Data breaches are becoming increasingly problematic during the due diligence stage of transactions. When Verizon Communications Inc. (“Verizon”) and Yahoo! Inc. (“Yahoo”) signed a Stock Purchase Agreement on July 23, 2016, Yahoo warranted that, to its knowledge, there had not been any unauthorized access or use of personal data that would be expected to have a “Business Material Adverse Effect” on Yahoo. (See Yahoo! Inc., Current Report on Form 8-K, at Exhibit 2.1 (July 23, 2016)). On Sept. 22, 2016, Yahoo issued a press release stating that there had, in fact, been an unauthorized access of personal data. (See Yahoo! Inc., Current Report on Form 8-K, at Exhibit 99.1 (Sept. 22, 2016)). The timing of this first announcement was fortuitous for Verizon, which used the development to delay closing and negotiate new terms resulting in the execution of an Amended Stock Purchase Agreement and a reduction of the purchase price by $350 million. (See Yahoo! Inc., Current Report on Form 8-K (Feb. 20, 2017)). Yet just when it appeared Verizon had avoided a $350 million immediate decrease in transaction value, Yahoo announced a second unauthorized access! (See Press Release, Oath, Yahoo provides notice to additional users affected by previously disclosed 2013 data theft (Oct. 13, 2017) (last visited Nov. 27,2017)). Suddenly, that $350 million reduction did not reflect the potential decrease in the value of the transaction when three billion Yahoo accounts were actually affected.
What should a buyer (and, inversely, a seller) do when investigating a target’s exposure to unauthorized access to data or other proprietary information? A number of paths exist to address these issues.
A buyer may devote substantial resources (both internal and perhaps through third parties) during the due diligence period to uncover any unauthorized access. Targets may resist allowing anyone (including the buyer) access to this information or may not want to be alerted to a previously unknown unauthorized access. Additionally, even with modern investigative techniques and methods, it may be difficult for anyone to provide a buyer with a definitive answer as to whether an unauthorized access has occurred.
A buyer can also press for robust representations and warranties and corresponding indemnification terms in the definitive document. Ideally, multiple representations and warranties would cover unauthorized access risks, with the representations and warranties crafted to cover the specific unauthorized access event and more general representations and warranties to cover the unauthorized access through its effect on the operation of the business. This may appear to be a favorable path for a buyer, but representations and warranties are vigorously negotiated. For example, in the aforementioned scenario, Yahoo was able to insert a knowledge qualifier in the representation and warranty language that essentially allowed it to avoid exposure for the unauthorized breach, at least initially.
Another option exists in the form of insurance. It is increasingly more common for the target to purchase representation and warranty insurance and for the seller to have in place insurance that covers the unauthorized access of data. Each may be an effective method to mitigate the risk associated with these types of data breaches.
So what is the optimal path for a buyer? Each strategy by itself can be effective, but as demonstrated in the Yahoo transaction, relying on any one solution can be dangerous. The path most likely to reduce the risk of diminished transaction value would be use of a combination of these solutions. The facts of each transaction (for example, if the target is in a highly regulated industry or if the target has sound data breach prevention protocol) would dictate which one of and how the methods could be used by a buyer to mitigate risk. What is clear is that doing nothing or relying on previous methods to protect a buyer against these new threats is not an effective way to mitigate the increasing odds that a target is, or has been, subject to a data breach.