The long term success of large and small business transactions can turn on a target’s success in managing data and cyber security and meeting complicated data privacy compliance obligations. Sellers, buyers, and deal lawyers need to consider having a cyber/privacy attorney involved in the due diligence process.
The importance of this was highlighted earlier this year when the U.K.’s data protection authority fined Marriott for a breach that affected Starwood Hotels. The breach began before Marriott acquired Starwood, but was not identified until after the sale. The regulator’s criticism focused less on the breach itself than on the adequacy of the due diligence undertaken to complete the sale: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition ….”
As the California Consumer Privacy Act (CCPA) takes effect on Jan. 1, 2020, and as requirements to undertake “reasonable security practices” multiply, it is not enough to simply “kick the tires” to evaluate the cyber risk that an acquisition may impose on a buyer. The good news is that targets with mature and compliant security and privacy programs generally document those efforts. A cyber/privacy lawyer can review security program documents, technical documents (SOC reports, penetration testing reports, etc.), security audits, key contracts and the like and work with technical resources to provide the best guidance to the buyer’s leadership group. If a target cannot provide these documents, buyer beware.