Published on April 6th, 2022
Privacy And Cybersecurity Risks In Transactions – Impacts From Artificial Intelligence And Machine Learning, Addressing Security Incidents And Other Diligence Considerations – Privacy



Cyberattacks. Data breaches. Regulatory investigations. Emerging
technology. Privacy rights. Data rights. Compliance challenges. The
rapidly evolving privacy and cybersecurity landscape has created a
plethora of new considerations and risks for almost every
transaction. Companies that engage in corporate transactions and
M&A counsel alike should ensure that they are aware of and
appropriately manage the impact of privacy and cybersecurity risks
on their transactions. To that point, in this article we provide an
overview of privacy and cybersecurity diligence, discuss the global
spread of privacy and cybersecurity requirements, provide insights
related to the emerging issues of artificial intelligence and
machine learning and discuss the impact of cybersecurity incidents
on transactions before, during and after a transaction.

Overview of Privacy and Cybersecurity Diligence

There is a common misunderstanding that privacy matters only for
companies that are steeped in personal information and that
cybersecurity matters only for companies with a business model
grounded in tech or data. While privacy issues may not be the most
critical issues facing a company, all companies must address
privacy issues because all companies have, at the very least,
personal information about employees. And as recent publicized
cybersecurity incidents have demonstrated, no company, regardless
of industry, is immune from cybersecurity risks.

Privacy and cybersecurity are a Venn diagram of legal concepts:
each has its own considerations, and for certain topics they
overlap. This construct translates into how privacy and
cybersecurity need to be addressed in M&A: each stands alone,
and they often intermingle. Accordingly, they must both be
addressed and considered together.

Privacy requirements in the U.S. are a patchwork of federal and
state laws, with several comprehensive privacy laws now in effect
or soon to be in effect at the state level. Notably, while it
doesn't presently apply in full to personnel and
business-to-business personal data, the California Consumer Privacy
Act covers all residents of the state of California, not just
consumers (despite confusingly calling residents
"consumers" in the law). Further, there are specific
laws, such as the Illinois Biometric Information Privacy Act and
the Telephone Consumer Protection Act, that add further, more
specific privacy considerations for certain business activities.
And while there is an assortment of laws with a wide variety of
enforcement mechanisms from private rights of action to regulatory
civil penalties or even disgorgement of IP, one consistent trend is
the increasing potential for financial liability that can befall a
non-compliant entity.

Laws in the U.S. that mandate cybersecurity compliance programs are
less common than laws governing response to, and notification of, a
data breach. In recent years, specific laws and regulations have
largely focused on the healthcare and financial services industries.
However, legislative and regulatory activity is expanding in this
space, requiring increasingly specific technological,
administrative and governance safeguards for cybersecurity programs
well beyond these two industries. Additionally, while breach
response and notification where sensitive personal data is impacted
has been a well-established legal requirement for several years
now, increasingly complex cyber-attacks on private and public
entities have expanded the focus of cybersecurity incident reporting
requirements and enterprise cybersecurity risk considerations.

What Does This All Mean for Diligence?

For the buy side, identifying the specifics of what data, data
uses and applicable laws are relevant to the target company is
pivotal to appropriately understanding the array of risks that may
be present in the transaction. Equally, at least basic
technological cybersecurity diligence is important to understand
the risks of the transaction and potential future integration. For
the sell side, entities should be prepared to address their data,
data uses and privacy and cybersecurity obligations in diligence
requests.

Separately, privacy and cybersecurity diligence should not focus
solely on the risks created by past business activity but also
consider future intentions for the data, systems and company's
business model. If an entity is looking to make an acquisition
because it will be able to capitalize on the data that the acquired
entity has, then diligence should ensure that those intended uses
won't be legally or contractually problematic. This issue is
best known earlier than later in the transaction, as it may impact
the value of the target or even the desire to move ahead.

In the event that diligence uncovers concerns, some privacy and
cybersecurity risks will warrant closing conditions and/or special
indemnities to meet the risk tolerance of the acquiring entity. In
intense situations, such as where a data breach happens or is
identified during a transaction, there may even be a price
renegotiation. Understanding the depth and presence of these risks
should be front of mind for any entity considering a sale to allow
for timely identification and remediation and in some instances to
understand how persistent risks may impact the transaction if it
moves ahead. For all of these situations, privacy and cybersecurity
specialists are critical to the process.

The Global Spread of Privacy Requirements

The prevalence of global business, even for small entities that
may have overseas vendors or IT support, creates additional layers
of considerations for privacy and cybersecurity diligence.

Privacy and cybersecurity laws have existed in certain
jurisdictions for years or even decades. In others, the expanded
creation of, access to and use of digital data, along with
exemplars like the European Union (EU) General Data Protection
Regulation, have caused a profound uptick in comprehensive privacy
and cybersecurity laws. Depending on how you count, there are close
to or over 100 countries with such laws currently or soon to be in
place. This proliferation and dispersion of legal requirements
means a compounding of risk considerations for diligence.

Common themes in recently enacted and proposed global privacy
and cybersecurity laws include data localization, appointed company
representatives, restrictions on use and retention, enumerated
rights for individuals and significant penalties. Moreover, aside
from comprehensive laws that address privacy and cybersecurity,
other laws are emerging that are topic-specific. For example, the
EU has a rather complex proposed law related to the use of
artificial intelligence. It is critical to ensure that the
appropriate team is in place to diligence privacy and cybersecurity
for global entities and to help companies take appropriate
risk-based approaches to understanding the global compliance
posture. It can be difficult to strike a balance in diligence
priorities due to both the growing number of new global laws and
the lack of many (or any) historical examples of enforcement for
these jurisdictions. But robust fact-finding paired with continued
discussions on risk tolerance and business objectives, and careful
consideration of commercial terms, will help.

Artificial Intelligence and Machine Learning

As mentioned, artificial intelligence is a hot topic for privacy
and cybersecurity laws. One of the biggest diligence risks related
to artificial intelligence and machine learning (AI/ML) is not
identifying that it's being used. AI/ML is a technically
advanced concept, but its use is far more prevalent than may be
immediately understood when looking at the nature of an entity.
Anything from assessing weather impacts on crop production to
determining who is approved for certain medical benefits can
involve AI/ML. The unlimited potential for AI/ML application
creates a variety of diligence considerations.

Where AI/ML is trained or used on personal data, there can be
significant legal risks. The origin of training data needs to be
understood, and diligence should ensure that the legal support for
using that data is sound. In fact, the legal ability to use all
involved data should be assessed. Companies commonly treat all data
as traditional proprietary information. But privacy laws complicate
the traditional property-law concepts, and even if laws permit the
use of data, contracts may prohibit it. Recent legal actions have
shown the magnitude of penalties a company can face for wrongly
using data when developing AI/ML. Notably, in 2021 the U.S. Federal
Trade Commission (FTC) determined that a company had wrongly used
photos and videos for training facial recognition AI. As part of the
settlement, the FTC ordered that all models and algorithms developed
with the use of the photos and videos be deleted. If a company's
primary offering is an AI/ML tool, such an order could have a
material impact on the company.

Additionally, the use of AI/ML may not result in the intended
output. Despite efforts to use properly sourced data and avoid
negative outcomes, studies have shown that bias or other integrity
issues can arise from AI/ML. This is not to say the technology
cannot be accurate, but it does demonstrate that when performing
diligence it is crucial to understand the risks that may be present
for the purposes and uses of AI/ML.

Security Incidents

Security incidents have been the topic of many a headline over
the past few years. Some of these incidents are the result of the
growing trend of ransomware or other cyber extortions, including
data theft extortions or even denial-of-service extortion. The
identification of a data security incident may well have a serious
impact on a transaction. Moreover, transactions can be impacted by
data security incidents occurring before, during and after a
transaction. Below we outline some key considerations for each.

An Incident Happened BEFORE a Transaction Started

  • Incidents that happened before a transaction will generally
    only be known if the company identified them, so it is key to
    employ a detailed and thought-out list of diligence questions.
  • Be certain that you have experts involved who themselves
    understand the impact of the information being provided and have
    up-to-date knowledge of current cyber events.
  • It is imperative not to consider these issues in a silo.
    Incidents may result in litigation, insurance ramifications and
    reporting requirements with a variety of regulators. Ensure that
    privacy and cybersecurity diligence is coordinated with other
    specialists to avoid gaps or missed information-sharing
    opportunities.
  • Be sure to assess the likelihood that a past incident could
    create future liabilities. For example, when reporting an incident
    to the Office for Civil Rights at the Department of Health and
    Human Services, it is not uncommon for several years to pass before
    there is an investigation.
  • Equally important is ensuring that the company actually
    completed appropriate remediation.
  • If an incident has been identified, accounting for residual
    risk should be part of the agreement. Representations that there
    have been no incidents (partnered with any appropriate disclosures
    otherwise) are standard even where no incident has been identified.
    However, known incidents are unlikely to be covered by
    representations and warranties insurance, and therefore more
    specific options may be prudent. For example, depending on the
    nature of the deal, a special indemnity relative to such an
    incident may be a good idea, and it is important to gather as much
    information about the incident as possible to accurately project
    the potential liabilities arising from residual risks and negotiate
    a special indemnity.

An Incident Happens DURING a Transaction

  • An incident that starts or is identified as ongoing prior to
    signing may cause a transaction to pause or be renegotiated. Always
    maintain open and immediate communication with the transaction
    leads when an incident is identified—or suspected.
  • An incident that happens or is identified as ongoing between
    signing and close can create a series of complex issues.
    Potentially the most problematic is that it can take a while to
    understand the full nature and impact of an incident. This may make
    it challenging to argue that an incident meets certain standards
    (e.g., a material adverse event) that could allow the parties to
    walk away within the necessary contractual time period. In such
    incidents, it is imperative that appropriate legal, regulatory and
    technical talent is leveraged to investigate and determine the
    facts as soon as possible.
  • If moving ahead with the transaction, it is imperative to
    assess the new risks being assumed. This includes preparing for
    immediate post-close response and remediation actions.
  • While it can be a challenge, before the consummation of a deal
    it is critical to watch the lines of separation to preserve the
    breached entities' privilege needs and independent
    responsibility with respect to the incident.

An Incident Happens AFTER a Transaction

  • Incidents post-close are likely to be the responsibility of an
    acquiring/merging entity.
  • However, it's key to understand when the incident began as
    that may impact options, responsibilities, liabilities and
    indemnification rights (particularly if it actually started
    pre-close).
  • Be sure to also verify what, if any, specific protections were
    included in the agreement that may relate to an incident.

While far from the totality of privacy and cybersecurity
considerations for transactions, these topics should help establish
a baseline understanding of what to look for and how to approach
privacy and cybersecurity in the current legal environment.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
