The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete. The following provides a snapshot of information concerning privacy violation penalties.
$ 3 million
Civil penalty imposed by the Federal Trade Commission upon acquirer for data privacy violation of acquisition that occurred prior to closing.1
|
Due diligence questions to consider in a M&A transaction in order to evaluate data privacy related rsisk:
-
Has the target received a regulatory inquiry concerning its data privacy practices?
-
Has the target received litigation claims concerning its data privacy practices?
-
Has the target tracked data privacy complaints submitted to it by consumers?
-
Has the target tracked data privacy complaints submitted by consumers to government agencies, including the quantity and nature of data privacy complaints lodged with the Federal Trade Commission?
-
Is the target subject to a sector specific data privacy law?
-
Do the target’s internal privacy policies and procedures comply with legal standards?
-
Do the target’s external privacy policies and procedures comply with legal standards?
-
Has the target conducted a data map or a data inventory?
-
What are the target’s data retention policies?
-
With whom does the target share data?
-
Does the target have a vendor management program in place?
-
Have the vendors used by the target provided appropriate contractual protections?
-
Did the target have an employee, such as a Chief Privacy Officer, who was focused on data privacy issues?
-
If the target conducted operations internationally did it have a strategy in-place for handling the cross-border transfers of information?
[View source.]