Security Due Diligence In A Merger Or Acquisition

BCLP

When a company is acquired, the buyer ultimately becomes responsible for the data security practices of the company that it acquired.  This is true with regard to litigation risks, reputational risks, and regulatory risks.  For example, the FTC can hold an acquiring company responsible for the bad data security practices of a company that it acquires.  Evaluating a potential target’s data security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed.  For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, but were discovered months after a transaction closed. 

21 months: Number of months hackers had penetrated a target’s systems before the target was acquired and investigated by the FTC.[1]

9 months: Number of months hackers continued to penetrate a target’s systems after the target was acquired and investigated by the FTC.[2]

When you are involved in a merger or acquisition consider the following due diligence questions relating to data security during the course of the transaction:

  1. Is the target subject to a sector specific data security law?
  2. Has the target received a regulatory inquiry concerning its data security practices in the past two years?
  3. Has the target received litigation claims concerning its data security practices?
  4. How many data security incidents has the target experienced?  Is the quantity reported commensurate with what would be expected given the industry, type of data held by the target, and quantity of data held by the target? Remember that too few incidents can be as much of a “red flag” as too many.
  5. What data breaches has the target experienced?  Is the quantity reported commensurate with what would be expected given the industry, type of data held by the target, and quantity of data held by the target?
  6. Does the target have a Written Information Security Program (“WISP”)?  If so, is it appropriate given the type and quantity of data held by the target?
  7. Does the target have an Incident Response Plan (“IRP”)?  If so, is the IRP appropriate and effective?
  8. How has the target dealt with prior security incidents and security breaches?
  9. Has the target conducted and documented internal security assessments?
  10. Has the target conducted and documented external security assessments (e.g., penetration tests, vulnerability scans, data security audits)?
  11. If the target accepts payment cards, are any areas of non-compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) identified in their most recent Report on Compliance (“ROC”)?  Does the ROC appear to accurately describe the target’s network and payment card infrastructure?
  12. Has the target conducted a data map or a data inventory?
  13. What are the target’s data retention policies?
  14. Does the target have a vendor management program in place?  If so, how has the target evaluated the security practices of its vendors and subcontractors?
  15. Does the target have dedicated employees focused on data security issues (e.g., a Chief Information Security Officer)?

1. See, In the Matter of Reed Elsevier and Seisint, FTC Docket No. C-4226 (July 29, 2008), https://www.ftc.gov/enforcement/cases-proceedings/052-3094/reed-elsevier-inc-seisint-inc-matter.

2. Id.
