As more states pass data privacy laws and cybersecurity incidents continue to dominate the headlines, cybersecurity-related due diligence has become critical for purchasers. At a minimum, a buyer should request from a seller: a description of the target business’s data security infrastructure; categories of personally identifiable information (PII) collected by the business; descriptions of the business’s practices regarding the use, collection, transfer, storage and sharing of PII; and copies of the business’s policies related to the collection of data in jurisdictions with data privacy laws.

A purchaser also should include cybersecurity-related representations and warranties in the purchase agreement, including but not limited to representations that the target business: (1) is and has been in compliance with applicable data privacy laws; (2) has in place appropriate data privacy policies; and (3) has not received any inquiries or been subject to any legal proceedings or enforcement actions related to any data privacy laws.

As a cautionary example, in 2018, Marriott announced it was the victim of a data breach relating to its 2016 acquisition of Starwood. Prior to closing and unbeknownst to Starwood, cybercriminals had infiltrated Starwood’s reservation database and compromised the PII of millions of customers. While Marriott had conducted due diligence on Starwood before the acquisition, Marriott had not discovered the data breach. Moreover, because Marriott had not included cybersecurity representations and warranties in the purchase agreement, Marriott was unable to look to Starwood’s officers or directors for indemnification related to the data breach.

As the Marriott case demonstrates, data privacy issues are now highly relevant in M&A, and a buyer should be aware of the potential risks and consult counsel with cybersecurity experience.