The United States Department of Justice (DOJ) recently settled a qui tam suit with a defense contractor and its successor company for $8.4 million, resolving allegations that the contractor and successor company violated the False Claims Act (FCA) by failing to implement cybersecurity requirements consistent with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Notably, the settlement names the successor company as “the successor in liability” in the claims against the defense contractor, even though the alleged conduct occurred several years before the successor company acquired the defense contractor’s cybersecurity business. While successor liability is not a new concept in regulatory enforcement, the settlement is a critical reminder that in mergers and acquisitions, companies should be critically assessing a seller’s data privacy and security risk profile during the due diligence process, going beyond simple representations or attestations of compliance with applicable data privacy and security laws.
Seller Considerations
From a seller’s perspective, this settlement is a reminder to spend some time pre-transaction documenting company compliance steps (including mitigation and risk management plans). During transactions, sellers should remember to be transparent about the status of data privacy and security programs, make appropriate company stakeholders available for buyer questions (data privacy and security diligence should not be a 15-minute call between opposing counsel and the seller’s COO without any written diligence materials being provided), and pay careful attention to transaction agreement terms.
Buyer Considerations
In recent years, with data itself becoming an increasingly valuable asset in transactions, as well as an ever-changing, highly regulated data privacy and security landscape, we have seen a trend toward a heightened level of care in assessing a target’s privacy and security risk profile. Note that technology (e.g., AI) and innovative data arrangements develop much faster than legislation; thus, simple legal compliance representations do not sufficiently account for data privacy and security diligence.
Buyers should consider whether to conduct technical assessments of targets along with legal diligence. Buyers should be prepared to see more thorough privacy and security diligence inquiries (we are no longer in the days of “send the seller your top 10 questions because they don’t have any materials in the data room” diligence for privacy or security). More comprehensive data privacy and security diligence by buyers is especially important when successor liability settlements run north of $8 million (not including the resources spent responding to regulatory investigations and managing public relations).
As more robust privacy and security diligence becomes market practice across industries, buyers should work with qualified privacy attorneys to strengthen privacy, security, AI, and vendor management representations to decrease potential successor liability exposure, secure representations and warranties insurance, and shift liability to sellers when possible. Timely post-closing remediation is also a key component in reducing potential successor liability for buyers.
For additional information about the FCA allegations and implications of this DOJ settlement, please see our client alert here.