Privacy and Cybersecurity in M&A Transactions

Bond Schoeneck & King PLLC

Bond Schoeneck & King PLLC

The mergers and acquisitions market is hot. But with the increasing number of data breach incidences and the ever-growing list of new privacy laws, it is crucial for a buyer to do their homework to identify privacy and cybersecurity vulnerabilities of its target.

Due diligence is critical. There may be host of data implications for all types of companies – including manufacturers, service providers and distributors – that may not be entirely obvious from the onset. As a baseline, a buyer should request from the seller information such as: a description of the data security infrastructure; the categories of personally identifiable information (PII) collected and descriptions of the practices regarding the use, collection, transfer, storage and sharing of PII; and all policies related to the collection of data in jurisdictions that have data privacy laws.

Once the scope of data collection and its use by the target is understood, it may impact the transaction structure. If due diligence identifies privacy and cybersecurity vulnerabilities of the target, a buyer may shy away from acquiring the target’s shares or membership interests due to the potential risk involved with thereby acquiring all of the liabilities of the target. An acquisition of the target’s assets will likely be preferable in that instance, because the transaction can be structured to limit target liabilities assumed by the buyer. For example, a buyer could acquire only relevant technology and not acquire any data or customer contracts that may implicate data security and privacy liabilities. A buyer also may negotiate terms and conditions in the definitive agreement to provide adequate protection, such as an escrow or holdback. Finally, good due diligence enables a buyer to determine the terms of sale and use, and privacy and other policies, that it should adopt post-closing.

In sum, while data security and privacy may not always be at the forefront of a deal, buyers should be aware of the potential risks to avoid any future liabilities attributable to the misuse of their predecessor’s data.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bond Schoeneck & King PLLC | Attorney Advertising

Written by:

Bond Schoeneck & King PLLC

Bond Schoeneck & King PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.