The GDPR and Mergers and Acquisitions: What Corporate Buyers and Sellers Need to Know

by Dickinson Wright

Dickinson Wright

As cybersecurity incidents affecting Target, Home Depot, Anthem, Sony, Ashley Madison, and many other companies have demonstrated, cybersecurity poses a significant legal risk to companies. Not to mention it makes their electronically-stored corporate assets a virtual sitting duck at the mercy of the company’s IT infrastructure. While companies continue to grapple with regulatory, legal, and technological obligations, one area that has received less attention is the area of corporate mergers and acquisitions. This, however, is not an area that should be ignored, especially when so many mergers and acquisitions concern multi-national companies, companies operating in the EU, and/or companies with employees or customers in the European Union (EU), all of which will be responsible for complying with the EU’s General Data Protection Act (GDPR) come May 25, 2018.

One primary issue is when companies go through the acquisition process, not only can vulnerabilities in the security network be transferred to the acquiring company but so are regulatory and other non-compliance issues. For example, the Federal Trade Commission (FTC) and other regulators, including the EU Data Protection Authorities, who will enforce the GDPR, can hold an acquiring company responsible for the faulty, false or lax security practices of the company it acquires.

Take, for example, a company acquires a company in late 2017 only to discover that the company is covered under the GDPR based on the type of information it collects on customers but did not take any steps pre-acquisition to do so. Now, the acquiring company has limited time to review the acquired company’s data and security infrastructure and make the necessary compliance changes in a very short period of time. That key piece of information will significantly increase the financial regulatory burden on the acquiring company, but because the issue was not disclosed pre-acquisition, that financial burden was not negotiated as part of the purchase price.

Typically, there are three avenues for a corporate merger and acquisition: (1) asset sale - where an entity purchases the assets of another; (2) stock sale - where an entity purchases a majority stake in the equity of another entity; and (3) hostile takeover - where an entity takes a majority stake in the equity of a target entity that had no desire to lose its majority stake.

In all of these transactions, cybersecurity is a risk for all parties including their C-suite, board members, underwriters, and legal counsel. This is because, in the typical setting, the target company has intangible assets of significant value. As we have learned from some of the more publicized breaches, such intangible assets include, trade secrets (the company’s secret sauce); customer lists; personal identifying information; intellectual property/work product (as demonstrated by the Sony breach with the release of several films including The Interview featuring Seth Rogen and James Franco); high-level executive conversations detailing corporate strategies, financial issues, client confidences, etc. (as also demonstrated by the Sony breach); private health information of clients and employees (as demonstrated by the Anthem breach); and private sexual preferences and other personal information of clients/website users who import information (as demonstrated by the Ashley Madison breach).

Other company assets can also lose significant value in the event of a breach including customer goodwill and brand reputation. This was demonstrated quite prominently in the Anthem, Home Depot, and Target breaches. For example, on the heels of its 2012 breach, Target’s brand reputation and customer goodwill took a significant hit – not to mention its stock prices and the jobs of some of its higher-level executives. Although Target came back to pre-breach stock price levels, it stands as a good reminder of what it at stake.

As such, governance, risk, and regulatory and other compliance issues should be a part of the due diligence process, when closing the deal, and when finally integrating the companies.

Due Diligence

From the due diligence standpoint, there are many potential issues. First, many companies rely so much on cloud and digital storage and do not fully understand how that information is shared or who has access to it. Second, many companies have no idea what information has been transferred to personal or company-owned devices, thumb drives, or other places that also places it at issue. Third, while a large global company will likely have well-established policies and procedures regarding and concerning cybersecurity defenses, cybersecurity may not be as robust and vulnerability-deterrent as some of its smaller, acquired, or geographically-extended divisions or departments.

These factors play well for attackers who look for acquisitions, subsidiaries, and vendors (e.g., access in the 2012 Target breach was accessed through a Target vendor) to find a security vulnerability that does not adequately restrict access. Once the attacker is inside the less secure network, it looks for connectors into the larger corporation. If the attacker finds a connection, the attacker can use that opening to gain a traction foothold in the larger corporation’s secure network.

In the merger and acquisition context especially, it is not difficult for attackers to identify the weak links. Many mergers/acquisitions are publicly announced through press releases, industry pieces, etc. For public companies, they are required to list their subsidiaries in their filings with the Securities and Exchange Commission (SEC).

In addition to outside threats, companies should also protect against employees and former employees stealing company information via external transfers, downloading to mobile devices, etc. Companies on both sides of the transaction must pay attention to insider threats and cybersecurity risks involved in the due diligence process.
To demonstrate just how important cybersecurity is in the due diligence process, in 2014, TripAdvisor acquired Viator, a tour booking company, for $200 million. The deal closed and about two weeks later, Viator announced it was the victim of a data breach that compromised the personal details and credit card information of approximately 1.4 million of its customers. TripAdvisor’s stock fell five percent immediately on the news.

Thus, the risk of not performing cyber security due diligence is largely two-fold: First, the acquired company could have a bomb sitting in its network that has infiltrated its infrastructure waiting to explode (maybe even years later as in the case of the Yahoo! Breach), including after the deal has closed, leaving the acquiring company holding the bag. Second, the acquired company could have legal compliance obligations that are difficult to understand, time consuming and costly, e.g., GLPR that the acquired company wants to avoid or did not know they were subject to follow. If proper cybersecurity due diligence is not conducted, the acquiring company could get stuck with significant compliance costs and obligations that it was not expecting and that went unaccounted for in the original purchase price.

Just some of the GDPR issues that an acquiring company could face include:

  • Losing a significant amount of customer marketing and other data due to not being properly obtained via the GDPR’s consent requirements;
  • Having to identify relevant protected information to properly protect it;
  • Having to revise internal and external-facing customer and employee policies to include GDPR requirements;
  • Having to appoint a Data Protection Officer;
  • Having to conduct an Data Protection Impact Assessment;
  • Having to monitor and track all data subject requests to enforce their rights under the GDPR, including the right to be forgotten, portability of information, etc.;
  • Reviewing vendor/Subprocessor agreements to ensure they conform to the controller/processor requirements; and
  • Entering into model clauses or getting certified under the Privacy Shield in order to transfer customer and/or employee data from the EU to the United States or elsewhere.

There are four steps companies in a transaction should undergo at the due diligence stage to minimize cybersecurity risks

1.  Develop and M&A Strategy: This is accomplished by first realizing that cybersecurity is not an IT issue; it is a governance and risk issue as well. That means a comprehensive cybersecurity review is necessary at the board level prior to engaging in any acquisition discussions. When reviewing privacy and security issues at this stage, the following should be taken into account:

  • Scope of expansion and whether that includes expanding into new industries and/or new geographic regions with new/differing laws, i.e., require compliance with GDPR, HIPAA/HITECH, COPPA, GLBA, etc.;
  • Whether any new products or technologies are part of the business goals;
  • Whether the company is going to change how it uses certain categories of information; and
  • How the risk profile of both companies may change.

2.  Evaluate and Engage: Both parties should gain a comprehensive understanding of the data privacy and security profiles of each other. This is because a breach on either side of the transaction can kill a deal.

When specifically reviewing the target company, the acquiring entity should review the following key pieces of information, which is typically done via a secure online data room that is used to store relevant data during the due diligence phase:

  • A “data map” outlining where and how the target companies stores data and related security controls and protocols.
  • Privacy policies, procedures, and notices, including website terms and conditions and external-facing privacy policies.
  • Policies regarding how the target company collects, uses, discloses, transmits, stores, shares, retains, secures (encrypts / password protects) and destroys personal information and other protected categories of information. Of note, the Federal Trade Commission (FTC) views statements made by companies in their privacy policies as promises that must be kept even when the company that made them is acquired by another.
  • Identify the international scope of data and data transfers to review compliance requirements, including if the acquiring company has proper protections in place, i.e., GDPR compliant and certified under the Privacy Shield to transfer personal data out of the EU to the United States.
  • Determine the scope of scrutiny controls, e.g., administrative safety controls and programs, security audits, data/electronic risk assessments, comprehensive information security program, disaster recovery and business continuity plan, management of internal and external vendors including cloud service providers and data processors, compliant with industry standards, remediation effort protocol, and incident response plan.
  • Create a risk profile that should include information about any prior breaches, security incidents, or attempted breaches or security incidents. This also includes identifying past or present litigation, complaints, administrative investigations/fines/penalties relating to security issues.

Third party experts can also be brought in to conduct a cyber audit to ensure the deal is viable and that the risks are properly addressed and/or priced. This includes repeated penetration testing the target’s networks and systems.

3.  Insurance. The parties should consider purchasing cybersecurity insurance to protect against any unforeseen events that occur during and/or in the immediate aftermath of the deal.

4.  C-Suite Involvement. Boards on both sides of the transaction should focus their cybersecurity cultures to determine whether their views on cyber security match. For example, a company with well-established policies may face a lot of push back if the target company is more relaxed. This is especially true when it comes to requiring employees to set certain passwords; use certain security protocols with respect to Smart devices; refrain from accessing company information via unsecured Wi-Fi networks; continued compliance including the monitoring and tracking requirements under the GDPR; etc.

After the Deal Closes

Whether due diligence was properly done is usually readily apparent once the acquiring company takes over operational control of the target company. There are two fronts the acquiring company must deal. The first is operational as the acquiring company must ensure the initial connectivity between the companies. This is largely an IT function, but will also concern other functions, including HR, as employees’ computers and devices are reconfigured for on-site and remote work. The second is interpersonal as human resources and other teams will have to prepare, organize, and train employees, including onboarding new employees, with the new, integrated systems.

Documentation and Continued Compliance and Monitoring

Once the acquisition is complete, the work is not finished. The acquiring company must continue to improve its security, monitor and be mindful of internal and external treats vectors, continue to update security procedures and protocols, and delineate a clear line of information security responsibilities, reporting, costs, and shared responsibilities between the applicable departments, such as, IT, legal, HR, compliance and governance, etc.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising

Written by:

Dickinson Wright

Dickinson Wright on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.