As the privacy and cybersecurity landscape evolves, drug and device makers face increased challenges in mergers and acquisitions. Privacy and cybersecurity risks directly impact both the value and potential liabilities of these deals. Below we briefly outline the current landscape, potential risks, and recommended best practices for drug and device makers in diligence and other pre-close activities.

I recently had the opportunity to speak on topic at Gardner Law’s Navigating the M&A Waters of FDA-Regulated Companies program.

THE LANDSCAPE

To set the stage, it is important we review the current privacy and cybersecurity landscape. New privacy laws and regulations are emerging at both the state and federal levels, not to mention internationally, imposing stricter requirements. Noteworthy examples include the California Consumer Privacy Act (“CCPA”) and its amendments and implementing regulations, the recently passed Washington "My Health My Data Act" designed to protect health information that is not subject to HIPAA requirements, the recently passed Texas Data Privacy and Security Act, plus many other laws on the books in Colorado, Virginia, Connecticut, Utah, and Iowa (and pending in other states), as well as various implementing regulations. Not listed here (but equally significant) are the myriad privacy laws springing up around the globe, including of course the General Data Protection Regulation in Europe where enforcement is still trending upward.

We are also seeing a steady rise of cybersecurity threats, with cyber incidents growing in frequency and health care industry breaches in particular costing over $10 million on average.Recent health care data breaches offer hard lessons. The DC Health Link breach, impacting 170,000 individuals, and the Sharp HealthCare breach, exposing information about 63,000 individuals, underscore the potential consequences of neglecting privacy and cybersecurity considerations.

HOW DOES THIS IMPACT M&A?

Mergers and acquisitions can be greatly influenced by privacy and security matters, including the areas of risk listed below:

• Post-close enforcement and litigation. Acquiring companies may face enforcement actions and litigation if breaches or compliance gaps occur after the transaction.
• Valuation and risk allocation. The value of a deal and the allocation of risk may be directly influenced by the target company's privacy and security practices.
• Post-close remediation costs. Unforeseen expenses may arise due to the need for privacy and security compliance measures after the transaction.
• Data use limitations. Acquisition of unlawfully obtained or processed data may limit the acquirer's ability to use valuable information.
• Product or IT system vulnerabilities. The acquisition's value may be impacted by inadequate privacy and security controls surrounding critical assets.

LESSONS FROM PROMINENT M&A DEALS

Examining past M&A deals offers insights into the significance of privacy and security. For instance, the Marriott-Starwood merger exposed Marriott to substantial litigation and penalties due to a prior breach that was not discovered until after the deal closed. Similarly, Verizon's acquisition of Yahoo resulted in a price reduction of $350 million (a cash discount of approximately 7%) plus shared liabilities related to the data breaches. Both examples emphasize the need for thorough diligence and appropriate risk assessment in these transactions.

PITFALLS

Drug and device makers looking for deals should be aware of key risk areas:

• Inadequate inquiry about data breach/security incident history: Neglecting to investigate a target company's data breach history may lead to costly breach response activities, enforcement actions, and litigation.
• Undervaluing security and privacy controls implementation: Insufficient cybersecurity controls may require expensive remediation and increase the risk of undiscovered data breaches.
• Neglecting evaluation of target data stores: Compliance issues or data use limitations may hinder data transfer or sharing after the transaction.
• Ignoring risks associated with third-party relationships: Unaddressed cybersecurity or privacy exposures in third-party relationships can result in costly remediation or contract disputes.

AVOIDING PITFALLS: DUE DILIGENCE

Drug and device makers can take steps to reduce these risks:

• Assemble a qualified team, including IT, security, and privacy counsel, and ensure effective communication within the team.
• Understand the target company's risk profile, operating jurisdictions, business model, and applicable laws.
• Scope diligence efforts based on risk, utilizing written checklists, questionnaires, and interviews with key stakeholders, including the Chief Privacy Officer and Chief Information Security Officer (or key company leaders with similar roles).
• Focus on key risk areas, such as data use, program insufficiencies, and product security flaws – especially when the risk is related to the heart of the deal.
• Analyze relevant documentation, including privacy policies, incident response plans, and contracts, and assess their adequacy and compliance.

OTHER CONSIDERATIONS TO MITIGATE RISKS

In addition to diligence, consider these mitigations:

• Transition service agreement: Determine if the target company will act as a data processor during the transition and consult with privacy counsel on the implications for data privacy and security.
• Representations and warranties: Ensure that privacy and cybersecurity representations and warranties align with the target company's risk profile.
• Liability for breaches/non-compliance: Consult with an M&A expert to develop strategies for mitigating liability related to data breaches, enforcement actions, or litigation.
• Pre-close to post-close integration: Address alignment with applicable laws and standards and ensure harmonization of cybersecurity frameworks and privacy programs between the acquiring and target companies.

Privacy and cybersecurity considerations play a critical role in successful M&A transactions. By understanding the evolving landscape, learning from past breaches and M&A deals, and avoiding common pitfalls, drug and device makers seeking deals can proactively protect themselves and their stakeholders. Involvement of experts and diligent evaluation of the right risk areas are essential to minimize these risks.