Mergers and Acquisitions - Thoughts for Addressing Cybersecurity and Data Privacy Concerns

Cybersecurity and data privacy concerns arise in many types of commercial transactions, but some transactions call for greater focus on potential cybersecurity and data privacy issues. Among the most typical are transactions that involve the potential merger with or acquisition of a target company that operates in certain highly-regulated industries and industries that deal with access to confidential information, including private information of their customers or clients. The business seeking to expand its portfolio of companies or to merge with a similar company must be especially focused on how vulnerable the sensitive information might be to cyberattacks or to unauthorized access by third parties, including its competitors.

Not properly addressing cybersecurity and data privacy concerns could expose target companies and buyers alike to lawsuits, significant governmental sanctions, fines, audits, and/or harm to the entity’s reputation. Directors and officers are at risk as well. They potentially face individual liability or other adverse consequences if they don’t properly protect the materials that they receive in the course of the due diligence process, such as intellectual property information.

Upon consultation with counsel, a buyer should request and inspect all of the target company’s materials that relate to cybersecurity and data privacy. Such materials may include the target company’s general policies, procedures, and systems relating to personal or privileged information, protected health information, and other sensitive information and data; a list of the target company’s websites and social media platforms and a description of how the target company uses such sites and platforms; and the target company’s employee manuals, policies, and procedures, as well as handbooks. If the target is engaged in transactions involving foreign nationals, such as residents of the European Union, compliance with applicable foreign laws such as the General Data Protection Regulation (GDPR) must be considered.

A buyer should also request documentation and explanation relating to any past instances of non-compliance with applicable cybersecurity and data privacy laws or cybersecurity attacks on the target company or any of its affiliates. If there have been past instances of cybersecurity breaches or attacks, a buyer should seek specific information such as how the incident occurred, the types of information exposed by the breach, and whether any litigation or governmental investigation resulted from the incident. The buyer should be sure that there are no pending threats or exposures to liability. Additionally, the buyer should inspect the target company’s insurance policies, including in particular its cyber insurance policy, to determine if the incident was covered and if additional coverage is needed after the merger or acquisition. Even if no specific cybersecurity and data privacy issues have been uncovered, a buyer should still request specific representations and warranties from the target company concerning the target company’s compliance with applicable cybersecurity and data privacy laws and regulations.

If a buyer is still conducting its due diligence review at the time of signing, the buyer may want to include an opt-out provision allowing for the termination of the agreement due to the unsatisfactory completion of its cybersecurity-related due diligence before closing. As with all aspects of the process, it is important to communicate and coordinate all the necessary steps with your attorney.

For more information, Stewart Banner