Cybersecurity and Data Privacy Due Diligence

Author: Gretchen Ramos and Grace E. King
I. Data Privacy and Cybersecurity
Data privacy and cybersecurity due diligence plays an essential role in almost all business acquisition deals today. Acquiring a company entails inheriting its data, the data governance program in place, and inevitably the privacy and security risks associated with that program. Data privacy and cybersecurity issues uncovered after a company is acquired could expose the purchasing company (purchaser) to intrusive government investigations, large fines, and expensive consumer class action litigation. Purchasers should evaluate data privacy and cybersecurity risks when first assessing a potential target and make assessment of such risks a priority during due diligence and when negotiating the acquisition agreement and other transaction documents.
The purchaser should devote sufficient time and resources to conducting a thorough investigation into the selling company’s (target’s) privacy and cybersecurity practices. This entails examining the target’s data inventory, data locations, data processing activities, privacy policies, information governance guidelines, security controls, and cybersecurity insurance policies for vulnerabilities. It also requires analysis of any cybersecurity incidents the target has experienced. The findings of this investigation can have a significant impact on whether the acquisition proceeds, as well as assisting the purchaser in accurately valuing the target and planning for a successful data integration after the acquisition. Due diligence can reveal a target’s potential liabilities for data protection violations. Thus, the way the target handles its data may increase the purchaser’s liability risk beyond its tolerance threshold, which could result in the need to renegotiate settled deal terms or even terminate the deal discussions.
*Grace E. King: I would like to express special thankfulness, warmth, and appreciation to the most important people in my life—Scott, Alice, Emily, and Roy—as well as my gratitude to my colleague Gretchen Ramos of Squire Patton Boggs.
Moreover, undertaking an analysis of a target’s data privacy and cybersecurity program often presents many challenges because the two areas typically exist in separate departments. The data privacy issues are often handled by the legal department or a chief privacy officer, whereas the target’s information technology (IT) department oversees the cybersecurity issues. Thus, special care must be taken to ensure that the due diligence undertaken extends to both departments and that the process includes consideration of how the target is handling customer and employee data.
This chapter outlines the steps purchasers should take in performing privacy and cybersecurity due diligence and provides guidance for the purchaser’s in-house counsel on how to approach each step of the due diligence investigation. The ultimate goal for in-house counsel is to provide the purchaser with a summary of the target’s privacy program and its cybersecurity infrastructure and to identify all potential risk factors that might affect the purchaser after an acquisition. The results of the due diligence should provide the purchaser with a solid understanding of the overall sophistication of the target’s data handling practices, which should, in turn, help inform the purchaser’s negotiation
