Cybersecurity and Data Privacy Due Diligence

• Author: Gretchen Ramos and Grace E. King
• Pages: 389-412

389

I. Data Privacy and Cybersecurity

Considerations

Data privacy and cybersecurity due diligence plays an essential

role in almost all business acquisition deals today. Acquiring a

company entails inheriting its data, the data governance pro-

gram in place, and inevitably the privacy and security risks

associated with that program. Data privacy and cybersecurity

issues uncovered after a company is acquired could expose

the purchasing company (purchaser) to intrusive government

investigations, large nes, and expensive consumer class action

litigation. Purchasers should evaluate data privacy and cyber-

security risks when rst assessing a potential target and make

assessment of such risks a priority during due diligence and

when negotiating the acquisition agreement and other transac-

tion documents.

The purchaser should devote sufcient time and resources to

conducting a thorough investigation into the selling company’s

Chapter

Cybersecurity and

DataPrivacy Due Diligence

By Gretchen Ramos and Grace E. King*

9

*Grace E. King: I would like to express special thankfulness, warmth, and appre-

ciation to the most important people in my life—Scott, Alice, Emily, and Roy—as well

as my gratitude to my colleague Gretchen Ramos of Squire Patton Boggs.

390 CHAPTER 9

(target’s) privacy and cybersecurity practices. This entails exam-

ining the target’s data inventory, data locations, data processing

activities, privacy policies, information governance guidelines,

security controls, and cybersecurity insurance policies for vulner-

abilities. It also requires analysis of any cybersecurity incidents

the target has experienced. The ndings of this investigation can

have a signicant impact on whether the acquisition proceeds, as

well as assisting the purchaser in accurately valuing the target

and planning for a successful data integration after the acqui-

sition. Due diligence can reveal a target’s potential liabilities

for data protection violations. Thus, the way the target handles

its data may increase the purchaser’s liability risk beyond

itstolerance threshold, which could result in the need to renego-

tiate settled deal terms or even terminate the deal discussions

completely.

Moreover, undertaking an analysis of a target’s data pri-

vacy and cybersecurity program often presents many challenges

because the two areas typically exist in separate departments.

The data privacy issues are often handled by the legal depart-

ment or a chief privacy ofcer, whereas the target’s information

technology (IT) department oversees the cybersecurity issues.

Thus, special care must be taken to ensure that the due diligence

undertaken extends to both departments and that the process

includes consideration of how the target is handling customer and

employee data.

This chapter outlines the steps purchasers should take in

performing privacy and cybersecurity due diligence and provides

guidance for the purchaser’s in-house counsel on how to approach

each step of the due diligence investigation. The ultimate goal

for in-house counsel is to provide the purchaser with a summary

of the target’s privacy program and its cybersecurity infrastruc-

ture and to identify all potential risk factors that might affect

the purchaser after an acquisition. The results of the due dili-

gence should provide the purchaser with a solid understanding of

the overall sophistication of the target’s data handling practices,

which should, in turn, help inform the purchaser’s negotiation