Data Privacy and Cybersecurity in M&A: A New Era

• Date: 01 July 2018

Published in Landslide® magazine, Volume 10, Number 6, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2018 by the American Bar Association. Reproduced with permission. All rights reserved.

This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

By Daniel Ilan, Emmanuel Ronco, and Jane Rosen

Daniel Ilan is a partner in Cleary Gottlieb Steen & Hamilton LLP’s New York ofce. Emmanuel

Ronco is counsel in the rm’s Paris ofce.Jane Rosen is an associate in the rm’s New York

ofce. Their practices focus on intellectual property law, as well as cybersecurity, privacy, and

data protection. They may be reached, respectively, at dilan@cgsh.com, eronco@cgsh.com, and

jcrosen@cgsh.com.

A New Era

A

few years ago, buyers in mergers and acquisitions (M&A) conducted limited privacy1 or cybersecurity diligence, and

purchase agreements and their ancillary documents rarely explicitly addressed privacy and cybersecurity risks. Today,

substantive diligence in these areas is often imperative, and most transaction agreements now contain robust provisions

(and sometimes stand-alone data transfer agreements) relating to these risks. These signicant changes have resulted not only

from the dramatic increase in devastating cyberattacks and the increased sophistication of hackers,2 but also from the grow-

ing number of U.S. and foreign legislative measures addressing privacy and cybersecurity and the focus of regulators on these

issues, including in their review of M&A deals.

Image: iStockPhoto