“Managing Data Privacy Issues in Commercial and M&A Transactions”
Inside Counsel 08/06/15 By Heather L. Buchta, Jessica L. Franken
This is the fifth in a six-part series of privacy and security articles provided by the Data Privacy & Security Group of Quarles & Brady LLP, a national law firm.
Properly protecting a business from the risks of data breaches remains a moving target as hackers become more sophisticated and the technologies change. Understanding the risks inherent in acquiring or developing technologies that gather, process, and store data has become essential for businesses, both in the commercial transactions and M&A (mergers and acquisitions) arenas.
In order to ensure that data is properly handled and protected, companies need to understand what data is being collected, how it is being collected, and how it is being used and disclosed. This article identifies some of the key questions and issues in greater detail to provide some guidance on how to minimize the risk of data issues in those everyday business transactions.
Considerations in Commercial Transactions
Virtually every company today is reliant on software or cloud-based software services, all of which likely touch or contain some kind of data related to the company. Any time a company procures technology-based services or products, the business should first understand how those services or products will integrate into the company’s data flows by asking the following:
- Is data getting sent outside the company’s firewalls or sent to servers that are touched or controlled by provider or any other third party (i.e., is it in the cloud)?
- Will the provider have any ability to access to company data? If so, what data and for what purpose?
- Will the company be creating new data when using or receiving the services or products?
If you have confirmed that company data will be accessible by or under the control of a provider, incorporating appropriate protection for company data is key when negotiating the agreement. Addressing these items upfront with the business teams and the provider is key to understanding (and mitigating) the risk of the transaction. At a minimum, a provider agreement should address the following, along with other standard terms:
- Ownership of company data and provider rights to access or use the data, if any.
- Service levels for access and availability of the data, particularly if the data is outside the company’s physical control—i.e., 24x7, 99.999 percent uptime and response times for any support calls.
- Specific technical, administrative, and physical security standards of the provider, such as:
- Obligating the provider to meet applicable legal and industry standards—i.e. PCI, HIPAA, HITECH Act, GLB Act, FTC, and FCC regulations.
- Consideration of applicable portions of security frameworks—i.e. NIST and ISO 27000.
- Requiring regular testing of the provider’s security measures and granting company access to the testing reports.
- Detailing physical security measures of the hosting site.
- Requiring compliance with any company security standards and policies in place.
- Restricting personnel access to the data.
- Return of company data at the end of relationship in suitable (and usable) format. Destruction of the data should also take place following the return of the data at a level sufficient to ensure it cannot be recreated.
- Transition period at the end of term to transition data to another provider, if needed.
- Confidentiality, including any special industry concerns, such as Protected Health Information under HIPAA and HITECH Act.
- Address the responsibility for notification and any remedies offered to affected individuals related to a data breach and consider the interplay with your indemnification and limitation of liability.
In the world of mergers and acquisitions, the company is typically dealing with a stock deal or asset deal. If it is a stock deal, the company typically assumes responsibility for any data issues that occur post-closing only. For an asset deal, what risks are assumed depends on how the deal structured.
For both types of M&A transactions, due diligence is key to understanding and managing data-related risks in the deal. Due diligence on the target’s data assets, policies, and practices is a critical component of the transaction and should be addressed early in the due diligence process:
- What individual personal, health, and financial data is maintained by the target? Are the data subjects all U.S. citizens and residents or are there citizens or residents of another country?
- Does any target data reside in or get sent to third-party systems?
- Where is the target data physically located? Is any data stored outside the United States?
- How does the target gather data? Does it get collected at point of sale? Does it get purchased from third-party data aggregators? Is it collected from a website?
- How does the target use the data within the business?
- Does the target have appropriate permission to use the data as it does? Are there any records of any consents to collect and use the data?
- What data security protections are in place? Does the target have a written information security program or plan (i.e., WISP)?
- Has the target conducted any data security assessments or audits, either internally or by an independent auditor?
- What vendors have access to or otherwise process data for the target and what contracts are in place for the processing of that data? Do they address the critical issues for commercial transactions as contemplated above?
- Does the target have privacy statements or privacy policies in place? Do they appropriately cover the scope of the target’s data practices?
For asset deals, the buyer needs to determine the following additional information to properly prepare for closing:
- Whether target data will be transferred via servers and services that are being acquired.
- Whether transition services will be required post-closing to permit a move of the data from the seller’s software, equipment, and services to the buyer.
- Which party will be responsible for notification and damages related to data breaches prior to close and during any transition service period.
For both asset and stock deals, the buyer should also evaluate the manner in which the target has collected, used, and stored data, as well as consider whether indemnification for data breaches should be included and whether there is some hold back or other mechanism to ensure coverage for the potential liability.
Exploring the questions above as part of due diligence, and incorporating appropriate protections in provider and M&A agreements is an important step in a company’s overall data security program, and is investment of the company’s time that is well worth it. With today’s focus on data privacy and security, addressing these items at the forefront of the applicable transaction can help manage the risk and exposure of the company following the transaction—and in this case an ounce of prevention (and the time and resources to do so) certainly outweighs a pound of cure.