Privacy Plus+

Privacy, Technology and Perspective

Data-centric Considerations for Mergers and Acquisitions

Private equity, low interest rates and a rising stock market are helping to spur deals. Mergers and acquisitions (“M&A”) are all the rage these days, as would-be national businesses try to “roll up” regional players or “roll in” to different verticals in the hope that the whole becomes worth more than the sum of its parts.

So, this week let’s call attention to some data-centric opportunities attendant to M&A deals that can shrink trouble and raise value:

As seller: 

  • Internal security assessments and fixes. In anticipation of a sale, a seller should consider undertaking a comprehensive security assessment and remediating major problems with its administrative, technical, and physical security measures. How this assessment is scoped is important: it should be comprehensive, and it should be tied to recognized security assessment frameworks, like NIST, CIS, ISO-27001, etc. Reality: The less vulnerable your company is, the more it will be worth to a buyer. Recall that when Yahoo disclosed that it had been breached, its sale price ended up being slashed by $350M.

  • Set up your data room securely and devote thought to your NDAs. Your data room is where you will store the information that matters to buyers. Who has access to your company’s most sensitive and proprietary business information and under what conditions is important. When relying on third-party service providers to host a data room, you should not just “click-through” an agreement. Instead, ensure that it has adequate security provisions. Consider whether the data will be encrypted, protected by multi-factor authentication, etc. In addition, do not rely on boilerplate non-disclosure agreements (“NDAs”) to protect the information. NDAs should be designed carefully to address how the information should be handled, and the confidentiality obligations under the NDA should continue even after the NDA expires or is terminated.

  • Seek out experience – and make time – to understand the exceptions attached to your reps and warranties. Buyers rightly expect to know what they’re buying. So their draft documents often ask the seller to rep and warrant that the seller has lived a spotless, totally blameless and error-free business life, except as disclosed on Schedule XXX. In the privacy and data security context, buyer may also ask seller to rep and warrant that it maintains commercially reasonable measures to protect the confidentiality, availability and integrity of its data and the IT systems as well as sufficient data security, disaster recovery and similar policies and procedures. Figuring out what can be represented and warranted, and all that should – in honesty, fairness, and accordance with law – be disclosed takes experience, effort, and time.

  • Be careful with people. Sellers can develop a lot of the necessary information, disclosures, and so on through electronic means. But that isn’t enough. People know things (and can make mental connections) that technical means alone cannot. You need both. And the people whom you must ask for help with disclosures will have families, responsibilities, and hopes of their own. These will affect how they behave, whether or not they happen to align with what you want. Our advice is not to be afraid of your own people, but always to be careful, generous, and understanding in how you treat them.

As buyer: 

  • Cybersecurity due diligence is essential. Before buying, a buyer must undertake cybersecurity due diligence of the target company. This is no longer negotiable as an action item. A risk-based analysis that focuses on identifying and quantifying cyber issues is required. Recall that after Starwood acquired Marriott, it discovered Marriott’s guest data had been breached. Even though the breach happened before Starwood bought Marriott, the UK’s Information Commissioner’s Office (ICO) fined Starwood £99 million, faulting it, in part, for not conducting sufficient due diligence.

  • Consider how reliance on third-party service providers may impact the deal. Reliance on third-party vendors, data centers and Internet providers is a common risk. Security breaches, unauthorized use and other data mismanagement, and service issues related to third-party service providers may compromise the confidentiality, integrity, or availability of employee and customer data, or otherwise cause problems which could adversely affect business and expose the buyer to liabilities. The fact that most companies have little control or insight into the operations of their service providers compounds the problem. In an acquisition, that is a risk which someone will bear. The question is “who;” so think about how that risk is allocated in the agreement.

  • Analyze Open Source. It’s far too late to say, “don’t buy systems that have open source software laced through them.” That ship has sailed. Instead, identify and analyze the open source uses against their respective OS licenses, and consider how those may affect your business objectives.

  • Institutional knowledge. M&As often result in attrition, by the buyer’s decision or otherwise. But long-term employees often have important history and institutional knowledge (e.g. about “why and how XYZ was done”) which isn’t written down and will leave with them. Sellers are wise to get as much institutional knowledge as they can, while they can. In the process, they may discover that the people with institutional knowledge are more valuable than the PowerPoints, organizational charts and “knowledge transfer” plans might suggest. (Of course, those people may discover that same thing about themselves, too.)

  • Create a Data Map. Purge Old Data. It’s often a giant, multi-year task to integrate IT departments. But with respect to data particularly, the integration phase is a great time to work on creating (or supplementing) the combined entity’s data map, showing where all the combined entity’s data is coming from, where it’s going and how it is being used along the way. It’s also a great time to “purge” old data or other data that the buyer won’t use often, and ideally get it offline altogether. The data will be more secure that way.

  • Adapt the Best Infrastructure for Data Management. In many cases, some constituent companies will have created demonstrably better systems, programs and processes than others; or different constituent systems may have different strengths. Try to take the best from each. We say “try,” because strong personalities, warlords, baronies, and business politics may force the sacrifice of some of “the best” in order to make places for “the necessary.” So be it. Prepare to overcome as best you can.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.