Cyberattacks. Data breaches. Regulatory investigations. Emerging technology. Privacy rights. Data rights. Compliance challenges. The rapidly evolving privacy and cybersecurity landscape has created a plethora of new considerations and risks for almost every transaction. Companies that engage in corporate transactions and M&A counsel alike should ensure that they are aware of, and appropriately manage, the impact of privacy and cybersecurity risks on their transactions. To that point, in this article we provide an overview of privacy and cybersecurity diligence, discuss the global spread of privacy and cybersecurity requirements, provide insights related to the emerging issues of artificial intelligence and machine learning, and discuss how cybersecurity incidents affect a transaction depending on whether they occur before, during or after it.
Overview of Privacy and Cybersecurity Diligence
There is a common misunderstanding that privacy matters only for companies that are steeped in personal information and that cybersecurity matters only for companies with a business model grounded in tech or data. While privacy issues may not be the most critical issues facing a company, all companies must address privacy issues because all companies have, at the very least, personal information about employees. And as recent publicized cybersecurity incidents have demonstrated, no company, regardless of industry, is immune from cybersecurity risks.
Privacy and cybersecurity are a Venn diagram of legal concepts: each has its own considerations, and for certain topics they overlap. This construct translates into how privacy and cybersecurity need to be addressed in M&A: each stands alone, and they often intermingle. Accordingly, they must both be addressed and considered together.
Privacy requirements in the U.S. are a patchwork of federal and state laws, with several comprehensive privacy laws now in effect or soon to be in effect at the state level. Notably, while it doesn't presently apply in full to personnel and business-to-business personal data, the California Consumer Privacy Act covers all residents of the state of California, not just consumers (despite confusingly calling residents "consumers" in the law). Further, there are specific laws, such as the Illinois Biometric Information Privacy Act and the Telephone Consumer Protection Act, that add further, more specific privacy considerations for certain business activities. And while there is an assortment of laws with a wide variety of enforcement mechanisms, from private rights of action to regulatory civil penalties or even disgorgement of intellectual property, one consistent trend is the increasing potential for financial liability that can befall a non-compliant entity.
Laws in the U.S. related to cybersecurity compliance are not as common as laws related to responding to and giving notice of a data breach. In recent years, specific laws and regulations have largely focused on the healthcare and financial services industries. However, legislative and regulatory activity is expanding in this space, requiring increasingly specific technological, administrative and governance safeguards for cybersecurity programs well beyond these two industries. Additionally, while breach response and notification where sensitive personal data is impacted has been a well-established legal requirement for several years now, increasingly complex cyber-attacks on private and public entities have expanded the focus of cybersecurity incident reporting requirements and enterprise cybersecurity risk considerations.
What Does This All Mean for Diligence?
For the buy side, identifying the specifics of what data, data uses and applicable laws are relevant to the target company is pivotal to appropriately understanding the array of risks that may be present in the transaction. Equally, at least basic technological cybersecurity diligence is important to understand the risks of the transaction and potential future integration. For the sell side, entities should be prepared to address their data, data uses and privacy and cybersecurity obligations in diligence requests.
Separately, privacy and cybersecurity diligence should not focus solely on the risks created by past business activity but should also consider future intentions for the data, systems and company's business model. If an entity is looking to make an acquisition because it will be able to capitalize on the data that the acquired entity has, then diligence should ensure that those intended uses won't be legally or contractually problematic. This issue is best known earlier rather than later in the transaction, as it may impact the value of the target or even the desire to move ahead.
In the event that diligence uncovers concerns, some privacy and cybersecurity risks will warrant closing conditions and/or special indemnities to meet the risk tolerance of the acquiring entity. In serious situations, such as where a data breach happens or is identified during a transaction, there may even be a price renegotiation. Understanding the depth and presence of these risks should be front of mind for any entity considering a sale, both to allow for timely identification and remediation and, in some instances, to understand how persistent risks may impact the transaction if it moves ahead. For all of these situations, privacy and cybersecurity specialists are critical to the process.
The Global Spread of Privacy Requirements
The prevalence of global business, even for small entities that may have overseas vendors or IT support, creates additional layers of considerations for privacy and cybersecurity diligence.
Privacy and cybersecurity laws have existed in certain jurisdictions for years or even decades. In others, the expanded creation of, access to and use of digital data, along with exemplars like the European Union (EU) General Data Protection Regulation, have caused a profound uptick in comprehensive privacy and cybersecurity laws. Depending on how you count, there are close to or over 100 countries with such laws currently or soon to be in place. This proliferation and dispersion of legal requirements means a compounding of risk considerations for diligence.
Common themes in recently enacted and proposed global privacy and cybersecurity laws include data localization, appointed company representatives, restrictions on use and retention, enumerated rights for individuals and significant penalties. Moreover, aside from comprehensive laws that address privacy and cybersecurity, other laws are emerging that are topic-specific. For example, the EU has a rather complex proposed law related to the use of artificial intelligence. It is critical to ensure that the appropriate team is in place to diligence privacy and cybersecurity for global entities and to help companies take appropriate risk-based approaches to understanding the global compliance posture. It can be difficult to strike a balance in diligence priorities due to both the growing number of new global laws and the lack of many (or any) historical examples of enforcement for these jurisdictions. But robust fact-finding paired with continued discussions on risk tolerance and business objectives, and careful consideration of commercial terms, will help.
Artificial Intelligence and Machine Learning
As mentioned, artificial intelligence is a hot topic for privacy and cybersecurity laws. One of the biggest diligence risks related to artificial intelligence and machine learning (AI/ML) is not identifying that it's being used. AI/ML is a technically advanced concept, but its use is far more prevalent than may be immediately understood when looking at the nature of an entity. Anything from assessing weather impacts on crop production to determining who is approved for certain medical benefits can involve AI/ML. The unlimited potential for AI/ML application creates a variety of diligence considerations.
Where AI/ML is trained or used on personal data, there can be significant legal risks. The origin of training data needs to be understood, and diligence should ensure that the legal support for using that data is sound. In fact, the legal ability to use all involved data should be assessed. Companies commonly treat all data as traditional proprietary information. But privacy laws complicate the traditional property-law concepts, and even if laws permit the use of data, contracts may prohibit it. Recent legal actions have shown the magnitude of penalties a company can face for wrongly using data when developing AI/ML. Notably, in 2021 the U.S. Federal Trade Commission (FTC) determined that a company had wrongly used photos and videos for training facial recognition AI. As part of the settlement, the FTC ordered that all models and algorithms developed with the use of the photos and videos be deleted. If a company's primary offering is an AI/ML tool, such an order could have a material impact on the company.
Additionally, the use of AI/ML may not result in the intended output. Despite efforts to use properly sourced data and avoid negative outcomes, studies have shown that bias or other integrity issues can arise from AI/ML. This is not to say the technology cannot be accurate, but it does demonstrate that when performing diligence it is crucial to understand the risks that may be present for the purposes and uses of AI/ML.
Data Security Incidents
Security incidents have been the topic of many a headline over the past few years. Some of these incidents are the result of the growing trend of ransomware and other cyber extortion, including data-theft extortion and even denial-of-service extortion. The identification of a data security incident may well have a serious impact on a transaction. Moreover, transactions can be impacted by data security incidents occurring before, during and after a transaction. Below we outline some key considerations for each.
An Incident Happened BEFORE a Transaction Started
- Incidents that happened before a transaction will generally be known only if the target company itself identified them, so it is key to employ a detailed and thought-out list of diligence questions.
- Be certain that you have experts involved who themselves understand the impact of the information being provided and have up-to-date knowledge of current cyber events.
- It is imperative not to consider these issues in a silo. Incidents may result in litigation, insurance ramifications and reporting requirements with a variety of regulators. Ensure that privacy and cybersecurity diligence is coordinated with other specialists to avoid gaps or missed information-sharing opportunities.
- Be sure to assess the likelihood that a past incident could create future liabilities. For example, when reporting an incident to the Office for Civil Rights at the Department of Health and Human Services, it is not uncommon for several years to pass before there is an investigation.
- Equally important is ensuring that the company actually completed appropriate remediation.
- If an incident has been identified, accounting for residual risk should be part of the agreement. Representations that there have been no incidents (partnered with any appropriate disclosures otherwise) are standard even where no incident has been identified. However, known incidents are unlikely to be covered by representations and warranties insurance, and therefore more specific options may be prudent. For example, depending on the nature of the deal, a special indemnity relative to such an incident may be a good idea, and it is important to gather as much information about the incident as possible to accurately project the potential liabilities arising from residual risks and negotiate a special indemnity.
An Incident Happens DURING a Transaction
- An incident that starts or is identified as ongoing prior to signing may cause a transaction to pause or be renegotiated. Always maintain open and immediate communication with the transaction leads when an incident is identified—or suspected.
- An incident that happens or is identified as ongoing between signing and close can create a series of complex issues. Potentially the most problematic is that it can take a while to understand the full nature and impact of an incident. This may make it challenging to argue that an incident meets certain standards (e.g., a material adverse event) that could allow the parties to walk away within the necessary contractual time period. In such situations, it is imperative that appropriate legal, regulatory and technical talent is leveraged to investigate and determine the facts as soon as possible.
- If moving ahead with the transaction, it is imperative to assess the new risks being assumed. This includes preparing for immediate post-close response and remediation actions.
- While it can be a challenge, before the consummation of a deal it is critical to watch the lines of separation to preserve the breached entity's privilege and its independent responsibility with respect to the incident.
An Incident Happens AFTER a Transaction
- Incidents post-close are likely to be the responsibility of the acquiring/merging entity.
- However, it's key to understand when the incident began as that may impact options, responsibilities, liabilities and indemnification rights (particularly if it actually started pre-close).
- Be sure to also verify what, if any, specific protections were included in the agreement that may relate to an incident.
While far from the totality of privacy and cybersecurity considerations for transactions, these topics should help establish a baseline understanding of what to look for and how to approach privacy and cybersecurity in the current legal environment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.