It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Along with these comprehensive data privacy laws, industry-specific laws governing the collection, use, and disclosure of protected health information, credit card information, controlled unclassified information, and more should be on the radar for businesses of all shapes and sizes. With all of these data privacy laws and regulations across the world, and the increased focus by regulators on data privacy practices, potential liability to acquirers of businesses has increased substantially.
Due to the changing landscape of privacy and data security, there has been an increased focus by regulators, representations and warranties insurance providers, and acquirers on the following:
- Sensitive personal information (e.g., Social Security numbers, driver’s license numbers, financial information, medical information).
- Credit card information and the requirements under the Payment Card Industry Data Security Standard (PCI-DSS).
- Protected health information, self-insured plans, and the requirements under the Health Insurance Portability and Accountability Act.
- Data governance programs.
- Privacy policies and written data security policies and procedures, including for compliance with the GDPR, CCPA, and state specific data privacy laws.
- Security incidents, data breaches, ransomware attacks, and vulnerabilities to each.
If an acquirer does not conduct proper due diligence on a target’s data practices and procedures, it could be buying into a lawsuit, civil penalties, third-party audits, regulatory scrutiny, or other liabilities. For example:
- The GDPR gives the supervisory authorities the power to impose limits and bans on data processing, withdraw certifications, and impose monetary fines of up to 2% of worldwide annual revenue or EUR 10 million (whichever is higher), or up to 4% of worldwide annual revenue or EUR 20 million (whichever is higher) for more serious offenses.
- The CCPA gives the California Attorney General the power to seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation.
- For a company that collects credit card information on its systems and is not PCI-DSS compliant, fines can be up to $500,000 per incident, plus penalties established by the company’s merchant agreements.
- If a company is unable to properly identify a prior security breach on its information systems, fails to provide notices in accordance with applicable law, or fails to take necessary remedial action, the company may face civil liability through enforcement actions by state Attorneys General, private rights of action, and state unfair and deceptive trade practice laws.
With new and expanding data privacy laws, an increased focus by regulators and insurance providers, and increased potential liability for acquirers, data privacy has become a necessary part of the due diligence process in an M&A transaction. Acquirers must conduct thorough due diligence on a target’s data governance plan, written policies and procedures, and past data breaches, as well as on a target’s collection, use, and disclosure of data. If documented plans, policies, and procedures do not exist, consider requiring the target to implement them as a pre-closing condition. Additionally, the acquirer should ensure the definitive agreements include proper representations and warranties pertaining to data privacy matters to better protect itself post-closing. Lastly, from a seller’s perspective, a potential target should take the proactive step of reviewing what information it collects, its data governance plan, and its written data policies and procedures, so that any material issues are addressed before they can be raised by a potential acquirer or insurance provider.
With the increasing prevalence of data privacy and security regulation, acquirers and potential targets must incorporate data privacy and security due diligence into the M&A process. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.