By Todd Reece
As data and network systems have become the backbone of modern business, it should be no surprise that privacy and information security have become increasingly important aspects of any merger or acquisition. Indeed, understanding the types of data a company holds, whether it has had any previous security incidents, and how it is using and protecting its data can greatly affect the risks—and potential value—of a company in any industry.
However, notwithstanding the field’s known importance, many companies still do not have their privacy and data security houses in order. Part of the problem is that outside of a few specific industries, companies face a patchwork of state and municipal laws with different requirements, leading to confusion about what they actually need to do to comply. Another part of the problem is simply linguistic—in common parlance, concepts like “privacy” and “data security” are often used interchangeably.
In this article, we lay out at a high level four interconnected areas of privacy and data security, as well as identify some key legal documents companies should be prepared to request or produce during diligence.
Data Map / Inventory
State privacy and information security laws generally apply to a business when they hold the personal information of a resident of that state. Accordingly, it is critical that businesses understand what personal information they (or a target company) have on consumers and employees, how it is collected, and what they are doing with it.
Companies on both sides of a transaction can use data maps or inventories during diligence—both to assess how well a company protects its data and to demonstrate potential value in a data set.
Data security relates to how businesses protect data in their possession. State laws typically apply only to “sensitive” personal information—such as social security numbers, financial accounts, etc.—but contractual obligations frequently extend data security obligations to “confidential” business information as well. State laws and contracts span between specific data security practices (e.g., utilizing encryption for data in transit) and generally requiring businesses to implement and maintain reasonable administrative, technical and physical security measures.
While many companies believe their data security needs are covered by their technical team, it is increasingly common, and even required, to memorialize data security programs various legal documents, such as in umbrella written information security programs, document retention policies, business continuity plans and vendor management policies. Providing or reviewing these documents can give useful insights into how advanced a company’s data security program really is.
All 50 states have breach responses laws that require companies to notify individuals and/or attorneys general after a data breach. These laws tend to focus on “sensitive” personal information, and some specifically require companies to have an “incident response plan” and keep records of incidents. During diligence, a review of a company’s incident response plan, records relating to past incidents and results or actions from annual “table top” exercises can remove uncertainty about a company’s risk.
Privacy laws relate to how a company uses and discloses personal information. Unlike data security and breach response laws, privacy laws tend to govern any type of personal information, even if it is not considered “sensitive” in the traditional sense. The European GDPR and the California Consumer Privacy—which require businesses to afford consumers various rights related to their personal data—have brought privacy to the forefront of the legal conversation. With several states and municipalities considering similar or more aggressive laws with private rights of action and statutory damages, this focus is likely to continue.
However, getting a good sense of a company’s privacy practices is not just about risk assessment—it can also help evaluate untapped potential synergies related to a company’s data set that can be realized with the proper disclosures and policy changes. Accordingly, companies should be prepared to delve into how data is used, and what disclosures are made, as part of any diligence.
About Todd Reece
Todd is a partner in the Business and Finance Department at Ballard Spahr LLP. He advises clients on transactional matters including mergers, acquisitions, financings (venture capital and private equity), securities, joint ventures, licensing matters, business formation issues, internal restructurings, and related matters.