Thursday, May 7, 2020
Privacy Battles in M&A Transactions
Kate Black, Greenberg Traurig; Jill Green, Morris Green; Edward Hu, TrustArc
Speaker: Kate Black, Shareholder, Data, Privacy & Cybersecurity, Greenberg Traurig
Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Prior to joining GT, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.
Speaker: Jill Green, Principal, Morris Green LLC, providing expert privacy and legal consulting services
2014-2020: Deputy General Counsel, Global Privacy Officer, Genomic Health (acquired by Exact Sciences)
Jill holds CIPP/E and CIPP/US certifications.
Speaker: Edward Hu, Senior Counsel & Data Protection Officer, TrustArc
Edward serves as legal and regulatory counsel for the internal privacy and data governance program at TrustArc and also supports the TrustArc privacy solutions product lines. In his prior role at the company, he worked with the privacy, security, and legal teams at dozens of companies seeking to improve or certify their programs against a variety of legal frameworks. He holds CIPM, CIPT, CIPP/E, and CIPP/US certifications.
Privacy Battles in M&A Transactions
• Purpose of Session
○ Provide firsthand experience from privacy professionals in the M&A context, from beginning to end, including post-close integration.
○ Provide a priority list of considerations and practical tips useful to any privacy professional.
○ Provide a forum in which conference participants can share their own wisdom regarding privacy considerations in M&A.
• Presentation Sections
○ Due Diligence
○ Pre-Close to Day 1
○ Post-Close Integration
• Q&A + Sharing
The “Why This Matters” Slide
● According to one report, 40% of acquiring companies engaged in M&A discovered a cybersecurity/privacy problem during post-acquisition integration of the Target
● More often than not, lawyers ask a battery of out-of-the-box questions not germane to the Target’s actual business
○ overemphasis on data breaches
○ lack of awareness of broader privacy/cybersecurity issues
● If you’re in-house counsel at the Acquiror, you can’t punt to the outside counsel handling the transaction
● Changes to the economic climate are likely to result in changes to the corporate landscape.
Due Diligence Navigating the Fog of War
So you’re going to buy a company... ...and you’re in charge of privacy due diligence. How are you going to start?
● Understand the Target’s business - stat
○ Public filings, Google, the Target’s website
● What privacy regs are likely to apply?
○ Use a checklist/questionnaire to organize your questions and the Target’s responses
● Lots of examples online - and if you’re using outside counsel, they will have one
The Fog of War...
● Vulnerability
● Uncertainty
● Complexity
● Ambiguity
...requires agility, analysis, creativity, and resources.
Contributing Factors:
● What’s your own company’s risk appetite and awareness of privacy risks?
● What other deal issues are competing for attention?
● Does the timeline keep changing?
How do you move forward, effectively?
Focus on what you are really trying to achieve: enough knowledge of the Target’s privacy compliance program to give your CEO a risk-based assessment of its maturity and of any specific risks to mitigate in the merger agreement or during the closing period.
First steps:
● Do send that checklist, and keep track of responses and holes in the documentation
● Do your own review of public-facing policies
○ Are they tailored to the business? Accurate under current law?
○ Test the email addresses - does anyone respond if you email privacy@targetco.com? How quickly?
○ Ask (but verify) whether the Target has appeared on the HHS breach portal (the “Wall of Shame”), been subject to an FTC settlement, or had other publicly reported incidents.
○ Any mention of adherence to an InfoSec framework (ISO 27001, HITRUST, NIST)? If so, ask for documentation - a claim on a website is not evidence of a current certification or audit.
Second phase of diligence
● You’ve received the initial set of responses to your checklist. What are the GASP responses? Where was there no response (this will happen)?
○ Pick what matters most; you won’t have time to chase every thread, and you will need to prioritize given limited time, resources, and executive patience with privacy matters
○ Modify reps, warranties, and closing covenants accordingly
○ Review the draft disclosure schedule: does what you are seeing match your work so far? What’s missing?
● Get buy-in to schedule one or several calls with the Target’s Privacy Lead/Compliance Officer
○ What if they are not over the wall? Push for this - you can’t get adequate visibility without it
○ Address your priority list - GASP responses, missing responses
○ Ask open-ended qualitative questions, even as far as “what privacy issues keep you up at night?”
Second phase of diligence, Part Deux
● Don’t ignore other parts of the data room!
○ Finance - review the scope of insurance, especially cyber insurance coverage
■ Fact check - are there contracts in place with approved incident response vendors?
○ Material contracts
■ Is the Target a DoD supplier? Look for NIST compliance in the IT folder (for DoD contractors handling controlled unclassified information, DFARS 252.204-7012 points to NIST SP 800-171)
■ Key customer contracts
● What are the Target’s obligations, and is there evidence of compliance? (Does the Target have a clear, defined process for reporting incidents to customers?)
■ Customer Service & Sales
● Any SOPs on DSARs (data subject access requests)?
● What are the marketing practices? Good compliance with CCPA?
■ IT/InfoSec
● Is there a data flow map? What’s the system architecture, and are there appropriate contracts with key suppliers/cloud providers?
■ Generally: how sophisticated is the Target in contracting? How robust are the data protection clauses in its templates?
Down to the wire...
● No one is looking at the diligence checklists anymore
● Negotiating the merger agreement and the disclosure schedule at the same time
○ What reps can you get into the agreement vs. your “to do” list during sign-to-close and post-close integration?
■ Ideally, reps specifically address compliance with all relevant privacy regimes (and not just a blanket “compliance with laws” rep)
■ Reps should require disclosure of past enforcement actions, security incidents, and any legal proceedings in the privacy arena
● Common ‘last’ issues:
○ Materiality qualifiers
○ Lookback period (“Since July 1, 2015 … .”)
○ Forward-looking covenants to improve security and privacy practices in the pre-close period
● Clearly communicate to your client a list of the resources needed to resolve major gaps post-close.
So you’re getting bought...
● First of all, are you, as the leading privacy professional in your organization, over the wall?
● Second, what are your ethical responsibilities in the diligence process?
○ Answer the questions asked, truthfully and with integrity, while reminding yourself that your company is your client
■ This is of course true whether or not you are an attorney for the company
○ But what if the Acquiror isn’t asking the right questions?
■ What are your practical concerns?
■ What are the ethical considerations in play, especially for attorneys?
● Model Rule 4.1 (truthfulness in statements to others)
● But this is not an area for “puffery”
■ Make sure the lead negotiating attorney knows this - it’s another data point
● Same issue - it’s a fog of war, and even a little worse than on the Acquiror side!
Pre-Close to Day 1
So you signed the deal …
● Depending on what happened during the fog of war, you may be in a variety of situations
○ As an Acquiror, you might …
■ Have a robust understanding of the Target’s maturity level and any associated risks relating to its privacy and InfoSec programs; or...
■ Have a sense of the Target’s compliance level, and a good list of follow-on questions and “to dos” to start with; or...
■ Have only the level of information you could find publicly, with no real input from the Target
○ As a Target, you might …
■ Be very curious about the Acquiror’s own privacy/InfoSec program. After all, you didn’t get to ask any questions!
■ Be completely unmotivated to help with the integration process. After all, you just got bought!
● Role of in-house legal team vs. outside counsel
○ Once the deal is signed, internal counsel has to build relationships with their new colleagues. Outside counsel may be in a better position to play “bad cop”.
The Integration Process
In an ideal world …
● The combination of the two companies takes the best practices of each, to maximize synergies and shareholder value
Show of hands - how often does this happen??