April 19, 2019
By Rudy Verner and Jacob Scarr
Companies looking to be acquired or planning on making a strategic acquisition need to start worrying about privacy and data security issues now, or risk paying for them later. A recent survey by Gartner’s Emerging Risks Monitor Report indicates that privacy regulations had surpassed talent shortages as the top emerging risk concerning business executives, and not without good reason. Privacy and data security concerns were undermining deals even before implementation of the GDPR and the passage of a greater number of state privacy laws. In 2017, Yahoo agreed to reduce the purchase price for the sale of their core internet business to Verizon by $350 million, or nearly 8% of the $4.48 billion deal. To make matters worse, Yahoo had to pay a $35 million penalty to the SEC for inadequate disclosures related to a data security breach.
Not just among technology companies, but in industries as varied as retail, insurance, and manufacturing, privacy due diligence around M&A transactions has seen exponential growth, and is likely to continue as more states and countries pass privacy laws and ramp up their enforcement. Representations and warranties concerning privacy, especially in public company transactions, have more than tripled in length and complexity in the last decade. Extensive breach representations, warranties of privacy practices and internal policies, and even representations concerning data subprocessors are becoming increasingly standard. Companies can expect significant negotiation over privacy risks, especially for data intensive businesses. However, even small companies that handle little consumer data could find themselves in a bind if they aren’t prepared to demonstrate compliance with data security laws, like those recently passed in Colorado.
Companies should strive to implement compliant privacy and data security practices long before they anticipate a potential acquisition. Ensuring compliance through clear documentation and implementation of sound privacy and data security practices will only become more important to reducing risks to business value at a potential exit. Likewise, acquirers would be well advised to conduct specialized due diligence into the privacy and data security practices of potential targets to ensure the negotiated purchase price reflects the true risks. While in most cases privacy and data security concerns will not be the sole reason a deal falls apart, they are an increasingly disputed deal point and driver of business value.
This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.