Data privacy and cyber-security risks play an increasingly prominent role when evaluating a potential corporate merger or acquisition target. Knowing how to manage these risks could mean the difference between a smooth M&A transaction and one that quickly turns into a liability nightmare for the buyer.

Verizon’s acquisition of Yahoo in February 2017 provides a recent, high-profile example. Verizon ultimately decided to move forward with the acquisition, even after discovering that Yahoo had suffered two massive data breaches, compromising over one billion user accounts.

In a Feb. 21 filing with the Securities and Exchange Commission, detailing an amended deal, Verizon said Yahoo will retain 50 percent of “certain post-closing liabilities arising out of governmental or third-party investigations, litigations, or other claims related to certain user security and data breaches.” Additionally, Yahoo will continue to be held fully liable for liabilities arising out of any shareholder lawsuits, as well as any SEC investigations and actions.

Some have questioned whether Verizon would have uncovered Yahoo’s data breaches if it had done more robust due diligence, a claim that Craig Silliman, Verizon’s general counsel, disputes. “There is no way you can do due diligence and find something ... that the company itself hasn’t found,” Silliman told Corporate Counsel.

“I don’t think one of the lessons learned is the need for due diligence around data breaches,” Silliman added. “I do think it points to the importance of reps and warranties around data breaches.”

One benefit of having representations and warranties in a purchase agreement, as so clearly demonstrated by the Verizon-Yahoo deal, is to proactively address risks and cover any potential gaps not found in the due-diligence stage. “We are seeing the development of quite robust reps and warranties in the areas of data privacy and cyber-security,” said Joshua Rawson, a partner and leader of the U.S. Technology and Intellectual Property Transactions practice group at law firm Dechert, which recently hosted a webinar addressing cyber-security considerations in M&A transactions.

Data-privacy and cyber-security considerations in M&A transactions are a developing area. Some representations focus on ownership of the data, for example, and the ability to transfer data to the buyer without violating laws or contracts, Rawson explained. Other reps and warranties call out specific types of laws that the buyer may be concerned with and want the seller to take ownership of, including European data protection laws, he said.

Other representations in a purchase agreement address the sufficiency of security measures and backup disaster recovery measures; existing data privacy and cyber-security policies and the company’s compliance with those policies; and representations about security breaches, Rawson said. At a minimum, representations function to put the seller on notice, bring attention to issues that may need addressing, and shift risks to the seller, where appropriate, he said.

In addition to reps and warranties, due diligence—as best as it can be done—also plays an important role. Violetta Kokolus, special counsel at Dechert who advises on complex technology and intellectual property transactions, recommends the following key measures.

Review the data that is collected and how it’s used. “If you don’t understand what data is collected and how it is used, you will not be able to assess the legal risk,” Kokolus said.

Assess data flows. “Has it been exported out of the country? Has it been passed on to third-party vendors? All this information is relevant in terms of diligence,” Kokolus said.

Pay attention to the location of third-party vendors. Do you have cloud servers that are not based in the United States?

Review privacy promises of the target company. “One of the most important things to do is to review that privacy promise: Can you purchase that data from the target and use it in the way that you want as a buyer? Look at privacy policies of affiliates, as well, to see if they are collecting different types of data. All of this is important to review,” Kokolus said.

Not all target companies have a sophisticated understanding of data privacy and cyber-security issues. They may not even know if a data breach has occurred. Regardless of a target company’s level of sophistication, “diligence plays a key role,” Kokolus said.

The buyer company is not looking to educate the target company, but it can conduct its own investigation. One example is to engage the help of a third party, with the consent of the target, to conduct penetration testing.

Cyber-security considerations. The term “cyber-security” refers to a company’s systems as a whole—proprietary data, business information, and personal information. Cyber-security also refers to the protection of personal information and personal data, a focal point for regulators.

It’s important to ensure that the target company has a comprehensive information-security program in place. “Asking for privacy and information-security programs and getting from the potential target company its privacy policy is not sufficient,” said Hilary Bonaccorsi, an associate with law firm Dechert.

VERIZON ACQUISITION OF YAHOO

Below is an excerpt from Verizon's Form 8-K filing with the Securities and Exchange Commission detailing the amended deal with Yahoo.

On February 20, 2017, Verizon and Yahoo entered into an amendment to the previously announced stock purchase agreement, dated as of July 23, 2016, by and between Verizon and Yahoo (the “Purchase Agreement”), pursuant to which the parties agreed that, subject to the terms and conditions thereof, the purchase price to be paid by Verizon in connection with the acquisition of Yahoo’s operating business (the “Transaction”) will be reduced by $350 million to approximately $4.48 billion in cash, subject to certain adjustments. Subject to certain exceptions, the parties also agreed that certain user security and data breaches incurred by Yahoo (and the losses arising therefrom) will be disregarded (1) for purposes of specified conditions to Verizon’s obligations to close the Transaction and (2) in determining whether a “Business Material Adverse Effect” under the Purchase Agreement has occurred.

Concurrently with the amendment of the Purchase Agreement, Yahoo and Yahoo Holdings, Inc., a wholly owned subsidiary of Yahoo that Verizon has agreed to purchase pursuant to the Transaction, also entered into an amendment to a related reorganization agreement, pursuant to which Yahoo (which has announced that it intends to change its name to Altaba Inc. following the closing of the Transaction) will retain 50% of certain post-closing liabilities arising out of governmental or third party investigations, litigations or other claims related to certain user security and data breaches incurred by Yahoo. In accordance with the original Transaction agreements, Yahoo will continue to retain 100% of any liabilities arising out of any shareholder lawsuits (including derivative claims) and investigations and actions by the SEC.

The transaction remains subject to customary closing conditions, including the approval of Yahoo’s stockholders, and is expected to close in the second quarter of 2017.

Source: Verizon Form 8-K

Rather, when looking for cyber-risks in an M&A transaction, Bonaccorsi said some things to watch for include:

A written information security program (WISP). The WISP should address how the company protects personal information, or employee information, that it collects and retains. It sets out the technical, administrative, and physical safeguards that the company has in place.

An incident response plan. This is an action plan that generally explains what the company would do in the event of a data breach or a cyber-attack. “It lays out how a company determines whether a given incident constitutes a reportable event, how incidents will be escalated within the organization, and the names and contact information for given internal decision makers and stakeholders,” Bonaccorsi said.

Contracts with critical third-party vendors. Target companies often will say that they have customer data but, because they host it in the cloud or store it with a vendor, they don’t have anything to show in terms of how they are protecting that data. “If it’s your customers’ information—even if you’re hosting it on the cloud or with a third-party vendor—you are still responsible for it,” Bonaccorsi said.

Contractual protection of personal data. A purchasing company would want to see evidence that a target company taking this approach has itself conducted diligence in selecting a service provider or vendor, she said. One way to do that is to contractually require the vendor to protect personal data in the same way that the company would want it protected.

Evidence of cyber-liability insurance coverage. It’s not required for every company to have dedicated cyber-liability insurance. Such coverage, however, “becomes important in your diligence process as you’re looking at potential data issues that a company may have,” Bonaccorsi said. Something to keep in mind is not only whether the company has cyber-coverage, but whether it feels it has enough cyber-coverage.

During an M&A transaction, it’s also critical to ensure that data privacy and cyber-security policies are being implemented in practice. “A comprehensive information-security system and privacy policy can’t just exist on paper,” Bonaccorsi said. “Otherwise, they are essentially meaningless.”

One way to go about determining whether a program is implemented is to request additional documentation—such as risk assessments that the company has performed on its IT systems, or penetration-testing reports. “Those could give you some idea about the level of engagement the firm has with cyber-security and what risks need to be dealt with or have been dealt with,” Bonaccorsi said.

The company could also request data incident reports. Documentation of claims made under a cyber-liability policy may also provide some insight into the extent to which the company has implemented data privacy and cyber-security policies.

Finally, determine whether there have been any data incidents or regulatory issues concerning the company and how those issues were resolved or if they’re ongoing. These may include current or past information requests from regulators, for example.

In any merger and acquisition deal, conducting a robust level of due diligence is only half the battle. Putting in place representations and warranties in a purchase agreement, particularly as they concern data privacy and cyber-security matters, is becoming an increasingly important measure in ensuring a smooth and risk-free transaction.