Managing data privacy issues in M&A transactions



FW moderates a discussion on managing data privacy issues in M&A transactions between Mary Ellen Callahan, a partner at Jenner & Block, Adam Pang, a director at Merrill DataSite, and Jim DeGraw, a partner at Ropes & Gray.

FW: Could you provide an insight into why it has become so important to manage data privacy issues during an M&A transaction? What key considerations do parties to a transaction need to make in this regard?

Callahan: Data – and particularly personal data – are valuable resources, often considered to be the intellectual property of companies in the 21st century. Because data is so valuable to companies, they are the keystone of any transaction. As a result, acquiring companies need to understand what promises the acquired company has made with regard to personal data, and the acquired company needs to be forthright to assist in due diligence. Key considerations include reviewing the privacy policies and any public statements about the collection, use and transfer of data, determining whether consent is required before transferring the data to the new company, and understanding data flows and database architecture.

Pang: Almost all M&A transactions require the parties to exchange personal data. The failure of a target company to meet its data privacy obligations can present a major risk to any company looking to acquire it. Addressing data protection compliance at an early stage allows sufficient time for any necessary remedial steps. Compliance and applicable laws should be an important consideration in the merger and acquisition process. Government agencies and regulatory bodies are reviewing privacy and data security issues in M&A transactions with increased scrutiny, in some cases resulting in significant enforcement.

DeGraw: Data privacy and security concerns can present classic systemic enterprise risk issues in M&A transactions. Rare today is the M&A target that does not rely heavily on data and information technology. As data breach experience has shown, even what were once viewed as ‘brick & mortar’ companies can be significantly harmed if they do not handle data properly. These systemic issues run the gamut of data privacy and security concerns. If a target company has failed to, or cannot, collect and deploy data in a manner consistent with applicable data privacy laws, the entire business model on which a transaction is premised may not be viable. Similarly, if a target has failed to adequately protect sensitive consumer data in its possession, it can easily incur substantial costs to investigate and remediate a breach incident, defend against regulatory investigation and class action lawsuits, and pay out damages and fines. Even if not catastrophic, data events can result in significant costs. Smart enterprises that believe they may be acquired therefore invest ahead of any transaction to make sure they collect, use and protect data reasonably and properly. And smart enterprises considering acquiring others will include data privacy and security considerations as a key part of their deal diligence and risk allocation plans.

If a target company has failed to, or cannot, collect and deploy data in a manner consistent with applicable data privacy laws, the entire business model on which a transaction is premised may not be viable.
— Jim DeGraw

FW: To what extent have recent regulatory and legislative developments increased the potential liabilities in connection with data privacy? What additional challenges might arise in cross-border deals?

Pang: Failure to adequately identify and address data privacy and security issues during a transaction could expose both buyers and sellers to a litany of adverse consequences, including lawsuits, fines or other governmental sanctions, audits, suspensions, breaches of contracts and overall reputational damage. If the proposed M&A transaction is structured as a merger or stock purchase, the buyer may be assuming the target’s past liabilities, including those for privacy compliance. Accordingly, buyers in such deals should conduct a more comprehensive analysis of the target’s past and current compliance with privacy laws, including with respect to actual or suspected breaches of the Target’s privacy policies or IT security. Even if they do not assume the Target’s liabilities, buyers should assess whether the Target complied with applicable privacy laws when it collected such data and review any associated limitations on the buyer’s subsequent use of the personal data.

DeGraw: Data privacy lawmaking and regulatory pressure continued apace worldwide last year, and shows no signs of letting up. In the US, the Security and Exchange Commission and the Federal Communications Commission have become quite active in examining data handling practices. This is in addition to the active stance already taken by the Federal Trade Commission and states’ attorney generals. This greatly overlapping regulatory interest creates a heightened risk of regulatory enforcement, while states and the federal government show an increased willingness to legislate more in the area, adding to execution risk. From a cross-border perspective, there are increasingly more countries, especially in Asia, that have adopted and are now implementing comprehensive data regimes. As for the EU, the recent falling apart of the US-EU safe harbour for transferring personal data has created some uncertainly for companies doing cross-border deals, as will the impending changes to EU data law, which we expect to be announced soon.

Callahan: In the US, the Federal Trade Commission has, through consent decrees, established that any material change to a privacy policy relating to previously collected personal data requires affirmative consent, and California has a similar statute. For US transactions, most privacy policies already have a ‘change of assets’ provision to allow for a transfer in a transaction. If the acquired company does not have such a provision, that is a red flag. For international transactions, not only is it important to review the privacy policy, local data protection and privacy laws should be reviewed to determine whether consent is necessary before effectuating the transaction.

FW: What privacy vulnerabilities commonly arise during the M&A due diligence process? What technology solutions are available to mitigate these risks?

DeGraw: The most common vulnerability we still see is the target company that has not given data handling proper consideration, especially if collecting or processing sensitive information. An M&A target company that deals in sensitive consumer data that lacks a chief data privacy or security officer is a potential red flag, as is the lack of proper data handling policies and procedures or a company that has never conducted a data security assessment. While there are some technological solutions that can help mitigate privacy and security risks, deploying these tools can require a fair amount of sophistication and expertise. And that may not be available to a target company to fix a problem amid the rush to get a deal done.

Callahan: While a review of the acquired company’s public statements is the first step to privacy due diligence, it should not be the last. Acquirers should do a review of any public-facing websites and mobile applications to make sure they are performing as promised, and there is no data leakage or inappropriate disclosure of information – law firms and some due diligence companies can do these reviews. Privacy and cyber security readiness questions should be incorporated into any M&A due diligence.

Pang: Prior to disclosure, a seller should review its privacy policies and applicable laws to carefully determine what personal data it can share during the due diligence process, as well as to evaluate compliance, data use restrictions and other issues. Great care should then be taken to limit the disclosure of sensitive information and personal data, with an emphasis on avoiding disclosing data that could trigger security breach obligations. Due diligence should be conducted via a secure method that allows controlled access with a data room provider that satisfies current, topical data privacy concerns via a comprehensive ISMS policy.

Due diligence should be conducted via a secure method that allows controlled access with a data room provider that satisfies current, topical data privacy concerns via a comprehensive ISMS policy.
— Adam Pang

FW: In your experience, are today’s acquirers more likely to evaluate the cyber and privacy framework at operation in a potential target, to identify weaknesses and potential liabilities?

Callahan: In our opinion, privacy and cyber security risks are under-emphasised for a variety of reasons. They have not been a part of ‘traditional’ due diligence, the analysis requires a different skill set than typical transactions, including understanding what is the current standard for commercial reasonableness, and the standards are evolving. Privacy and cyber experts should be incorporated into any M&A due diligence. In our experience, privacy analysis has materially modified the transaction’s terms several times, due to identified deficiencies that might not have been acknowledged in traditional due diligence.

Pang: The identification of potential data protection issues or areas of concern are certainly part of the preparatory steps taken by acquirers early on in an M&A process. This process includes – but is not limited to – identifying what information is required to carry on the business post-acquisition, how the buyer’s proposed use of the information post acquisition differs from the seller’s current use, whether the business is heavily reliant on personal data, and the significance of the personal data in the transaction. Additionally, areas such as security awareness training for staff, data protection policies, physical building access and IT infrastructure should also be considered.

DeGraw: Evaluating a potential target’s cyber and privacy framework from both a legal and technical perspective is a typical part of the diligence process for today’s transactions. Identifying not only weaknesses and potential liabilities is on the list, as well as identifying additional potential opportunities for putting a target’s data and systems to work.

FW: What options are available to mitigate the security risks posed by portable devices? Do parties fail to appreciate the potential impact of BYOD, and the increased chance of a sensitive information leak?

Pang: BYOD policies raise a number of data protection concerns, mainly due to the fact that the device is owned by the user rather than the data controller. Central to mitigating risk is having a clear BYOD policy so employees connecting their devices clearly understand their responsibilities. Auditing should be carried out on types of personal data to be accessed and the devices used. Clear data separation should also be considered as part of a BYOD implementation plan, including ring-fencing data, perhaps within a specific app, as well as ensuring the data is kept confidential in case the device is lost. Companies should consider which type of corporate data can be processed on personal devices, how to encrypt and secure access to corporate data, how corporate data should be stored on personal devices, how and when the corporate data should be deleted from personal devices, and how data should be transferred from personal devices to corporate servers.

DeGraw: Companies need to look at encryption, remote management, training – and encryption again. We have moved past the point where encrypting portable devices is expensive or hard. Regulators therefore often expect that encrypting sensitive data on portable devices should be done, and there are statutes that require that it be done in certain instances. Tools that remotely and effectively manage data on devices that are part of a BYOD programme are also widely available, and those tools and user training should be part of any comprehensive security programme. Companies that are not up to speed on data handling and security issues fail to appreciate that BYOD risks can be managed.

Callahan: The overall interconnectivity of our devices creates risks both for companies and individuals. In cyber security, the lowest common denominator, or least protected asset, is the vulnerability for companies, therefore the entire cyber ecosystem needs to be analysed for cyber security risk. Companies often consider cyber vulnerabilities to be only an IT risk, but given the interconnectivity, the value of company data and the opportunity for breaches or leaks, cyber security governance needs to be incorporated into corporate risk governance, particularly if an acquisition is anticipated.

Companies need to perform a privacy and cyber hygiene assessment proactively as part of their overall corporate risk governance to avoid any deal breakers or ‘gotcha’ moments during the heat of a transaction.
— Jim DeGraw

FW: Going forward, do you expect data privacy issues to take on increasing importance in M&A transactions? Can parties realistically keep ahead of the game considering the ever-increasing technological complexity of today’s business environment?

DeGraw: We are at the early stages of the information revolution. As once simple devices, like thermostats and phones, morph into sophisticated data collection and use tools, and the Internet of Things exponentially complicates information networks, the importance of carefully understanding the risks and potential of data is only going to increase. To remain competitive, parties will necessarily need to stay ahead of these developments. And to understand the ever-evolving legal risks associated with the same developments, parties will need lawyers who are staying ahead of both technology and data privacy legal developments.

Callahan: Privacy and cyber security issues are increasing in importance as more data and industries transition to electronic environments. Companies need to perform a privacy and cyber hygiene assessment proactively as part of their overall corporate risk governance to avoid any deal breakers or ‘gotcha’ moments during the heat of a transaction. Understanding where the current industry standards are, and where they are going, is crucial.

Pang: Increased scrutiny from regulatory bodies will continue to keep this topic relevant and will remain an ongoing challenge in M&A. Today, privacy laws exist in more than 90 countries worldwide with varying degrees of severity. Inevitably, the cross-border nature of today’s M&A environment will facilitate the need to appoint a dedicated person or team responsibility for privacy-related issues. Sellers can stay ahead of the curve by being better prepared, checking the business is in good ‘data protection shape’ to ensure a smooth transaction. They should notify individuals where appropriate, regularly update data privacy policies, adopt appropriate organisational security measures, safeguard cross-border data transfer and adhere to regulatory compliance authorities. For a buyer, a thorough assessment of the IT infrastructure of a target organisation is always advisable. IT processes, operating systems, documentation, risk assessment, security standards, registration with data protection authorities and previous breaches of security should all be reviewed during the due diligence phase. The simplest way to manage cyber threats and maintain confidentiality over data is by partnering with an organisation that is an expert in online data security, which will help manage and mitigate risk throughout every stage of the process.

FW: What final piece of advice can you offer to dealmakers, on both the buy and sell side, about managing data privacy issues during M&A?

Pang: Preparation is key. Do not start the transaction process unprepared. Get to know the other party. Do not assume business compliance when it comes to data privacy. Both parties should perform extensive due diligence procedures. Seek and retain external legal advice and appoint a person or team responsible for privacy-related issues. Always implement security measures in respect of the transaction process. Ensure diligence questionnaires include specific request forms appropriate for data protection matters. Any issues identified should also be immediately addressed. Recognise red flags such as a company’s overall data protection non-compliance, risky agreements with service providers, recent and frequent data security incidents, pending legal claims and procedures, data protection sanctions and adverse PR exposure, lack of ability to lawfully transfer or sell personal data, and false representations and warranties about the status of data privacy compliance. Continue to educate and collaborate with your teams to achieve business objectives. Lastly, remain alive to cyber security threats.

DeGraw: Be realistic. The market and technology is evolving, no one has perfect security and no one has figured out all the data privacy pitfalls and opportunities. But addressing these issues rationally, reasonably and intelligently, as part of an overall deal or organisational risk approach, will help dealmakers better manage the risk and reap the benefits.

Callahan: Privacy and cyber security cannot be afterthoughts. Incorporate corporate privacy and cyber security assessments proactively to avoid unforeseen pitfalls. Privacy and cyber security will be important throughout the corporate lifecycle, from start-up design, to IPO valuation, to sale or merger. During a transaction, due diligence is important, including incorporating privacy and security questions. But understanding the risks and being able to create a valuation of that risk is what sophisticated transactional lawyers need to be doing, or work with their privacy colleagues to do.

Mary Ellen Callahan is the Chair of Jenner & Block’s Privacy and Information Governance Practice. She has unique and broad experience advising clients at the interface of privacy protection with cyber security and national security issues. A nationally recognised privacy attorney with a decade and a half of outside counsel experience, she served as Chief Privacy Officer of the US Department of Homeland Security from 2009 until August 2012. She can be contacted on +1 (202) 639 6064 or by

Adam Pang is a director at Merrill DataSite. Mr Pang joined the firm in June 2006. He has over 13 years of experience in financial and information solutions management, working both in London and Hong Kong. Based in the London office, Mr Pang is focused on driving the International sales effort in the UK and emerging markets. He can be contacted on +44 (0)20 7422 6268 or by email:

Jim DeGraw is a partner in Ropes & Gray LLP’s corporate technology group. He regularly provides data incident crisis management counselling, leads investigations into potential data breach events, advises clients on establishing and conducting assessments of information security and data handling governance programmes, and helps clients structure data licensing businesses. With a background in computer science and as a certified privacy professional, CIPP/US, he is known for providing clients facing data concerns with practical, strategic advice. He can be contacted on +1 (415) 315 634 or by email:

© Financier Worldwide



Mary Ellen Callahan

Jenner & Block


Adam Pang

Merrill DataSite


Jim DeGraw

Ropes & Gray

©2001-2019 Financier Worldwide Ltd. All rights reserved.