A merger is an exciting event. Perhaps the company you built from the ground up is being acquired, and you will have access to the resources needed to expand your vision. Or maybe you are merging with a competitor to achieve market dominance, or your hostile takeover was a success. You are soon going to have a new set of shareholders to impress. Either way, a new phase in the lifecycle of your business has begun. As you proceed with the process, we cannot stress enough the importance of proper cybersecurity protection.
Our legal team here at Newburn Law has years of experience helping our clients in M&A transactions ensure that they engage in best practices. Without proper cybersecurity and privacy practices, deals can turn catastrophic.
Why It's Important to Get Cybersecurity Right During the Merger
While the acquiring company and its target have their cybersecurity infrastructure in place going into the deal, the two will likely have to be integrated to complete the merger. Two networks coming together can easily create gaps in the firm's security infrastructure. If left unnoticed, these gaps could create vulnerabilities hackers can exploit.
For example, the FBI has warned that hackers purposely target companies undergoing time-sensitive financial events, like mergers. These hackers threaten to leak commercially sensitive information if the companies do not pay the hackers a ransom. Because the release of this data could affect the price of the company's stock, the stability of which is essential during a merger, the victims often pay the ransom.
Verizon's acquisition of Yahoo is an example of poor cybersecurity practices affecting the merger process. In July of 2016, Yahoo and Verizon entered into a stock purchase agreement for all of Yahoo's operating businesses and at least one subsidiary valued at $4.83 billion.
Around that time, a hacker had told Yahoo they had stolen user data from almost 1 billion accounts on their network. Despite the hacker's claim and their own ongoing review of a previously undiscovered breach that occurred two years earlier, Yahoo issued a statement to the Securities Exchange Commission (the “SEC”) saying it had no knowledge of any security breaches, unauthorized access, or unauthorized use of its IT system.
Five weeks later, Yahoo had to disclose to Verizon and the public at large that they experienced a breach in 2014. Then in December 2016, Yahoo had to disclose that the hacker had stolen user data from almost a billion user accounts. These breaches were not only embarrassing for Yahoo, but they also affected the merger. Yahoo had to grant Verizon the following modifications to the transaction:
- A $350 million price reduction,
- Yahoo would be liable for all liabilities arising from lawsuits brought by shareholders and the SEC investigations related to the two breaches, and
- Liability for 50% of any governmental fine brought by someone other than the SEC and any third-party litigation.
Bad Cybersecurity Practices and Regulatory Fines
As you can see, good cybersecurity practices are paramount during a merger. Other negative consequences of bad cybersecurity and compliance practices are the fines imposed by government bodies for being out of compliance with their regulations. It is important to note that the following is not an exhaustive list of fines and penalties. Further non-compliance is all that is necessary for these fines to be levied against a company; no breach of the network is required.
The General Data Protection Regulation
The General Data Protection Regulation (the “GDPR”) is the European Union's flagship data protection and privacy law. It governs how personal data, which it defines as data that can be used to identify someone, is handled by those who have the power to process it. As a result, GDPR fines do not just result from a breach. They can arise from many administrative failures, such as:
- Not appointing a Data Protection Officer,
- Keeping records of personal data processing activities, or
If the numerous and varied infractions of the GDPR were not burdensome enough, the fines it imposes are. The maximum penalties allowed by the GDPR run up to 20 million euros or 4% of global annual revenues, whichever is larger. These fines can be levied against businesses outside the EU, that a website is accessible to internet users within the EU is sufficient for the GDPR to apply.
Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act (“COPPA”) is an American data privacy law designed to protect children under the age of 13 on the internet. The rule applies to general audience websites that have actual knowledge that they are collecting data from children under the age of 13 and to commercial websites, mobile applications, and internet-enabled devices like smart toys directed at children under the age of 13.
It also applies to those that collect, use, or reveal the data from these websites, apps, and devices. The civil penalties associated with violations of COPPA can reach up to $46,517 per violation. The fine is not tied to the number of victims but the number of times the victims had their rights violated. Thus, if a child can log in to the website three times a day, the $46,517 fine can be imposed three times.
The Health Insurance Portability and Accountability Act
A perfect example of an industry-specific regulation, the Health Insurance Portability and Accountability Act (“HIPAA”), is a law that governs many aspects of the healthcare and health insurance industries in the United States.
Among the rules outlined in HIPAA is the Privacy Rule, a data security rule dictating how Personal Health Information must be stored and protected. The Department of Health and Human Services' Office for Civil Rights enforces HIPAA policies. Depending on the circumstances around the violation, the Department can fine up to $50,000 and bring criminal charges against individuals.
Using Best Practices
So how does one avoid breaches and violations of data privacy laws during a merger? The answer is to use best practices during the due diligence process and ideally use best practices before the target company was propositioned for acquisition. But what are best practices?
Fundamentally, it's a nebulous concept with a meaning that varies depending on the context in which it is used. But, in general, best practices mean whichever industry generally accepts techniques or methods to produce the best results compared to other ways of completing the task. Thus, it is usually the case that the industry-standard constitutes best practices.
For example, a toy manufacturer would need to comply with COPPA to be using best practices. Yet, a hospital would need to comply with HIPAA to be using best practices. However, it is unlikely that a toy manufacturer would need to comply with HIPPA or that a hospital would have to comply with COPPA. Thus, best practices are an industry-specific set of practices generally accepted by that industry to be the best way of completing a task or objective. In the context of the cybersecurity due diligence process during a merger, best practices would include, but would not be limited to, the following:
- Identifying the target's high-value digital assets and evaluating their importance to the business.
- Evaluating the target's cybersecurity program to protect these high-value digital assets.
- Assessing the target's reliance on third-party providers like goods, services, data, joint ventures, and outsourced business functions.
- Assessing its incident-response capabilities based on their previous breaches and other security incidences.
- Identifying applicable laws and regulations, then determining if the target is compliant with them and who is responsible for their compliance.
- Evaluate the target network's ability to withstand a directed cyber-attack.
- Assess the target's data-sharing practices, including:
- Whether they are selling or sharing data externally,
- If data is being transferred internationally, and
- Which data procedures are third-party vendors expected to follow.
- Examine the target's data retention and disposal policies, including whether backups are retained after data is disposed of.
Assembling a Due Diligence Team
Companies should then assemble a due diligence team with the objectives set out. This team will carry out the best cybersecurity practices during the merger. The roster should include:
- In-house counsel,
- External counsel and consultants,
- The chief security, compliance, and information officers and lower-ranking members of those departments.
These members should come from both the acquiring company and the target company. We have helped act as external counsel for numerous mergers and acquisitions, ensuring both companies are compliant with all relevant regulations. It is crucial that the team you compile is experienced and knowledgeable, understanding exactly what you need to do to maintain compliance.
To ensure the success of your cybersecurity due diligence team, make sure to avoid these common setbacks:
- Ineffective communication: By including members of the target company on the due diligence team, one should receive their support in understanding the cybersecurity infrastructure of their firm. Both teams should have immediate access to the representatives of the target company should any explanations or documentation be needed.
- Insufficient Information: The target company should provide a record of its past cybersecurity incidents. If they don't or claim the information is privileged, it is important to receive an explanation and consider walking from the deal if the explanation is not satisfactory.
- Regulatory compliance: Take time to understand the requirements to ensure the target company complies with all legal and regulatory compliance obligations for one's own industry and the target company's industry if the requirements are different.
- Remote Due Diligence: Due to the COVID-19 pandemic, much of the M&A process is now done virtually. This can be challenging for establishing the personal relationships needed for teams to work together effectively. Further, site visits may prove challenging due to pandemic-related occupancy restrictions. Most importantly, secured data rooms are also virtual and should have their own dedicated security team to prevent hackers from accessing them.
To summarize, while a merger is a very exciting event for your business, it is also in a precarious position as it is becoming responsible for the actions of a different organization. As the merger proceeds, taking the appropriate measures to protect the businesses is of the utmost importance. This can be done through effective cybersecurity due diligence.
By utilizing industry-specific best practices and a qualified cybersecurity due diligence team, companies should be able to develop a thorough understanding of the target corporation. It is crucial to understand whether consummating the merger is the best option and ensure the transaction proceeds without incident.
If you have any questions about ensuring cybersecurity and privacy compliance during your merger or acquisition, contact us today to learn how we can help you. With years of experience, we know exactly what companies need to do in order to optimize their merger or acquisition and maintain that compliance.