The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies, it is far more difficult to verify that the policy is accurate or complete.
To mitigate potential liabilities, Buyer must prioritize data governance, privacy, and security concerns from the outset of an M&A transaction, from initial evaluation to post-acquisition integration. Due diligence should begin with an evaluation of relevant state, federal, and international laws in order to appropriately tailor informational requests directed to the target. Buyer should ask for policy and procedure documents to evaluate the seller’s internal controls, such as data inventories, privacy policies, information security policies, data retention policies, incident response plans, and any other data governance-related documents. The target’s response to due diligence requests should be used to negotiate appropriate pre-closing conditions, indemnities, and the ultimate transaction price.
$3 million
Civil penalty imposed by the Federal Trade Commission upon an acquirer for a data privacy violation of its acquisition that occurred prior to closing.[1]
The amount by which Verizon reduced its purchase price of Yahoo after it discovered a massive unreported data breach during acquisition.[2]
Due diligence questions to consider in an M&A transaction in order to evaluate data privacy-related risk:
1. United States (FTC) v. Playdom, Case No. 11-00724 (C.D. Cal. May 11, 2011).
2. TechCrunch, After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B (February 21, 2017), https://techcrunch.com/2017/02/21/verizon-knocks-350m-off-yahoo-sale-after-data-breaches-now-valued-at-4-48b/.