Bryan Cave Combines with Berwin Leighton Paisner to Form Bryan Cave Leighton Paisner LLP Learn More

The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires.  Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed.  For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete.

To mitigate potential liabilities, Buyer must prioritize data governance, privacy, and security concerns from the outset of an M&A transaction, from initial evaluation to post-acquisition integration.  Due diligence should begin with an evaluation of relevant state, federal, and international laws in order to appropriately tailor informational requests directed to the target.  Buyer should ask for policy and procedure documents to evaluate the seller’s internal controls, such as data inventories, privacy policies, information security policies, data retention policies, incident response plans, and any other data governance related documents.  The target’s response to due diligence requests should be used to negotiate appropriate pre-closing conditions, indemnities, and the ultimate transaction price.

$ 3 million

Civil penalty imposed by the Federal Trade Commission upon acquirer for data privacy violation of acquisition that occurred prior to closing.1

$350 million

The amount Verizon reduced its purchase price of Yahoo after it discovered a massive unreported data breach during acquisition.2


Due diligence questions to consider in a M&A transaction in order to evaluate data privacy related rsisk:

  1. Has the target received a regulatory inquiry concerning its data privacy practices?
  2. Has the target received litigation claims concerning its data privacy practices?
  3. Has the target tracked data privacy complaints submitted to it by consumers?
  4. Has the target tracked data privacy complaints submitted by consumers to government agencies, including the quantity and nature of data privacy complaints lodged with the Federal Trade Commission?
  5. Is the target subject to a sector specific data privacy law?
  6. Do the target’s internal privacy policies and procedures comply with legal standards?
  7. Do the target’s external privacy policies and procedures comply with legal standards?
  8. Has the target conducted a data map or a data inventory?
  9. What are the target’s data retention policies?
  10. With whom does the target share data?
  11. Does the target have a vendor management program in place?
  12. What privacy representations has the target made to business partners?
  13. Have the vendors used by the target provided appropriate contractual protections?
  14. Did the target have an employee, such as a Chief Privacy Officer, who was focused on data privacy issues?
  15. If the target conducted operations internationally did it have a strategy in-place for handling the cross-border transfers of information?

1. United States (FTC) v. Playdom, Case No. 11-00724 (C.D. Cal. May 11, 2011).

2. TechCrunch, After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B (February 21, 2017), https://techcrunch.com/2017/02/21/verizon-knocks-350m-off-yahoo-sale-after-data-breaches-now-valued-at-4-48b/.