The FTC can hold an acquirer responsible for the bad data security practices of a company that it acquires. Evaluating a potential target’s data security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed. For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, but were discovered months after a transaction closed. The following provides a snapshot of information concerning hacking.

21 months 

Number of months hackers penetrated a target’s systems before the target was acquired and investigated by the FTC.1

9 months

Number of months hackers continued to penetrate a target’s systems after the target was acquired and investigated by the FTC.2


Due diligence questions relating to data security to consider in a M&A transaction:

  • Is the target subject to a sector specific data security law?
  • Has the target received a regulatory inquiry concerning its data security practices in the past two years?
  • Has the target received litigation claims concerning its data security practices?
  • How many data security incidents has the target experienced? Is the quantity reported commensurate with what would be expected given the industry, type of data held by the target, and quantity of data held by the target?
  • What data breaches has the target experienced? Is the quantity reported commensurate with what would be expected given the industry, type of data held by the target, and quantity of data held by the target?
  • Does the target have a Written Information Security Program (“WISP”)? If so, is it appropriate given the type and quantity of data held by the target?
  • Does the target have an Incident Response Plan (“IRP”). If so, is the IRP appropriate and effective?
  • How has the target dealt with prior security incidents and security breaches?
  • Has the target conducted and documented internal security assessments?
  • Has the target conducted and documented external security assessments (e.g., penetration tests, vulnerability scans, data security audits)?
  • If the target accepts payment cards, are any areas of non-compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) identified in their most recent Report on Compliance (“ROC”)? Does the ROC appear to accurately describe the target’s network and payment card infrastructure?
  • Has the target conducted a data map or a data inventory?
  • What are the target’s data retention policies?
  • Does the target have a vendor management program in place? If so, how has the target evaluated the security practices of its vendors and subcontractors?
  • Did the target have dedicated employees focused on data security issues (g., a Chief Information Security Officer)?

1. See, In the Matter of Reed Elsevier and Seisint, FTC Docket No. C-4226 (July 29, 2008), https://www.ftc.gov/enforcement/cases-proceedings/052-3094/reed-elsevier-inc-seisint-inc-matter.

2. Id.