Any company—especially an entity in a highly regulated industry (such as financial services, health care, hospitality, retail, technology, and telecommunications)—seeking to sell, acquire, or merge with another company needs to carefully consider the privacy and security concerns related to the sensitive business and personal data flowing through the target company. A thorough review of a target’s privacy and security compliance programs is, therefore, a must before entering into any transaction. Compliance costs and litigation can significantly affect the value of a company, necessitating a careful assessment of any target’s potential liabilities or compliance costs that are likely to be passed on after the transaction.
Epstein Becker Green’s Privacy & Security Group undertakes privacy and security due diligence reviews and provides support capabilities to clients in the context of sales, acquisitions, mergers, and joint ventures. We help clients understand what data is being stored by the target and if it is protected; whether the target has put in place proper response and remediation processes and policies; and what, if any, disclosures are needed.
Specifically, our due diligence reviews typically include the following components:
- a review of the target company’s privacy and security policies, including compliance with relevant international, federal, and state laws and regulations;
- an examination of the target company’s protocols, procedures, controls, or other implementation directives to ensure that the adopted policies are properly integrated into the target’s business practices;
- an examination of the target company’s network security, risk assessments, and other security safeguards to protect against unlawful disclosures of sensitive data;
- verification that the target company has entered into appropriate data use agreements with any entity with which it has shared sensitive data, and a review of the content and implementation of those agreements;
- a review of the target company’s regulatory history, including if it has been (or is currently) the subject of a government investigation regarding privacy and security, as well as the manner in which the investigation was resolved; and
- an investigation into whether the target company has been (or is) the subject of private litigation relating to a violation of applicable privacy laws.
In addition, Epstein Becker Green stays involved throughout the transactional process to ensure that sensitive data is transferred in accordance with all relevant laws, rules, and regulations. We identify, evaluate, and calculate risk to our client and then develop representations, warranties, indemnities, and other contractual provisions and protections, as well as negotiate licenses, service contracts, and supplier and other agreements, to safeguard confidential information and to shift or mitigate that risk.