The FTC can hold an acquirer responsible for the poor data security and privacy practices of a company it acquires. Evaluating a potential target’s data privacy and security practices, however, can be daunting, and it is complicated by the fact that many “data” issues surface months, or even years, after a transaction has closed. For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired and were discovered only months after the transaction closed.
Due diligence questions to consider in an M&A transaction:
1. Has the target received a regulatory inquiry concerning its data privacy and security practices?
2. Has the target received litigation claims concerning its data practices?
3. Has the target tracked complaints submitted to it by consumers?
4. Has the target tracked complaints submitted by consumers to the government?
5. Is the target subject to a sector-specific data privacy or security law?
6. Does the target have an appropriate Written Information Security Program (“WISP”)?
7. Does the target have an appropriate Incident Response Plan (“IRP”)?
8. How has the target dealt with prior security incidents and security breaches?
9. Has the target conducted and documented internal security assessments?
10. Has the target conducted and documented external security assessments?
11. If the target accepts payment cards, were any vulnerabilities identified in its most recent Report on Compliance (“ROC”)?
12. Do the target’s internal privacy policies and procedures comply with legal standards?
13. Do the target’s external privacy policies and procedures comply with legal standards?
14. Has the target conducted a data map or a data inventory?
15. What are the target’s data retention policies?
16. With whom does the target share data?
17. Does the target have a vendor management program in place?
18. Have the vendors used by the target provided appropriate contractual protections?
19. Did the target have a system in place to identify privacy or security problems?
20. Did the target have employees focused on data privacy or data security issues?
The following snapshot figures illustrate the stakes of data privacy and security due diligence in mergers and acquisitions:

- $3 million: civil penalty imposed upon an acquirer for violations of the Children’s Online Privacy Protection Act that occurred prior to the sale.[1]
- 21 months: number of months hackers penetrated a target’s systems before the target was acquired and investigated by the FTC.[2]
- 9 months: number of months hackers continued to penetrate the target’s systems after the target was acquired and investigated by the FTC.[3]
[1] United States (FTC) v. Playdom, Case No. 11-00724 (C.D. Cal. May 11, 2011).
[2] See In the Matter of Reed Elsevier and Seisint, FTC Docket No. C-4226 (July 29, 2008), https://www.ftc.gov/enforcement/cases-proceedings/052-3094/reed-elsevier-inc-seisint-inc-matter.
[3] Id.