Data Privacy: The Hidden Security Genome for Investors and M&A Dealmakers
Data flow is the new lifeblood of the global economy; it will probably define the 21st century in the same way that oil and transportation defined the last.
Governments are regulating the data economy and have taken steps to safeguard their citizens’ and residents’ personal data with privacy laws. Yet a key pillar to most existing and pending data privacy legislation – in the U.S. and abroad – is the requirement that companies have adequate data security. Businesses that thrive in this era will not only be data savvy: security will be inherent in their DNA. Identifying this hidden security genome is now critical for investors and M&A dealmakers.
Privacy Regulation is Global
In Europe, the EU General Data Protection Regulation (GDPR) went into effect in May 2018.1The GDPR is extensive in scope, extraterritorial in reach and introduces fines of up to 4% of global group revenues on any company that fails to comply with certain provisions. That 4% fine could apply to a U.S.- headquartered global private equity fund or a multinational conglomerate.
A key requirement of the GDPR is that companies implement “appropriate technical and operational security measures.”
In the U.S., California – whose Constitution enshrines the “inalienable right” of every resident to privacy – duly followed in the footsteps of the GDPR with the California Consumer Privacy Act (CCPA). The Act gives individuals rights over how businesses collect and use their data and imposes steep penalties. Californians have the right to file a civil action against a business that fails to implement and maintain reasonable security. California’s Attorney General (AG)can impose penalties of up to $2,500 per violation, and up to $7,500 for intentional violations.
As of July 1, 2020, California’s AG has begun enforcement of the CCPA. He rejected requests from businesses to defer this date as they navigate the COVID-19 pandemic, reportedly taking the view that compliance with the CCPA is now more important than ever. The AG has indicated that he expects data breaches and class action lawsuits to decide how he prioritises enforcement of the CCPA. This follows what we have seen in the EU: Specifically, the largest reported fines under the GDPR – at an airline ($230 million) and a hospitality company ($123 million) – directly arose out of data breaches, with the latter as a result of an M&A transaction. With these regulations, it is clear to see the financial and reputational impact that investors should consider factoring into deals and their existing portfolios.
How Much Security is Expected?
California’s former AG Kamala Harris provided some guidance in the state’s 2016 Data Breach Report, which said that a failure to implement the Center for Internet Security’s Critical Security Controls (CIS CSC) constitutes a lack of reasonable security.2
This may indicate that the AG’s standard for “reasonable security” is high. However, it doesn’t follow that implementing the CSCs will amount to reasonable security; many would argue that these controls alone may prove insufficient in the face of regulatory scrutiny or a discerning judge in a class action lawsuit. A good data protection program is iterative, and requires constant reviews and adjustments. Litigation arising out of other laws – such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Federal Trade Commission Act – provides useful guidance: all demand that businesses must be able to provide a thoughtful and comprehensive account of their security programs.
Finding the Security Genome
There is no one-size-fits-all approach to executing deals with a margin of safety. But whether you are on the buy-side or the sell-side in a deal, there is a common process you can follow to prepare your organisation for any transaction. This will also help ensure that, in the worst-case scenario, you have a compelling response to future regulators and litigants.
Aon recommends cyber due diligence on a target’s operations and technical safeguards to complement the legal measures that your attorneys will address, such as data privacy contracts and third-party agreements. Cyber due diligence can reveal critical security risks early in the deal lifecycle. Acquirers are awakening to the fact that inadequate security is not just a theoretical risk; it is a quantifiable future cost that can erode deal value. Sellers equally can prepare a compelling, well-evidenced record of good data governance, security practices and privacy controls.
Dealmakers on both sides of the transaction can gain a competitive advantage by harnessing the security genome. Investors and dealmakers should consider the following:
The dark web is a bustling marketplace for cyber criminals trading stolen data. Are the target’s customer data or employee credentials being sold on the dark web? Are hackers selling access to the company’s network, or its trade secrets and other intellectual property? No company should make an investment or put themselves forward for sale before investigating the nature, extent and severity of data leakage. Leaked data is a threat to enterprise value.
Businesses cannot protect and secure data if they don’t have a process for managing it. They must identify and map out where data is stored, and which service providers and other third parties it is shared with. Where the seller has an international footprint, they should track and record flows of personal data into and out of regulated jurisdictions.
Does the seller perform regular security assessments? The privacy and security risks facing a fintech software development company and a medical testing firm will vary significantly. Each requires tailored security solutions based on a risk-informed approach. For sellers in the U.S., combining the CIS CSCs with the NIST Cyber Security Framework is a decent start. If the company operates internationally, the CSCs coupled with the ISO 27001 may be more appropriate. These should be conducted somewhat regularly: an assessment from three years ago may fail to capture today’s significant risks. If the seller has never conducted a security risk assessment, the acquirer should factor that into their deal valuation and/or model it as a future cost.
Dynamic Security Program
Does the company have a living, breathing cyber program? The old saying goes that hackers only need to get it right once; the defense – i.e. your company or investment – needs to get it right every time. Data protection and security requires ongoing evaluation, monitoring and adjustments. Many of the M&A deals in which data breaches later came to light arguably could have been structured differently had the parties involved conducted an external technical analysis of the target and research on the deep and dark web before completing the deal.
Successful Deal Making
Ensuring that data remains secure is paramount to remaining competitive in the new digital economy. At a minimum, investors should:
Perform Cyber Due Diligence on every deal
It’s not just about technology firms, all businesses leverage data and require robust data security programs. Proper cyber due diligence will help you identify data privacy risks at the technical and operational levels.
Factor due diligence findings into your valuation model and negotiations
Buying a company that requires significant cyber remediation activities and future investment is a hidden cost. Data privacy and security risks should be treated as balance sheet items.
Mitigate the risk
Plan for and execute on a cyber remediation program in the first 100-day period following the deal’s completion; this can help secure the enterprise and safeguard its value.
Transfer the risk
Use additional protections, such as cyber insurance and a representations and warranties policy, to address specific deal concerns.
The CCPA will give rise to a wave of privacy litigation and all indications are that the catalyst for this will be security incidents. Similar legislation is pending in other U.S. states, and a federal privacy law may arrive sooner than later. Investors and M&A dealmakers should consult with privacy attorneys and specialist M&A cyber professionals to help protect their assets and prepare their security story, both for future transactions and potential regulatory inquiries.