To print this article, all you need is to be registered or login on Mondaq.com.
Cyberattacks. Data breaches. Regulatory investigations. Emergingtechnology. Privacy rights. Data rights. Compliance challenges. Therapidly evolving privacy and cybersecurity landscape has created aplethora of new considerations and risks for almost everytransaction. Companies that engage in corporate transactions andM&A counsel alike should ensure that they are aware of andappropriately manage the impact of privacy and cybersecurity riskson their transactions. To that point, in this article we provide anoverview of privacy and cybersecurity diligence, discuss the globalspread of privacy and cybersecurity requirements, provide insightsrelated to the emerging issues of artificial intelligence andmachine learning and discuss the impact of cybersecurity incidentson transactions before, during and after a transaction.
There is a common misunderstanding that privacy matters only forcompanies that are steeped in personal information and thatcybersecurity matters only for companies with a business modelgrounded in tech or data. While privacy issues may not be the mostcritical issues facing a company, all companies must addressprivacy issues because all companies have, at the very least,personal information about employees. And as recent publicizedcybersecurity incidents have demonstrated, no company, regardlessof industry, is immune from cybersecurity risks.
Privacy and cybersecurity are a Venn diagram of legal concepts:each has its own considerations, and for certain topics theyoverlap. This construct translates into how privacy andcybersecurity need to be addressed in M&A: each stands alone,and they often intermingle. Accordingly, they must both beaddressed and considered together.
Privacy requirements in the U.S. are a patchwork of federal andstate laws, with several comprehensive privacy laws now in effector soon to be in effect at the state level. Notably, while itdoesn't presently apply in full to personnel andbusiness-to-business personal data, the California Consumer PrivacyAct covers all residents of the state of California, not justconsumers (despite confusingly calling residents"consumers" in the law). Further, there are specificlaws, such as the Illinois Biometric Information Privacy Act andthe Telephone Consumer Protection Act, that add further, morespecific privacy considerations for certain business activities.And while there is an assortment of laws with a wide variety ofenforcement mechanisms from private rights of action to regulatorycivil penalties or even disgorgement of IP, one consistent trend isthe increasing potential for financial liability that can befall anon-compliant entity.
Laws in the U.S. related to cybersecurity compliance are not ascommon as laws related to responding to and notifying of a databreach. In recent years, specific laws and regulations have largelyfocused on the healthcare and financial services industries.However, legislative and regulatory activity is expanding in thisspace, requiring increasingly specific technological,administrative and governance safeguards for cybersecurity programswell beyond these two industries. Additionally, while breachresponse and notification where sensitive personal data is impactedhas been a well-established legal requirement for several yearsnow, increasingly complex cyber-attacks on private and publicentities has expanded the focus of cybersecurity incident reportingrequirements and enterprise cybersecurity risk considerations.
What Does This All Mean for Diligence?
For the buy side, identifying the specifics of what data, datauses and applicable laws are relevant to the target company ispivotal to appropriately understanding the array of risks that maybe present in the transaction. Equally, at least basictechnological cybersecurity diligence is important to understandthe risks of the transaction and potential future integration. Forthe sell side, entities should be prepared to address their data,data uses and privacy and cybersecurity obligations in diligencerequests.
Separately, privacy and cybersecurity diligence should not focussolely on the risks created by past business activity but alsoconsider future intentions for the data, systems and company'sbusiness model. If an entity is looking to make an acquisitionbecause it will be able to capitalize on the data that the acquiredentity has, then diligence should ensure that those intended useswon't be legally or contractually problematic. This issue isbest known earlier than later in the transaction, as it may impactthe value of the target or even the desire to move ahead.
In the event that diligence uncovers concerns, some privacy andcybersecurity risks will warrant closing conditions and/or specialindemnities to meet the risk tolerance of the acquiring entity. Inintense situations, such as where a data breach happens or isidentified during a transaction, there may even be a pricerenegotiation. Understanding the depth and presence of these risksshould be front of mind for any entity considering a sale to allowfor timely identification and remediation and in some instances tounderstand how persistent risks may impact the transaction if itmoves ahead. For all of these situations, privacy and cybersecurityspecialists are critical to the process.
The prevalence of global business, even for small entities thatmay have overseas vendors or IT support, creates additional layersof considerations for privacy and cybersecurity diligence.
Privacy and cybersecurity laws have existed in certainjurisdictions for years or even decades. In others, the expandedcreation of, access to and use of digital data, along withexemplars like the European Union (EU) General Data ProtectionRegulation, have caused a profound uptick in comprehensive privacyand cybersecurity laws. Depending on how you count, there are closeto or over 100 countries with such laws currently or soon to be inplace. This proliferation and dispersion of legal requirementsmeans a compounding of risk considerations for diligence.
Common themes in recently enacted and proposed global privacyand cybersecurity laws include data localization, appointed companyrepresentatives, restrictions on use and retention, enumeratedrights for individuals and significant penalties. Moreover, asidefrom comprehensive laws that address privacy and cybersecurity,other laws are emerging that are topic-specific. For example, theEU has a rather complex proposed law related to the use ofartificial intelligence. It is critical to ensure that theappropriate team is in place to diligence privacy and cybersecurityfor global entities and to help companies take appropriaterisk-based approaches to understanding the global complianceposture. It can be difficult to strike a balance in diligencepriorities due to both the growing number of new global laws andthe lack of many (or any) historical examples of enforcement forthese jurisdictions. But robust fact-finding paired with continueddiscussions on risk tolerance and business objectives, and carefulconsideration of commercial terms, will help.
As mentioned, artificial intelligence is a hot topic for privacyand cybersecurity laws. One of the biggest diligence risks relatedto artificial intelligence and machine learning (AI/ML) is notidentifying that it's being used. AI/ML is a technicallyadvanced concept, but its use is far more prevalent than may beimmediately understood when looking at the nature of an entity.Anything from assessing weather impacts on crop production todetermining who is approved for certain medical benefits caninvolve AI/ML. The unlimited potential for AI/ML applicationcreates a variety of diligence considerations.
Where AI/ML is trained or used on personal data, there can besignificant legal risks. The origin of training data needs to beunderstood, and diligence should ensure that the legal support forusing that data is sound. In fact, the legal ability to use allinvolved data should be assessed. Companies commonly treat all dataas traditional proprietary information. But privacy laws complicatethe traditional property-law concepts, and even if laws permit theuse of data, contracts may prohibit it. Recent legal actions haveshown the magnitude of penalties a company can face for wronglyusing data when developing AI/ML. Notably, in 2021 the FTCdetermined that a company had wrongly used photos and videos fortraining facial recognition AI. As part of the settlement, the U.S.Federal Trade Commission ordered that all models and algorithmsdeveloped with the use of the photos and videos be deleted. If acompany's primary offering is an AI/ML tool, such an ordercould have a material impact on the company.
Additionally, the use of AI/ML may not result in the intendedoutput. Despite efforts to use properly sourced data and avoidnegative outcomes, studies have shown that bias or other integrityissues can arise from AI/ML. This is not to say the technologycannot be accurate, but it does demonstrate that when performingdiligence it is crucial to understand the risks that may be presentfor the purposes and uses of AI/ML.
Security incidents have been the topic of many a headline overthe past few years. Some of these incidents are the result of thegrowing trend of ransomware or other cyber extortions, includingdata theft extortions or even denial-of-service extortion. Theidentification of a data security may well have a serious impact ona transaction. Moreover, transactions can be impacted by datasecurity incidents occurring before, during and after atransaction. Below we outline some key considerations for each.
An Incident Happened BEFORE a Transaction Started
An Incident Happens DURING a Transaction
An Incident Happens AFTER a Transaction
While far from the totality of privacy and cybersecurityconsiderations for transactions, these topics should help establisha baseline understanding of what to look for and how to approachprivacy and cybersecurity in the current legal environment.
The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circumstances.
Excerpt from:
Privacy And Cybersecurity Risks In Transactions Impacts From Artificial Intelligence And Machine Learning, Addressing Security Incidents And Other...
Read More..