Privacy Battles in M&A Transactions

Thursday, May 7, 2020 · Kate Black (Greenberg Traurig) · Jill Green (Morris Green) · Edward Hu (TrustArc)


Speaker

Kate Black, Shareholder, Data, Privacy & Cybersecurity, Greenberg Traurig

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics.

Prior to joining GT, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.

Speaker

Jill Green, Principal, Morris Green LLC, providing expert privacy and legal consulting services

2014-2020: Deputy General Counsel, Global Privacy Officer - Genomic Health (acquired by Exact Sciences)

Jill holds CIPP/E and CIPP/US certifications

Speaker

Edward Hu, Senior Counsel & Data Protection Officer, TrustArc

Edward serves as legal and regulatory counsel for the internal privacy and data governance program at TrustArc and also supports the TrustArc privacy solutions product lines. In his prior role at the company, he worked with the privacy, security, and legal teams at dozens of companies seeking to improve or certify their programs against a variety of legal frameworks. He holds CIPM, CIPT, CIPP/E, and CIPP/US certifications.

• Purpose of Session
    ○ Provide firsthand experience from privacy professionals in the M&A context from the beginning to end as well as the post-close integration.
    ○ Provide a priority list of considerations and practical tips useful for any privacy professional.
    ○ Provide a forum in which conference participants can share their own wisdom regarding privacy considerations in M&As.
• Presentation Sections
    ○ Due Diligence
    ○ Pre-Close to Day 1
    ○ Post-Close Integration
• Q&A + Sharing

The “Why This Matters” Slide

● According to one report, more than a third (40%) of acquiring companies engaged in M&A discovered a cybersecurity/privacy problem during the post-acquisition integration of the Target
● More often than not, lawyers ask a battery of out-of-the-box questions not germane to the Target’s actual business
    ○ overemphasis on data breaches
    ○ lack of awareness of broader privacy/cybersecurity issues
● If you’re in-house counsel at the Acquiror, you can’t punt to your outside counsel handling the transaction
● Changes to the economic climate are likely to result in changes to the corporate landscape.

Due Diligence: Navigating the Fog of War

So you’re going to buy a company... and you’re in charge of privacy due diligence

How are you going to start?
● Understand the Target’s business - stat
    ○ Public filings, Google, Target’s website
● What privacy regs are likely to apply?
    ○ Use a checklist/questionnaire to organize your questions and Target’s response
        ● Lots of examples online - and if you’re using outside counsel, they will have one

The Fog of War...
● Vulnerability
● Uncertainty
● Complexity
● Ambiguity
...requires agility, analysis, creativity, and resources.

Contributing Factors:
● What’s your own company’s risk appetite and awareness of privacy risks?
● What other deal issues are competing for attention?
● Does the timeline keep changing?

How do you move forward, effectively?
Focus on what you are really trying to achieve: enough knowledge of the Target’s privacy compliance program to provide your CEO a risk-based assessment of maturity and any specific risks to mitigate in the merger agreement or in the closing period.

First steps:
● Do send that checklist and keep track of responses/holes in documentation
● Do your own review of public-facing policies
    ○ Are they tailored to the business? Accurate under current law?
    ○ Test the email addresses - does anyone respond if you email [email protected]? How quickly?
    ○ Ask (but verify) if Target has been on the HHS Wall of Shame, subject to an FTC Settlement, or otherwise publicly reported incidents.
    ○ Any mention of adherence to an InfoSec framework (ISO 27001, HITRUST, NIST)? If so, ask for documentation.

Second phase of diligence
● You’ve received the initial set of responses to your checklist. What are the GASP responses? Where was there no response (this will happen)?
    ○ Pick what matters most; you won’t have time to chase every thread and you will need to prioritize due to limited time/resources/executive patience with privacy matters
    ○ Modify reps, warrants, and closing covenants accordingly
    ○ Review the draft disclosure schedule: does what you are seeing match your work so far? What’s missing?
● Get buy-in to schedule one or several calls with Target Privacy Lead/Compliance Officer
    ○ What if they are not over the wall? Push for this - you can’t get adequate visibility without it
    ○ Address your priority list - GASP, missing responses
    ○ Ask open-ended qualitative questions, even as far as “what privacy issues keep you up at night?”

Second phase of diligence, Part Deux
● Don’t ignore other parts of the data room!
    ○ Finance - review scope of insurance, especially cyberinsurance coverage
        ■ Fact check - are there contracts in place with approved incident response vendors?
    ○ Material contracts
        ■ Is Target a DoD supplier? Look for NIST compliance in the IT folder
        ■ Key customer contracts
            ● What are Target’s obligations and is there evidence of compliance? (Does Target have a clear, defined process for reporting incidents to customers?)
        ■ Customer Service & Sales
            ● Any SOPs on DSARs?
            ● What are marketing practices? Good compliance with CCPA?
        ■ IT/InfoSec
            ● Is there a data flow map? What’s the system architecture, and are there appropriate contracts with key suppliers/cloud providers?
        ■ Generally: how sophisticated is Target in contracting? How robust are data protection clauses in templates?

Down to the wire...
● No one is looking at the diligence checklists anymore
● Negotiating the merger agreement and the disclosure schedule at the same time
    ○ What reps can you get into the agreement vs. your “to do” list during sign-to-close and post-close integration
        ■ Ideally, reps specifically address compliance with all relevant privacy regimes (and not just a blanket “compliance with laws” rep)
        ■ Reps should require disclosure of past enforcement actions, security incidents, and any legal proceedings in the privacy arena
● Common ‘last’ issues:
    ○ Materiality qualifiers
    ○ Lookback period (“Since July 1, 2015….”)
    ○ Forward-looking covenants to improve security and privacy practices in the pre-close period
● Clearly communicate to your client a list of resources needed to resolve major gaps post-close.

So you’re getting bought...
● First of all, are you, as the leading privacy professional in your organization, over the wall?
● Second, what are your ethical responsibilities in the diligence process?
    ○ Answer the questions asked, truthfully and with integrity, while reminding yourself that your company is your client
        ■ This is of course true whether or not you are an attorney for the company
    ○ But what if the Acquiror isn’t asking the right questions?
        ■ What are your practical concerns?
        ■ What are the ethical considerations in play, especially for attorneys?
            ● Model Rule 4.1
            ● But this is not an area for “puffery”
        ■ Make sure the lead negotiating attorney knows this - it’s another data point
● Same issue - it’s a fog of war, and even a little worse than on the acquiror side!

Pre-Close to Day 1

So you signed the deal…
● Depending on what happened during the fog of war, you may be in a variety of situations
    ○ As an acquiror, you might…
        ■ Have a robust understanding of the Target’s maturity level and any associated risks relating to privacy and InfoSec programs; or...
        ■ Have a sense of Target’s compliance level, and a good list of follow-on questions and “to dos” to start with
        ■ Have only the level of information that you could find publicly, with no real input from Target
    ○ As a Target, you might…
        ■ Be very curious about the acquiror’s own privacy/InfoSec program. After all, you didn’t get to ask any questions!
        ■ Be completely unmotivated to help with the integration process. After all, you just got bought!
● Role of in-house legal team v. outside counsel
    ○ Once the deal is signed, internal counsel has to build relationships with their new colleagues. Outside counsel may be in a better position to play “bad cop”.

The Integration Process. In an ideal world…
● The combination of the two companies takes the best practices of each, to maximize synergies and shareholder value

Show of hands - how often does this happen??

No matter which side you’re on, your task is singular: INTEGRATE

Step 1: Get a handle on internal structure, politics, and allies.
- Great time to make friends and influence people.
- Intended reporting structure?

Step 2: Assess what you’ve learned through the acquisition diligence process.
- If you acquired, take stock of red flags, gaps, and map regulatory overlap.
- If you were acquired, you have a lot to learn about your new owner.

Step 3: Get together with your privacy counterparts to set the basics.
- If leadership allows, now is a great time to get together and learn how the other privacy team works, what regulations they have to comply with, and how their program runs.
- Include any security or IT team members if you can
- Take time to get to know each other - you’re all on the same team now!

Substantive Investigation

● Understand Data Flows, Processing Activities, and Key Business Data Needs
● Key 5 Compliance Issues
    ○ Regulatory obligations of each entity
    ○ Contract obligations and management
    ○ Data subject rights requirements and processes
    ○ Security
    ○ Governance & Oversight
        ■ Internal
        ■ External

Next Up: Make a plan

Once you begin to understand the overall privacy program needs, the privacy leadership should make an initial, prioritized plan:

1. What is needed before Day 1?
    a. Are any business critical contracts in need of updating? Do you need to execute an intercompany data sharing exhibit between corporate subsidiaries?
    b. Do DPO or CPO roles need to change?
    c. Assist IT / Security integration to “go-live” on Day 1.
        i. Public website changes
        ii. Internal corporate communication (email, chat, etc)
        iii. Backend storage and interoperability

First 90 Days
Considering your resource constraints and what you’ve learned, you prioritize a set of 5-10 discrete, quantifiable goals for the privacy team in the first 90 days.

● Goals should focus on the team as well as substantive privacy issues.
● Accountability & dependencies should be
● Some common areas of focus include:
    ○ Third Party Risk
        ■ Execute updates to top 20 vendor agreements.
        ■ Execute intercompany data
    ○ Compliance
        ■ Implement compliance repository approach for new combined company.
        ■ Document CCPA compliance requirements for new company.
            ● Ex) Is the new group of entities likely to be considered “third parties” under the CCPA? If so, establish a plan for compliance.
    ○ Data Breach
        ■ Update data breach response plan.

Post-Close Integration: Operational Considerations

Preliminary

1. Plan for a lot of work (project plan, milestones)
2. Integration vs. Segregation
3. Organizational changes
    a. Hybrid vs. Centralized vs. Decentralized
    b. Leverage key personnel (across departments)
    c. Who makes the decisions?
    d. Culture and relationships
4. Philosophical or positional differences
    a. Risk aversion/appetite
    b. Leader/follower
    c. Varying interpretations of law (e.g. CCPA “sale”)

Data Inventory & Mapping

● Personal information flows
    ○ Foundation and prerequisite to taking action
    ○ Notice, records of processing, determining legal requirements, transfer mechanisms, etc.
● Be systematic - it pays off
    ○ Every department
    ○ Use key personnel

Who:   Data subjects, recipients, controllers, processors
What:  Data elements, IT systems
When:  Data retention
Where: Collection, processing, transfers (incl. sales)
Why:   Processing purposes, legal bases
How:   Security, controls, transfer mechanisms

Primary Considerations - Legal Obligations (1 of 2)

● New regulatory obligations
    ○ Data types (e.g. PHI, special categories)
    ○ Data subjects (e.g. children, CA residents)
    ○ Jurisdiction (e.g. GDPR, CCPA)
    ○ Review each law
● Contracts
    ○ DPA notice re change to subprocessors
    ○ Review contract notice provisions
    ○ New paper?
    ○ How to prioritize
    ○ How to manage workload

This image is licensed under the Creative Commons Attribution 2.0 Generic license. https://creativecommons.org/licenses/by/2.0/legalcode

Primary Considerations - Legal Obligations (2 of 2)

● Notices
    ○ Merge privacy notices? Give notice (minimum any time data handling practices change or degradation of individuals’ rights.)
    ○ Give notice of notice or specialized notice re changes
    ○ Intermingled data - notice for new uses
    ○ Employee privacy notice
● Data Subject Requests
    ○ Consolidating operations
    ○ Adjusting response times and procedure
    ○ Branding

This file is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license. Attribution Chris 73 / Wikimedia Commons. https://creativecommons.org/licenses/by-sa/3.0/legalcode

Secondary Considerations

● Update scope of certifications
    ○ SOC, ISO, Privacy Shield, APEC CBPR
    ○ Industry-specific
● Update internal policies and procedures
    ○ Privacy policy
    ○ BCDR plan and breach insurance
● Record of Processing (GDPR Art. 30)
    ○ Consider software solution. Going manual? Download the ICO templates.
    ○ https://ico.org.uk/media/for-organisations/documents/2172937/gdpr-documentation-controller-template.xlsx
    ○ https://ico.org.uk/media/for-organisations/documents/2172936/gdpr-documentation-processor-template.xlsx

1. Privacy program management act

This image is licensed under the Creative Commons Attribution-Share Alike 4.0 International license. https://creativecommons.org/licenses/by-sa/4.0/legalcode


Integrating Privacy Programs - Use a Framework!

Why?

1. Checklist manifesto. Even experts with decades of experience use a checklist when there is sufficient risk involved.

2. Blind spots. Each legacy organization may not have a process or policy addressing something that the other requires a process or policy for.

3. Centralized organization. As the organizations transition, projects may fall off, responsibilities may change.

4. Useful for presentation. Presentation to internal stakeholders about the scope of work contemplated or completed.


https://info.trustarc.com/Web-Resource-2020-01-20-Privacy-Data-Governance-Framework_LP.html


Controls-based Framework (55 Controls under 16 Standards)

Example of Standard: “Enable individuals to choose whether personal data about them is processed. Obtain and document prior permission where necessary and appropriate, and enable individual to opt out of ongoing processing.”

Example of Control: “Ensure consent is clear and conspicuous, freely given, and able to be withdrawn at any time.”


Activities-based Framework (139 PMAs under 13 Categories)

Example of Category: “Managing Third Party Risk”

Example of Privacy Management Activity: “Maintain a vendor privacy risk assessment process.”


Privacy Management Activity Categories

1. Governance Structure
2. Inventory of PI and Data Transfer Mechanisms
3. Internal Privacy Policy
4. Operationalizing Data Privacy
5. Training and Awareness
6. Managing Information Security Risk
7. Managing Third Party Risk
8. Maintaining Notices
9. DSRs and Complaints
10. New Operational Practices
11. Incident Management and Breach Response
12. Monitoring Data Handling Practices
13. Track External Requirements

https://info.trustarc.com/Web-Resource-2020-01-20-Privacy-Data-Governance-Framework_LP.html


Questions + Contact

Jill Green, Principal, Morris Green, [email protected]

Kate Black, Shareholder, Greenberg Traurig, [email protected]

Edward Hu, Senior Counsel & Data Protection Officer, TrustArc, [email protected]