Checklist: Privacy and data security due diligence in M&A (USA)

Updated as of: 11 August 2025

Introduction

This checklist will assist in-house counsel and private practitioners who are responsible for due diligence in the merger and acquisition (M&A) process. The checklist outlines the key privacy and data security issues related to M&A transactions.

The topics covered in this checklist include the purpose and scope of privacy and data security due diligence, key areas of inquiry and review, categories of information to be requested from the target, and review and analysis of due diligence materials.

The checklist addresses the following steps:

  1. Conduct initial evaluation and due diligence preparation
  2. Conduct data and IT assets due diligence
  3. Determine applicable legal obligations
  4. Understand target company’s management of data and IT assets
  5. Review negotiation of transactional agreement
  6. Plan for integration of target’s data and IT assets

The checklist is presented as a list of requirements that you can check off as they are addressed. At the end of each step, there are explanatory notes corresponding to each requirement in the checklist.

The checklist can be used in conjunction with the following relevant references and resources:

For additional information, see How-to guides: How to manage third party supply chain data privacy, security risks, and liability and How to draft a privacy policy, and privacy and data security provisions in contracts.

Step 1 – Conduct initial evaluation and due diligence preparation

No.  Description
1.1  Initial due diligence assessment
1.2  Establish due diligence team
1.3  Establish process for information sharing
1.4  Review sources of information
1.5  Consider exposure and risks to the prospective buyer
1.6  Confirm compliance with legal obligations

Step 2 – Conduct data and IT assets due diligence

No.  Description
2.1  Identify the target’s data and data assets
2.2  Conduct data inventory and classification
2.3  Identify red flags
2.4  Conduct IT asset inventory

Step 3 – Determine applicable legal obligations

No.  Description
3.1  Determine applicable obligations under federal and state laws
3.2  Determine applicable contractual obligations
3.3  Evaluate industry and self-regulatory standards
3.4  Consider applicable obligations for cross-border data transfers
3.5  Conduct a compliance gap analysis

Step 4 – Understand target company’s management of data and IT assets

No.  Description
4.1  Evaluate target’s information security program and policies
4.2  Review data retention and disposal procedures
4.3  Evaluate target’s data incident response program
4.4  Evaluate administrative infrastructure and organizational governance
4.5  Evaluate risk from third-party service providers
4.6  Evaluate results of due diligence

Step 5 – Review negotiation of transactional agreement

No.  Description
5.1  Review standard clauses and form of acquisition
5.2  Resolve, mitigate, or allocate the risk of material issues

Step 6 – Plan for integration of target’s data and IT assets

No.  Description
6.1  Assess the desirability and risks of merging data
6.2  Discuss any integration concerns
6.3  Analyze the effect M&A has on privacy and information security programs and obligations
6.4  Evaluate cost of integration

General notes

Scope and use of checklist

US privacy law in its current state is a patchwork of laws, so not every privacy or data security regulation will apply to every business. Moreover, because every organization handles data differently, each organization will have a different privacy and data security posture. Therefore, take care to evaluate a given organization’s privacy and data security risks and issues during M&A transactions. To properly identify these issues, consider factors including the organization’s structure, industry, product offerings, and jurisdiction of operation.

Additionally, note that this checklist covers only codified privacy laws; it does not cover common law privacy-related issues.

Legal framework

Since much of the emphasis on privacy in the US privacy law environment is on electronic privacy, both privacy and information security laws are relevant to privacy compliance by organizations in the United States.

An organization that operates in more than one jurisdiction will need to be aware of the laws in each jurisdiction. One jurisdiction’s data privacy and security laws may or may not provide a ‘safe harbor’ with regard to compliance with the other jurisdiction’s data privacy and security requirements.

Regularly check for legal updates and review and update your organization’s privacy and data security risk assessments. This is essential to ensure proper data privacy and security due diligence evaluation during M&A transactions.

See further How-to guide: How to determine and apply relevant US privacy laws to your organization.

Importance of privacy and data security due diligence in M&A

Since data is an important business asset, a privacy and data security due diligence review is essential in M&A transactions. The prospective buyer must ensure that the target business has the proper safeguards and procedures in place to protect the value of this asset. A target business’s failure to collect and store data properly may lead to the following additional costs for the prospective buyer:

  • the cost of upgrading or enhancing security systems to ensure the target meets its data security obligations;
  • potential regulatory penalties;
  • potential litigation costs;
  • an unfavorable reputation or public image from data breaches or other data security incidents;
  • costs associated with data breach notifications;
  • loss of customer trust and loyalty; and
  • increased insurance premiums.

As an example of the potential data security risk involved in M&A, Marriott bought Starwood in 2016. It was not discovered during the acquisition due diligence that Starwood’s systems had actually been compromised as early as 2014. The systems of Starwood and Marriott had not yet been integrated when, in 2018, the breach of Starwood’s system was discovered. According to reports, the breach involved up to 500 million guests and included the names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers. The travel histories and passport numbers of a smaller group of guests were also taken.

The costs associated with the breach were significant, including a fine of £99 million (more than $120 million) levied in July 2019 by the UK’s Information Commissioner’s Office (ICO) for violating British citizens’ privacy rights under the GDPR. The ICO specifically cited Marriott’s failure to do due diligence on Starwood’s IT infrastructure as the reason Marriott was being punished for Starwood’s mistakes. The fine imposed by the UK may only be the beginning, since other jurisdictions may also punish the company for its lapses. In addition, a number of class action lawsuits were filed, and both the Marriott and Starwood brands suffered reputational damage.

Step 1 – Conduct initial evaluation and due diligence preparation

The general purpose of due diligence in the M&A context is to allow the prospective buyer to evaluate the prospective target organization and to confirm that the target is suitable for acquisition. The buyer determines what level of risk it finds acceptable and also how to evaluate the potential issues that arise during due diligence.

The objectives of the initial evaluation and due diligence preparation step include detailing the goals of the M&A transaction and the strategic direction for the combined business. The buyer must also clarify the types of information that will be summarized in the final due diligence report and how that information will inform the final recommendations regarding the M&A transaction.

1.1 Initial due diligence assessment

An initial due diligence assessment conducted by the prospective buyer is a preliminary review of the target. An initial assessment may include the following information:

  • the organization and structure of the target;
  • the target’s assets and operations;
  • the target’s intellectual property;
  • the target’s compliance with data and privacy laws and regulations;
  • a list of the target’s physical facilities; and
  • any ongoing litigation in which the target is involved.

Based on the initial assessment, the prospective buyer then determines the privacy and information security issues that it will focus on in the remainder of the due diligence process.

1.2 Establish due diligence team

The due diligence team is generally responsible for obtaining a full understanding of the target’s obligations, including its privacy and data security obligations.

Each member of the due diligence team must be knowledgeable about, and trained in, M&A transactions or data security. The team should have expertise in business, legal, technical, and financial matters. Specific members of the team may include the following:

  • attorneys with different subject-matter expertise, such as antitrust, corporate law, privacy law, and securities law;
  • business managers;
  • technical experts or engineers;
  • IT and infrastructure experts;
  • data security experts; and
  • personnel managers.

The prospective buyer decides on the specific roles and responsibilities of each member on the due diligence team to ensure a faster and more efficient due diligence review.

1.3 Establish process for information sharing

The due diligence team must establish a process for evaluating whether information obtained as part of the due diligence should be shared (including whether to share it with individual employees or members outside of the due diligence team) and, if so, how to share that information.

1.4 Review sources of information

1.4.1 Identify and review sources of information

The due diligence team reviews the information provided by the target and ensures that all of the required sources of information are described with particularity. General sources of due diligence information (ie, information that does not relate specifically to data security) include:

  • financial contracts and other agreements, including customer agreements and compensation agreements;
  • loans and other debts; and
  • employment contracts.

Specific sources of information for privacy and data security issues include the following:

  • data security processes and procedures;
  • data governance structure;
  • privacy policies;
  • data use policies; and
  • past data security incidents.

To obtain detailed information regarding specific areas of interest, the prospective buyer provides a written questionnaire for relevant departments or employees of the target. Such a questionnaire may include the questions set out below.

  • With whom does the target share data, including any third-party contractors?
  • Which employees or systems are responsible for identifying and responding to data security issues?
  • What are the target’s data retention policies?
  • Does the target have a data incident response plan or program?
  • Does the target have a list of privacy or data security complaints from customers?
  • Has the target ever received any official inquiries, or been the subject of any investigations, regarding its privacy and data security practices?
  • Has the target ever received any litigation claims, or defended any litigation, relating to its privacy and data security practices?

1.4.2 Conduct interviews

The prospective buyer then conducts interviews with relevant employees of the target. Interview questions may cover the areas on the written questionnaires, in addition to any further areas on which the prospective buyer requires more information. Interviews may be conducted with a variety of personnel:

  • privacy officers and officials;
  • data security or IT officials;
  • computer systems architects or engineers; and
  • attorneys or regulatory officials.

1.4.3 Commission a data security risk assessment by an independent third party

As part of the due diligence process, the prospective buyer may commission an independent third party to focus on possible risks that exist within the target’s privacy and data security policies. A third-party assessment can also help the prospective buyer focus on relevant policies and procedures.

1.5 Consider exposure and risks to the prospective buyer

When reviewing the shared information, the due diligence team should consider its exposure to the risks listed below.

  • The level of sensitivity of the specific types of information. For instance, information covered by specific regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or covered by multiple layers of regulations, may have a higher degree of sensitivity and merit further examination (including whether the target’s data security policies are sufficient).
  • Whether the information shared by the target is shared securely with the due diligence team. Encryption and other security methods and procedures should be used to protect sensitive information under review.
  • Whether a large volume of data is shared. Sharing large volumes of data raises the risk of damage in the event of a data security incident or breach.

1.6 Confirm compliance with legal obligations

The due diligence team is responsible for determining whether the target is in compliance with all relevant laws regarding the collection and use of customer data.

1.6.1 Applicability of local laws or regulations

A target located in the United States must store or communicate data in compliance with relevant state and federal laws. Any disclosures of personal information before closing the transaction must comply with all relevant state laws, as well as the target’s contractual obligations or promises. Any failure to comply with privacy policies may be a violation of section 5 of the Federal Trade Commission (FTC) Act (15 USC section 45) and other regulations, including the California Online Privacy Protection Act (CalOPPA).

1.6.2 Target’s operations in non-US jurisdictions

A target that operates in non-US jurisdictions will likely face separate or additional privacy or data security requirements. For instance, under European Union (EU) law, any disclosure of data that relates to identifiable individuals must comply with the EU General Data Protection Regulation (GDPR).

Step 2 – Conduct data and IT assets due diligence

The general purpose of conducting data and IT assets due diligence is to understand the legal position of the target’s data assets, so as to protect the prospective buyer against any possible future surprises or associated risks. Objectives for due diligence include the following:

  • determining the valuation of data and IT assets and liabilities;
  • assessing risks within the target’s data and IT infrastructure and policies;
  • identifying areas for further investigation; and
  • deciding whether to pursue the M&A transaction.

Data and IT assets due diligence generally encompasses the following categories:

  • collection and storage of data assets;
  • data protection and privacy policies;
  • data security and cybersecurity measures; and
  • litigation matters and regulatory compliance.

The due diligence team determines whether any gaps exist in the target’s data processes, including cybersecurity. These must be addressed before purchase.

2.1 Identify the target’s data and data assets

Data and data assets include any document or system that affects the target’s collection, storage, or use of data. Examples of such data and data assets include:

  • data from business partners or other third parties, including customer data;
  • privacy and data protection policies and procedures;
  • cybersecurity measures and systems; and
  • data protection and cybersecurity insurance coverage.

2.2 Conduct data inventory and classification

The due diligence team prepares an inventory of all data obtained, stored, disclosed, and used by the target. The inventory should map the specific data or data type with its storage location to enable the team to easily identify the target’s applicable data obligations.

Categorize each piece of data for ease of identification and review. The following types of categories can be included in a data inventory:

  • names of data owners;
  • storage location of the data;
  • how long the data will be stored;
  • type of data (eg, data relating to other businesses or data relating to customers);
  • how the data was collected;
  • how, and under what circumstances, the data can be used; and
  • access and deletion policies for the data.

2.3 Identify red flags

The due diligence team documents any red flags that arise during the due diligence review, such as:

  • undocumented or improperly documented privacy or data security practices;
  • lack of audits, especially for processes that require specific legal or other regulatory compliance;
  • lack of defined security systems;
  • lack of proper authentication or password controls; and
  • lack of privacy or data security integration within other business practices.
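As an added example that is not part of this checklist or any firm’s tooling, the following Python sketch encodes the inventory categories from 2.2 (owner, storage location, retention period, data type, collection method, permitted uses, access and deletion policies) as a record type and runs the 2.3 red-flag checks over it, so that a due diligence team can see gaps per asset and per storage location. The field names, the policy retention limits, the list of sensitive categories and the sample records are all assumptions constructed for illustration.

```python
"""Data inventory with red-flag checks (illustrative, hypothetical model)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed classification: categories that merit heightened scrutiny (cf. 1.5)
SENSITIVE_CATEGORIES = {"health", "payment", "government_id", "biometric"}
# Assumed retention limits (days) from a hypothetical retention policy
MAX_RETENTION_DAYS = {"payment": 365, "health": 6 * 365}


@dataclass
class DataAsset:
    """One inventory record; field names mirror the 2.2 categories (assumed)."""
    name: str
    category: str                    # data type, e.g. "customer_contact", "health"
    owner: Optional[str]             # accountable person or team; None = nobody named
    storage_location: str            # system or vendor where the data lives
    retention_days: Optional[int]    # None = no documented retention period
    collection_method: str           # e.g. "web form", "partner feed"
    permitted_uses: list[str] = field(default_factory=list)
    access_policy: Optional[str] = None
    deletion_policy: Optional[str] = None
    encrypted_at_rest: bool = False
    mfa_required: bool = False
    last_audit: Optional[str] = None  # ISO date; None = never audited
    shared_with: list[str] = field(default_factory=list)


def red_flags(asset: DataAsset) -> list[str]:
    """Return the 2.3-style red flags that apply to a single record."""
    flags = []
    if asset.owner is None:
        flags.append("no data owner named")
    if asset.retention_days is None:
        flags.append("no documented retention period")
    if asset.access_policy is None or asset.deletion_policy is None:
        flags.append("access or deletion policy undocumented")
    if not asset.permitted_uses:
        flags.append("permitted uses undocumented")
    if asset.last_audit is None:
        flags.append("never audited")
    if asset.category in SENSITIVE_CATEGORIES:
        if not asset.encrypted_at_rest:
            flags.append("sensitive data stored without encryption at rest")
        if not asset.mfa_required:
            flags.append("sensitive data accessible without MFA")
    limit = MAX_RETENTION_DAYS.get(asset.category)
    if limit is not None and asset.retention_days is not None \
            and asset.retention_days > limit:
        flags.append(f"retention {asset.retention_days}d exceeds policy limit {limit}d")
    return flags


def inventory_report(assets: list[DataAsset]):
    """Map asset name -> red flags (only assets with findings) and
    storage location -> asset names, so gaps can be traced to a system."""
    findings: dict[str, list[str]] = {}
    by_location: dict[str, list[str]] = {}
    for a in assets:
        by_location.setdefault(a.storage_location, []).append(a.name)
        f = red_flags(a)
        if f:
            findings[a.name] = f
    return findings, by_location


# Constructed sample records (not real data)
SAMPLE_ASSETS = [
    DataAsset("customer_contacts", "customer_contact", "Marketing", "crm-saas", 730,
              "web form", ["marketing"], "role-based", "on request",
              encrypted_at_rest=True, mfa_required=True, last_audit="2024-11-01",
              shared_with=["email vendor"]),
    DataAsset("patient_records", "health", "Clinical Ops", "onprem-db", None,
              "intake form", ["treatment"], "role-based", None,
              encrypted_at_rest=True, mfa_required=False, last_audit="2023-05-10"),
    DataAsset("card_numbers", "payment", None, "legacy-pos", 1825,
              "pos terminal"),
]

if __name__ == "__main__":
    findings, by_location = inventory_report(SAMPLE_ASSETS)
    for name, flags in findings.items():
        print(name)
        for flag in flags:
            print("  -", flag)
    print("assets by storage location:", by_location)
```

Run as-is, the report is empty for the well-documented contact list, lists three gaps for the health records (no retention period, no deletion policy, no MFA) and seven for the legacy payment store, which is exactly the kind of per-asset listing the team needs when deciding which findings go into the final due diligence report.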

Undiscovered data breaches may result in the prospective buyer paying monetary penalties or becoming embroiled in litigation after the M&A transaction is completed. A history of data breaches, hacks, or other similar attacks may indicate that the target’s privacy and data security systems and policies are inadequate and must be strengthened. The prospective buyer should determine whether the target has maintained records of each past data breach, including any notifications to regulators or other legal officials, and communications with customers or others affected by the breach.

The due diligence team should also determine if regulatory authorities are currently investigating the target for privacy or data security-related issues. Such investigations may affect the target’s valuation or cause additional issues for the prospective buyer after completion of the transaction.

Similarly, the due diligence team should determine if there is current privacy or data security-related litigation in which the target is involved. This is especially relevant if the target is defending itself against claims for breach of privacy or data security. Ongoing litigation may affect the target’s valuation, or it may result in saddling the buyer with additional costs for defense of the claims after purchase.

2.4 Conduct IT asset inventory

Generally, an IT asset encompasses any information, computer system, or computer hardware used for information or data management. The prospective buyer should conduct an inventory of all on- and off-site IT assets to ensure that proper security systems are in place.

The due diligence team should also recognize any new or innovative IT assets developed or used by the target. These assets may include systems, devices, or software that have been specially designed or modified for the target’s particular business purposes. If the target utilizes novel or emerging technologies or services, the prospective buyer must take care to ensure that these services will be in compliance with the target’s data security obligations. This is especially important for new, relatively untested technologies that involve the collection, sharing, and use of personal identifying information.

Step 3 – Determine applicable legal obligations

Determining the target’s applicable legal obligations involves ascertaining which privacy and data security obligations govern the target’s data collection, storage, and data use processes. Both the target’s physical location, as well as the locations of its affiliates, and the locations of the target’s customers will be relevant. In the case of multinational corporations, the target may have different obligations in different jurisdictions. The purpose of determining the target’s privacy and data security obligations is to find out whether the target is compliant with all applicable obligations, and the end goal is to assess the compliance risks of buying the target. If the target is not compliant, the prospective buyer may be exposed to fees and penalties after closing the transaction.

3.1 Determine applicable obligations under federal and state laws

To determine the target’s applicable obligations under US federal and any state law, the due diligence team evaluates which federal and state laws apply to the target and which aspects of the target’s data processes are governed by which law. See further How-to guide: How to determine and apply relevant US privacy laws to your organization.

3.2 Determine applicable contractual obligations

The due diligence team determines applicable obligations that arise from contracts or agreements that the target has made with other companies.

3.3 Evaluate industry and self-regulatory standards

The prospective buyer assesses which standards are prevalent in the industry applicable to the data collected and used by the target, and whether the target’s operations are consistent with those standards.

The prospective buyer also considers the standards applicable to each market in which the target operates. These standards may be published by industry associations or may be mandated by specific jurisdictions.

3.4 Consider applicable obligations for cross-border data transfers

The prospective buyer considers whether the target engages in any cross-border data transfers. If so, the due diligence team should determine whether the target is fulfilling all of its obligations in transferring such data. If the target transfers data between the EU and the United States, note that on July 17, 2023, the FTC and the European Commission issued an adequacy decision on the EU-U.S. Data Privacy Framework (DPF). This new voluntary Framework, which replaces the Privacy Shield program, provides a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law.

3.4.1 The EU and its member states

The EU has special rules relating to the transfer of personal data outside the EU. These provisions are generally governed by the GDPR. Note that individual EU member states may impose stricter requirements. Under the GDPR, data transfers may be achieved through various mechanisms:

  • adequacy decisions, in which the EU determines that a non-EU country has an adequate level of data protection such that further safeguards are not necessary;
  • contractual clauses that satisfy the requisite data protection requirements (together with supplementary measures as appropriate);
  • where appropriate safeguards have been provided, which include binding corporate rules and certification mechanisms; and
  • pursuant to certain derogations, including where an individual has explicitly consented to the transfer after being informed of the risks of the transfer.

3.5 Conduct a compliance gap analysis

For each different type of data, the due diligence team identifies whether gaps exist in the target’s compliance with its obligations and, if so, how to address those gaps. See How-to guide: How to determine and apply relevant US privacy laws to your organization.

Step 4 – Understand target company’s management of data and IT assets

The prospective buyer considers how the target manages its data and IT assets, including the relevant procedures that govern their operation and use, in order to assess the potential risks and vulnerabilities of the target’s data and IT asset management systems.

The due diligence team then reviews the target’s data and IT asset management processes and lists all applicable procedures and security systems in place for each asset. The team must verify the sufficiency of these procedures and systems and whether they require improvements or upgrades.

4.1 Evaluate target’s information security program and policies

The prospective buyer’s due diligence team examines the details of the target’s information security program. Such a program should generally include a list of initiatives and projects that help the target protect its business procedures, assets, and data.

The due diligence team should also examine the target’s privacy policies, notices, statements, and information security policy and whether the target is complying with its own policies and its legal obligations.

  • The target’s privacy policies should state how the target collects, handles, and processes the data of its customers.
  • The target’s privacy notices should be based on the target’s privacy policies and should define permissible and impermissible data collection and storage activities.
  • The target’s privacy statements can be posted publicly, such as on the target’s website, and must reflect the target’s data collection and use policies. The statements must be clear, direct, and have minimal or no legal jargon.
  • The target’s security policy should include guidelines on how the target uses IT assets and resources, as well as how those assets are internally managed and protected. A review of the target’s security policy should also consider workplace policies such as ‘Bring Your Own Device (BYOD)’ policies. The due diligence team should document any red flags that arise during a review of the target’s BYOD policies, including the following:
    • undocumented or improperly documented devices;
    • lack of security procedures or software installed on such devices;
    • lack of audits to ensure employee devices meet relevant privacy and data security standards; and
    • lack of privacy or data security integration within other business practices.

4.2 Review data retention and disposal procedures

The due diligence team must determine the target’s data retention and disposal procedures and whether the target is complying with those procedures. The procedures should set out the following:

  • how the target retains and stores data;
  • for how long the target stores data;
  • how the target protects against misuse, damage, and inadvertent destruction of such data; and
  • how the target disposes of data.

The due diligence team must also determine if the Fair and Accurate Credit Transaction Act of 2003 (FACTA) disposal rule applies to the target and, if so, whether the target complies with its requirements. The disposal rule requires companies to take reasonable measures to protect against unauthorized access to, or use of, consumers’ information in connection with its disposal.

The due diligence team must also examine if US state laws apply to the target and, if so, whether the target complies with these laws. See further How-to guide: How to determine and apply relevant US privacy laws to your organization.

4.3 Evaluate target’s data incident response program

A data incident response program is a written plan that helps employees recognize, and respond to, cybersecurity incidents such as data breaches or data hacks.

The due diligence team should ensure that the data incident response program contains adequate incident management procedures. These should include an incident management team or manager that oversees actions during detection, containment, and recovery of an incident. Additionally, the target must have procedures in place for each phase of the incident response process (ie, preparation for cybersecurity incidents, identification of such incidents, containment, eradication, recovery of lost or stolen data, and lessons learned for future planning).

The due diligence team should also ensure that the target has policies in place for data breaches, including responses to different types of breaches. A data breach response should include processes to identify:

  • the type of breach (eg, whether due to theft or improper or unauthorized dissemination);
  • cause and timing of the breach;
  • the types or sources of data that are affected;
  • the computer or security systems affected;
  • the extent of data exposure;
  • affected stakeholders or individuals; and
  • remediation steps and timeline for resolution.

4.4 Evaluate administrative infrastructure and organizational governance

The prospective buyer determines how the target has organized its administrative and management infrastructure, including the target’s organizational chart and the different responsibilities for each department. The due diligence team should review the documents listed below.

  • Documented policies relating to administrative issues, including human resources (HR) policies. The team should ensure that the target complies with its own policies.
  • Public-facing statements regarding administrative, business, and organizational issues. The team should ensure that the target complies with its own statements.
  • Any assessment reports that have been commissioned regarding the target’s administrative or organizational structure. The team should review any recommendations made by these reports and determine if the target has followed up on these recommendations.
  • Any audits, including any independent external audits, to determine if the target has followed up on any recommendations made by auditors. The team should also independently determine if there are any potential areas of risk or vulnerability highlighted by the audit logs and records that have not been addressed.
  • Any certifications held by the target, to ensure that they are current. For instance, if the target requires International Organization for Standardization (ISO) certifications for specific products or procedures, the team should ensure that the target remains in compliance with those certifications.
  • The target’s general governance structure and how employees are trained. Training schedules and content should be examined to ensure that the target’s employees are properly trained on all issues that could expose the prospective buyer to risks or liabilities, including data and privacy protections. The team must also determine if training modules and programs are sufficient to inform employees of their respective roles and responsibilities.

4.5 Evaluate risk from third-party service providers

The prospective buyer must assess the level and type of risk that arises from the target’s contracts and agreements with third-party data service providers. Using and relying on such service providers introduces additional security considerations, and may impose a heightened risk of privacy issues and data breaches. Examples of third-party service providers include the following:

  • internet and data storage providers, including cloud service providers;
  • telephone and telecommunication service providers; and
  • IT or administrative service providers.

If the target uses such service providers, the due diligence team should determine the types of data for which the target uses such service providers. They should then review the related risks and consider the points below.

  • Assess the target’s current contracts with third-party service providers, to determine whether they contain adequate data security protection clauses.
  • Do any cross-border data transfer restrictions apply due to the target’s use of third-party service providers? This may occur, for example, if the third-party provider or its data storage assets are located in another jurisdiction.
  • Do the target’s contracts with third-party providers result in additional or more complex legal obligations or compliance issues that the target must fulfill? If so, the team must determine whether the target is currently meeting these obligations.

4.6 Evaluate results of due diligence

The due diligence team must evaluate the results of the due diligence investigation, focusing on the risks, liabilities, and business issues that may arise during and after completion of the M&A transaction.

4.6.1 Potential legal liabilities

Both ongoing investigations by regulatory authorities and ongoing private litigation may give rise to liabilities that the prospective buyer will inherit after closing the transaction. The risks of these liabilities, including potential fines and damage awards, should be closely reviewed by the due diligence team.

4.6.2 Indemnification

The due diligence team also reviews any contracts, agreements, or other situations in which the target has promised to indemnify or compensate a third party for data security or privacy matters. Such indemnification clauses or agreements could result in additional expenses for the prospective buyer. The team should review the conditions that would trigger any indemnification, and whether caps exist on indemnification payments. 

4.6.3 Do the results justify cancelling the transaction?

Based on the above analysis, the due diligence team must decide whether the results of the investigation, including the potential business risks and legal risks, justify cancelling the M&A transaction or allowing it to proceed. The team should also consider whether the identified risks or potential risks can be dealt with through appropriate language or indemnities in the merger agreement. The team’s recommendation should be set out in writing and provided to management officials of the prospective buyer.

Step 5 – Review negotiation of transactional agreement

The prospective buyer reviews the M&A transactional agreement to ensure it adequately protects the buyer from potential privacy and data security issues. The goal is to assess whether the target’s potential data security risks and vulnerabilities are sufficiently covered in the agreement and whether the prospective buyer is protected against legal exposure. The prospective buyer should ensure that the target makes specific representations and warranties that cover privacy and data security, including those issues uncovered during due diligence. In addition, the agreement’s representations and warranties should address the target’s compliance with existing legal obligations. The agreement should affirmatively state whether the target is in compliance and, if not, whether the target makes specific warranties regarding the obligations for which it is not in compliance.

The transaction agreement should also contain statements and indemnities regarding historical situations, including any of the following:

  • past data breaches or security incidents;
  • past regulatory investigations; and
  • past litigation.

The transaction agreement can also contain additional statements that clarify the understanding of the parties with respect to the target’s current privacy and data security situation.

5.1 Review standard clauses and form of acquisition

The prospective buyer reviews the M&A transactional agreement to ensure that standard or boilerplate clauses do not expose it to additional risk or vulnerabilities that have not been identified. Such standard clauses include the following:

  • contract interpretation clauses;
  • termination clauses;
  • jurisdiction clauses; and
  • dispute resolution and damages clauses.

A standard jurisdiction or dispute resolution clause could, for example, require that all disputes be submitted to arbitration, or could require that any dispute resolution be done in an inconvenient, distant jurisdiction. A standard contract interpretation clause may lead to the contract being interpreted according to the laws of a jurisdiction that is unfavorable to the buyer. If the transaction is structured as an asset purchase rather than a merger (ie, the prospective buyer purchases all of the assets of the target, rather than purchasing the target as an entity), the due diligence team should review the asset purchase clauses to ensure this does not lead to increased exposure to privacy and data security risks or obligations.

5.2 Resolve, mitigate, or allocate the risk of material issues

Based on its review of the transaction agreement, the prospective buyer flags any material issues and works with the target to reduce or mitigate potential privacy and data security risks. This may involve the prospective buyer and the target engaging in separate or additional negotiations to arrive at a mutually agreeable resolution or ensuring that one or both parties address any outstanding privacy or data security vulnerabilities, especially ones that have arisen during due diligence. Finally, the prospective buyer can allocate risk to minimize its own exposure. For instance, the buyer can ensure that the transaction agreement contains provisions stating that one party or another assumes the responsibility for certain privacy or data security obligations.

Step 6 – Plan for integration of target’s data and IT assets

The goal of planning for the integration of the target's data and IT assets is to determine whether these assets can and should be integrated with existing systems or databases. Privacy and data security obligations must continue to be met during any merger or disposal of data.

The due diligence team determines if, and how, to integrate the target’s assets after completion of the transaction. The team must evaluate whether any assets are redundant and, if so, whether they can be safely combined with existing systems. Additional integration issues include the following:

  • technical ease or difficulty of integration;
  • ensuring sufficient security during the integration process;
  • specifying the employees or departments responsible for the integration; and
  • ensuring proper disposal of data for any non-integrated systems.

6.1 Assess the desirability and risks of merging data

Review any prospective merger of data carefully to ensure that the merger is technologically feasible and does not result in increased risk exposure. The due diligence team should create a list of benefits and risks that may result from any data merger. If the risks outweigh the benefits, the team should evaluate alternative options.

The due diligence team should also examine any potential incompatibilities between the buyer’s and the target’s data and IT assets, considering both hardware and software incompatibilities. The team must also consider any technical options that will resolve, or lessen, those incompatibilities.

The due diligence team should also review the planned integration or disposal of the target’s data and IT assets to ensure that the prospective buyer does not encounter unexpected risks.

6.2 Discuss any integration concerns

The due diligence team should present a report regarding concerns relating to the integration of the target’s data and IT assets, as well as suggestions for mitigating or remedying these issues. They should present the report to the members of the prospective buyer’s management in charge of overseeing and managing the M&A agreement.

6.3 Analyze the effect M&A has on privacy and information security programs and obligations

The overall purpose of reviewing the effect of the M&A transaction on the target’s privacy and information security programs is to learn whether the transaction will have negative impacts on the management of privacy and data security, and to determine whether those impacts are reparable. These impacts could be technical or they could relate to incompatible organizational cultures regarding data security. The risk of such a ‘culture clash’ is especially pronounced in transnational M&A transactions. Identifying the negative impacts will help the buyer take steps to minimize legal risk and exposure.

6.4 Evaluate cost of integration

The due diligence team should consider the cost of integrating the target’s systems. This cost includes the following:

  • monetary cost of new hardware or software;
  • cost of new employee training, including potential hours of lost productivity;
  • budgeting for potential integration delays that may affect business operations;
  • consultant or contractor fees for integration assistance;
  • compatibility testing and troubleshooting expenses; and
  • upgrading existing infrastructure to support new systems.

Additional resources

Related Lexology Pro content

How-to guides:

  • How to determine and apply relevant US privacy laws to your organization
  • How to manage your organization’s data privacy and security risks
  • How to implement privacy by design within your organization
  • How to develop, implement, and maintain a US privacy law compliance program
  • How to develop, implement and maintain a US information and data security compliance program
  • How to evaluate the effectiveness of a data security or data privacy compliance program
  • How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
  • How to draft a privacy policy, and privacy and data security provisions in contracts
  • How to manage third party supply chain data privacy, security risks, and liability
  • Incident response plan readiness and identification of a reportable data breach
  • How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws

Checklists:

  • Understanding privacy laws in the US
  • Completing a data privacy risk assessment
  • Drafting internal privacy policies and procedures
  • Completing a data and information security risk assessment
  • Drafting a consumer privacy policy
  • Developing key privacy and data security contractual terms and provisions (B2C)
  • Privacy and data security law training
  • Completing a data incident response plan assessment
  • Responding to a data breach

Quick views:

  • Key data privacy and data security terms
  • Collection and use of non-consumer data
  • Regulation of data brokers
