Mergers and acquisitions are complex and fast-paced transactions with constantly shifting priorities involving massive quantities of documentation, much of it stored electronically. The privacy and security of this electronically stored information (ESI) has come under increased scrutiny as technologists and litigators alike grapple with the growing threat of data breaches. Stories of data theft by professional groups, competing organizations, and even government agencies occur with alarming regularity. Managing cybersecurity risks must be built into the M&A process from the outset.
There are numerous advantages that lead companies to consider a merger or acquisition. Expansion into new geographical regions, adding products or services to an existing offering, and the overall efficiency of operations are just a few of the reasons companies consider an M&A transaction. Underlying each of these desired benefits is a trove of data management issues. Parties to such a transaction must carefully consider a range of technical, regulatory and practical elements, many of which may be unexpected or novel, such as:
- Data stored in international jurisdictions: International data privacy laws can block companies from exporting ESI for review in the United States. Be prepared to address cross-border data handling issues that may arise.
- Personally Identifiable Information (PII): It is likely that client information will be contained in the files to be reviewed during the M&A process. Identify data stores where PII resides early in the process to ensure this information is properly handled and secured.
- Intellectual Property (IP): With many M&A transactions, new products and services will be incorporated into an existing business model. It’s likely that highly confidential IP will be contained in ESI stores. Be sure to take both companies’ privacy and security policies into account when working with this information.
The various types of ESI subject to the M&A process will be routinely handled by the purchasing entity after a successful transaction. Therefore, the protocols surrounding ESI during the initial stages of the M&A process and integration planning will provide a baseline for day-to-day business operations post-merger.
There is good reason to undertake data assessment during the valuation and diligence stages. The sensitive data mentioned above is a highly attractive target for hackers. ESI is often stored in vulnerable repositories with multiple access points. Data can also be widely transferred within buyer and seller organizations, as well as outside an organization to various domestic and international regulatory bodies (where relevant), consultants, and advisors. It is therefore of the utmost importance that measures are taken to secure information. A number of steps should be taken to reduce security risks for deals undergoing regulatory review:
- Review for PII: Before submitting data for agency review, make sure that customer data has been redacted or anonymized. Companies can leverage technology-assisted review (TAR) and auto-redaction technologies for speed, but they must include a QA process in their workflow to ensure accuracy.
- Data encryption: Data is especially vulnerable to breaches during transmission. From collection onwards, all data should be encrypted whether it is transported on physical media or transmitted electronically. For further security once data has been moved to a deal room or electronic review platform, ensure that the platform features data encryption at rest on its servers.
- Mark documents “confidential”: Place language in document Bates stamps and footers using confidentiality endorsements that specify information should be kept confidential, before submitting it to regulators.
- Understand data retention: Be specific in asking regulatory agencies the duration of time that submissions are kept on their servers. Additionally, if possible, obtain an accurate picture of how submissions are destroyed after the retention period has ended.
A final but critical component of cybersecurity that must be considered is the third-party personnel who will be working with data during the process. Be sure to ask vendors, consultants or other parties that will be hosting or handling ESI specific questions relating to staff screening, credentials, and workflows to ensure they are aligned to the corporation’s policies.
While the unexpected will always arise during the M&A process, good planning can greatly reduce the potential for a data breach. Taking a thorough approach to cybersecurity throughout the M&A process will ensure that sensitive data is protected from compromise.