In recent years, the adoption of the General Data Protection Regulation (GDPR) in the European Union (EU), the passing of the California Consumer Privacy Act (CCPA), and several other state-level regulations in the legislatures across the United States have brought privacy regulation into the spotlight. These regulations have come with additional reputational and regulatory risk (e.g., fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity.
Due in large part to public and damaging privacy scandals such as Cambridge Analytica's misuse of Facebook profile data or the breach of consumer information at the credit reporting agency Equifax, the public is asking more than ever where and how their personal information is being used.
When evaluating potential acquisition or merger of target organizations, it is important to scrutinize the risks and benefits of large data sets that contain personal or sensitive information.
While privacy policies will not stop a breach from happening, looking at applicable controls an organization has in place during the due diligence process will serve to make the integration of systems more efficient, highlight any trouble spots where response to regulatory frameworks and requirements do not align, and identify missing controls before integrating disparate systems.
What is the geographic scope of the target organization? How does this change the regulatory landscape?
Based on the physical location of the organization and the types of data it collects, processes, transmits, and stores, an acquisition target may be simultaneously subject to multiple state, federal, international, and industry-specific privacy and compliance standards and laws. As more states and countries consider passing legislation, the privacy regulatory landscape continues to shift and grow more complex. Where a privacy program exists, it must react swiftly and comply with newly enacted legislation, each law bringing its own degree of change and impact.
When assessing a target organization, it is paramount to confirm that the cybersecurity program and controls consider the full geographic scope. Likewise, review your own compliance function to ensure that your organization is ready to handle the added complexity that the acquired company will bring.
The U.S. Federal Trade Commission (FTC) has published clear guidance communicating that regardless of a merger or acquisition, organizations must continue to honor the promises made to consumers in privacy policies. The FTC considers failure to comply with published privacy policies a violation of Section 5 of the FTC Act, which bars unfair or deceptive acts in commerce.
Does the organization share personal data or other protected information with third parties? Do they have an adequate process to implement security and privacy safeguards over that data transfer?
As with related IT and cybersecurity risks, the greater the number of third parties involved in the use of personal or other sensitive data, the more complex compliance with privacy regulations becomes. Some legislative bodies, such as the European Commission and the State of California, have provided specific instructions and definitions around who qualifies as a third party and what requirements need to be in place to meet the letter of the law. Protecting in-scope data necessitates a comprehensive and mature process, inclusive of legal, compliance, IT/cybersecurity, and privacy teams. During due diligence, ensure that the data protection policies and procedures in place are adequate. Otherwise, you may find your organization inheriting significant risk. Moreover, if the acquisition target does not have a robust data protection program in place, ensure that the integration plan includes strengthening this function.
Does the target organization have a process for identifying, classifying, and protecting data based on sensitivity or regulatory requirements?
Many organizations struggle after a breach because they do not have existing analysis and robust data mapping capabilities in place to proactively identify data in use or storage. Additionally, data is collected at such a rapid pace and volume that keeping track of what the organization currently possesses is an ongoing challenge. With potentially dozens of “data owners” and disconnected systems, it is difficult to identify what has been collected, where it is stored, how it is being used or processed, and if proper notice has been provided to customers.
During due diligence, review the data classification process and confirm that the organization has a good understanding of what it uses and stores on behalf of customers. Organizations should maintain robust data governance plans, data architectures, and detailed data flows and maps that demonstrate where sensitive elements exist in the environment and who is responsible for maintaining them.
As unique data protection regulations become more common and add to the requirements for protecting sensitive elements, organizations must consider how much such data they store and what they share with third parties, which is critically important during any merger or acquisition. Privacy and data governance capabilities should be an area of focused attention when conducting due diligence on a potential target organization and throughout the integration process.
To learn more, see our guidebook "Avoiding Cybersecurity Risk Through Enhanced Due Diligence".