COVID-19 Update: How we are continuing to serve our clients

350 Million Reasons to Upgrade Your Privacy and Data Security Practices Before a Corporate Transaction

Is your company considering a transaction to become acquired or to take in additional financing?  If so, the time is now to upgrade your privacy and information security practices before you are in serious discussions or receive a term sheet for the transaction.  One obvious question is:  why now?  Aren’t data protection issues something for the lawyers to handle later in negotiating the agreement and during due diligence?  In answer to the question why now, I have 350 million reasons why now is the best time to tackle data protection challenges.

The 350 million refers to the transaction in which Verizon purchased the web business of Yahoo.  After Verizon found out that Yahoo was in the midst of a data breach at the time of the purchase transaction, Verizon went back to Yahoo and shaved off $350 million from the purchase price.  Simply put, the ongoing weakness in Yahoo’s data protection program reduced the valuation of the business and Verizon wanted to slash the transaction value to reflect that reduction in value.

Executives of a target company that want to avoid taking a haircut later in the value of their M&A transaction or valuation during a financing transaction can prepare now to avoid problems later.  Taking care of data protection concerns now not only preserves valuation for the target company but also:

  • Avoids nasty surprises to the acquiring company or entity providing the financing;
  • Preserves the reputation of the executives of the target company as competent professionals, which may be important for later employment arrangements or future business; and
  • Preserves the reputation of the target company among customers, shareholders, and other stakeholders.

Any acquiring company or entity providing financing will likely want assurances from the target company that:

  • The target company complies with all applicable data privacy requirements in law and agreements, including with respect to transferring personal data across national borders, and it complies with its own privacy policy.
  • The target company complies with all applicable data security requirements in law and agreements, and it complies with its internal security policies and procedures.
  • The target company has implemented and maintains reasonable and appropriate administrative, physical, and technical security safeguards sufficient to protect systems, devices, and data from security threats.
  • The target company has not been the victim of a data breach or significant service outage.
  • The target company is permitted, under applicable privacy laws, to undertake the transaction, which may involve additional access or change of control over personal data in the target company’s possession.
  • The target company has not been sued or investigated by a government agency regarding its data privacy or security practices.
  • The target company’s software or hardware does not contain any security vulnerabilities or malicious code.
  • The target company’s services provide the availability and service levels necessary to meet contractual commitments.
  • There are no undisclosed liabilities (including those involving data protection) that may affect the target company’s business.
  • The target company has proprietary information or nondisclosure agreements with all of its employees and contractors.

The process to upgrade a privacy or security program takes time.  Target companies that put off the process to make needed upgrades until the middle of a negotiation of a deal may find that it is too late to make upgrades before a deal closing.  The result may be a reduction in the deal size or valuation.  To avoid such a reduction, target companies can prepare now for a transaction that won’t occur until later.  Taking a proactive approach can help avoid awkward challenges later.

Stephen Wu has practiced data protection law since 1997, has written or co-written seven books on data protection legal topics, and heads Silicon Valley Law Group’s data protection practice.  He assists with corporate transactions such as mergers, acquisitions, and financing transactions.  He served as Co-Chair of the Information Security Committee of the American Bar Association Science & Technology Law Section from 2001 to 2004, and later served as Section Chair.  For data protection assistance to prepare for a future transaction, please contact Stephen Wu by completing the web form here.

Contact Information