Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.
The past few years have witnessed the unprecedented rise of Big Data. Fully 90 percent of today’s data was created over just the past two years. Businesses now double the amount of data they capture and store every 1.2 years. And every two days we create as much information as we did from the beginning of time until 2003. Much of the data collected by companies today contains sensitive and/or protected information. This can consist of everything from employee data, intellectual property and financial information to credit card information and data subject to litigation holds.
Unfortunately, far too many companies do not know the extent of the information they possess or where it is located. They also have stores of antiquated media, which may or may not contain accessible data. Many have never assessed the security of their computer networks or implemented policies affecting the collection, use and disposal of information.
The past year has also witnessed the re-emergence of mergers, acquisitions and similar corporate deals at a rate not seen since before the financial downturn in 2008. But because of the rise of Big Data and information-related liability, due diligence practices today should not be a return to business as usual for acquiring or target companies. Information management, privacy and information security should be addressed in modern corporate transactions.
When selecting deal counsel, are you evaluating their ability to identify digital risks (do they have templates and checklists for privacy and security issues)? Or do you need to bring in a specialist as co-counsel?
If you are the acquirer, how are you evaluating risks, what representations do you need and, when it becomes crunch time, how do you prioritize what is a must and where you can give? Can you negotiate for a chance to do an actual compromise assessment of the company’s network before buying, or are you relegated to only reviewing their policies?
If you are selling, how far can you go on representations and indemnity? Do you know enough about your data, how you’re handling it and how you’re managing its use to make accurate disclosures to a potential buyer?
We assist our clients with due diligence practices tailored to client demand according to the size, complexity and sensitivity of the deal. We have helped clients address and appropriately modify representations and warranties associated with customer, supplier and third-party data. We have helped address inquiries regarding website data collection, use, storage, and related security and privacy implications. We have advised on appropriate deal scope, as well as final deal structuring and choice of acquisition vehicle (e.g., domestic subsidiary, international parent, asset purchase, etc.). And we offer a structured approach that can assist with detailed due diligence analysis, from initial target employee interviews and data mapping all the way through post-deal integration efforts.
No deal-maker wants to buy a breach or compromised data set that will results in years of costly litigation, especially if those issues could have been identified during the due diligence process. Information governance inquiries aimed at uncovering the big risks that might be associated with Big Data should be an important component of today’s corporate deal-making processes.