Privacy Battles in M&A Transactions Kate Black Greenberg - - PowerPoint PPT Presentation


SLIDE 1

Thursday, May 7, 2020

Privacy Battles in M&A Transactions

Kate Black Greenberg Traurig Jill Green Morris Green Edward Hu TrustArc

SLIDE 2

Speaker

Kate Black

Shareholder, Data, Privacy & Cybersecurity Greenberg Traurig

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Prior to joining GT, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.

SLIDE 3

Speaker

Jill Green

Principal

Morris Green LLC, providing expert privacy and legal consulting services

2014-2020

Deputy General Counsel, Global Privacy Officer - Genomic Health (acquired by Exact Sciences)

Jill holds CIPP/E and CIPP/US certifications

SLIDE 4

Speaker

Edward Hu

Senior Counsel & Data Protection Officer TrustArc

Edward serves as legal and regulatory counsel for the internal privacy and data governance program at TrustArc and also supports the TrustArc privacy solutions product lines. In his prior role at the company, he worked with the privacy, security, and legal teams at dozens of companies seeking to improve or certify their programs against a variety of legal frameworks. He holds CIPM, CIPT, CIPP/E, and CIPP/US certifications.

SLIDE 5

Privacy Battles in M&A Transactions

  • Purpose of Session
    ○ Provide firsthand experience from privacy professionals in the M&A context from beginning to end, as well as the post-close integration.
    ○ Provide a priority list of considerations and practical tips useful for any privacy professional.
    ○ Provide a forum in which conference participants can share their own wisdom regarding privacy considerations in M&As.
  • Presentation Sections
    ○ Due Diligence
    ○ Pre-Close to Day 1
    ○ Post-Close Integration
  • Q&A + Sharing
SLIDE 6

Session Title

The “Why This Matters” Slide

  • According to one report, more than a third (40%) of acquiring companies engaged in M&A discovered a cybersecurity/privacy problem during the post-acquisition integration of the Target
  • More often than not, lawyers ask a battery of out-of-the-box questions not germane to the Target’s actual business
    ○ Overemphasis on data breaches
    ○ Lack of awareness of broader privacy/cybersecurity issues
  • If you’re in-house counsel at the Acquiror, you can’t punt to your outside counsel handling the transaction
  • Changes to the economic climate are likely to result in changes to the corporate landscape.
SLIDE 7

Due Diligence

Navigating the Fog of War

SLIDE 8

Privacy Battles in M&A Transactions

So you’re going to buy a company...

...and you’re in charge of privacy due diligence. How are you going to start?

  • Understand the Target’s business - stat
    ○ Public filings, Google, Target’s website
  • What privacy regs are likely to apply?
    ○ Use a checklist/questionnaire to organize your questions and Target’s responses
  • Lots of examples online - and if you’re using outside counsel, they will have one
SLIDE 9

Privacy Battles in M&A Transactions

The Fog of War...

  • Vulnerability
  • Uncertainty
  • Complexity
  • Ambiguity

...requires agility, analysis, creativity, and resources.

Contributing Factors:

  • What’s your own company’s risk appetite and awareness of privacy risks?
  • What other deal issues are competing for attention?
  • Does the timeline keep changing?
SLIDE 10

Privacy Battles in M&A Transactions

How do you move forward, effectively?

Focus on what you are really trying to achieve: enough knowledge of the Target’s privacy compliance program to provide your CEO a risk-based assessment of maturity and any specific risks to mitigate in the merger agreement or in the closing period.

First steps:

  • Do send that checklist and keep track of responses/holes in documentation
  • Do your own review of public-facing policies
    ○ Are they tailored to the business? Accurate under current law?
    ○ Test the email addresses - does anyone respond if you email privacy@targetco.com? How quickly?
    ○ Ask (but verify) if Target has been on the HHS Wall of Shame, subject to an FTC settlement, or otherwise publicly reported incidents.
    ○ Any mention of adherence to an InfoSec framework (ISO 27001, HITRUST, NIST)? If so, ask for documentation.

SLIDE 11

Privacy Battles in M&A Transactions

Second phase of diligence

  • You’ve received the initial set of responses to your checklist. What are the GASP responses? Where was there no response (this will happen)?
    ○ Pick what matters most; you won’t have time to chase every thread, and you will need to prioritize due to limited time/resources/executive patience with privacy matters
    ○ Modify reps, warranties, and closing covenants accordingly
    ○ Review the draft disclosure schedule: does what you are seeing match your work so far? What’s missing?
  • Get buy-in to schedule one or several calls with the Target Privacy Lead/Compliance Officer
    ○ What if they are not over the wall? Push for this - can’t get adequate visibility without it
    ○ Address your priority list - GASP, missing responses
    ○ Ask open-ended qualitative questions, even as far as “what privacy issues keep you up at night?”

SLIDE 12

Privacy Battles in M&A Transactions

Second phase of diligence, Part Deux

  • Don’t ignore other parts of the data room!
    ○ Finance - review scope of insurance, especially cyberinsurance coverage
      ■ Fact check - are there contracts in place with approved incident response vendors?
    ○ Material contracts
      ■ Is Target a DoD supplier? Look for NIST compliance in the IT folder
      ■ Key customer contracts
        • What are Target’s obligations and is there evidence of compliance? (Does Target have a clear, defined process for reporting incidents to customers?)
      ■ Customer Service & Sales
        • Any SOPs on DSARs?
        • What are marketing practices? Good compliance with CCPA?
      ■ IT/InfoSec
        • Is there a data flow map? What’s the system architecture, and are there appropriate contracts with key suppliers/cloud providers?
      ■ Generally: how sophisticated is Target in contracting? How robust are data protection clauses in templates?

SLIDE 13

Privacy Battles in M&A Transactions

Down to the wire...

  • No one is looking at the diligence checklists anymore
  • Negotiating the merger agreement and the disclosure schedule at the same time
    ○ What reps can you get into the agreement vs. your “to do” list during sign-to-close and post-close integration
      ■ Ideally, reps specifically address compliance with all relevant privacy regimes (and not just a blanket “compliance with laws” rep)
      ■ Reps should require disclosure of past enforcement actions, security incidents, and any legal proceedings in the privacy arena
  • Common ‘last’ issues:
    ○ Materiality qualifiers
    ○ Lookback period (“Since July 1, 2015….”)
    ○ Forward-looking covenants to improve security and privacy practices in the pre-close period
  • Clearly communicate to your client a list of resources needed to resolve major gaps post-close.
SLIDE 14

Privacy Battles in M&A Transactions

So you’re getting bought...

  • First of all, are you, as the leading privacy professional in your organization, over the wall?
  • Second, what are your ethical responsibilities in the diligence process?
    ○ Answer the questions asked, truthfully and with integrity, while reminding yourself that your company is your client
      ■ This is of course true whether or not you are an attorney for the company
    ○ But what if the Acquiror isn’t asking the right questions?
      ■ What are your practical concerns?
      ■ What are the ethical considerations in play, especially for attorneys?
        • Model Rule 4.1
        • But this is not an area for “puffery”
      ■ Make sure the lead negotiating attorney knows this - it’s another data point
  • Same issue - it’s a fog of war, and even a little worse than on the acquiror side!
SLIDE 15

Pre-Close to Day 1

SLIDE 16

Privacy Battles in M&A Transactions

So you signed the deal…

  • Depending on what happened during the fog of war, you may be in a variety of situations
    ○ As an acquiror, you might…
      ■ Have a robust understanding of the Target’s maturity level and any associated risks relating to privacy and InfoSec programs; or...
      ■ Have a sense of Target’s compliance level, and a good list of follow-on questions and “to dos” to start with
      ■ Have only the level of information that you could find publicly, with no real input from Target
    ○ As a Target, you might…
      ■ Be very curious about the acquiror’s own privacy/InfoSec program. After all, you didn’t get to ask any questions!
      ■ Be completely unmotivated to help with the integration process. After all, you just got bought!
  • Role of in-house legal team v. outside counsel
    ○ Once the deal is signed, internal counsel has to build relationships with their new colleagues. Outside counsel may be in a better position to play “bad cop”.
SLIDE 17

Privacy Battles in M&A Transactions

The Integration Process. In an ideal world…

  • The combination of the two companies takes the best practices of each, to maximize synergies and shareholder value

Show of hands - how often does this happen??

SLIDE 18

Privacy Battles in M&A Transactions

No matter which side you’re on, your task is singular: INTEGRATE

Step 1: Get a handle on internal structure, politics, and allies.

  • Great time to make friends and influence people.
  • Intended reporting structure?

Step 2: Assess what you’ve learned through the acquisition diligence process.

  • If you acquired, take stock of red flags, gaps, and map regulatory overlap.
  • If you were acquired, you have a lot to learn about your new owner.

Step 3: Get together with your privacy counterparts to set the basics.

  • If leadership allows, now is a great time to get together and learn how the other privacy team works, what regulations they have to comply with, and how their program runs.
  • Include any security or IT team members if you can
  • Take time to get to know each other - you’re all on the same team now!
SLIDE 19

Privacy Battles in M&A Transactions

Substantive Investigation

  • Understand Data Flows, Processing Activities, and Key Business Data Needs
  • Key 5 Compliance Issues
    ○ Regulatory obligations of each entity
    ○ Contract obligations and management
    ○ Data subject rights requirements and processes
    ○ Security
    ○ Governance & Oversight
      ■ Internal
      ■ External

SLIDE 20

Privacy Battles in M&A Transactions

Next Up: Make a plan

Once you begin to understand the overall privacy program needs, the privacy leadership should make an initial, prioritized plan:

1. What is needed before Day 1?
   a. Are any business critical contracts in need of updating? Do you need to execute an intercompany data sharing exhibit between corporate subsidiaries?
   b. Do DPO or CPO roles need to change?
   c. Assist IT / Security integration to “go-live” on Day 1.
      i. Public website changes
      ii. Internal corporate communication (email, chat, etc.)
      iii. Backend storage and interoperability

SLIDE 21

Privacy Battles in M&A Transactions

First 90 Days

Considering your resource constraints and what you’ve learned, prioritize a set of 5-10 discrete, quantifiable goals for the privacy team in the first 90 days.

  • Goals should focus on the team as well as substantive privacy issues.
  • Accountability & dependencies should be
  • Some common areas of focus include:
    ○ Third Party Risk
      ■ Execute updates to top 20 vendor agreements.
      ■ Execute intercompany data
    ○ Compliance
      ■ Implement compliance repository approach for new combined company.
      ■ Document CCPA compliance requirements for new company.
        • Ex) Is the new group of entities likely to be considered “third parties” under the CCPA? If so, establish a plan for compliance.
    ○ Data Breach
      ■ Update data breach response plan.

SLIDE 22

Post-Close Integration

Operational Considerations

SLIDE 23

Preliminary

1. Plan for a lot of work (project plan, milestones)
2. Integration vs. Segregation
3. Organizational changes
   a. Hybrid vs. Centralized vs. Decentralized
   b. Leverage key personnel (across departments)
   c. Who makes the decisions?
   d. Culture and relationships
4. Philosophical or positional differences
   a. Risk aversion/appetite
   b. Leader/follower
   c. Varying interpretations of law (e.g. CCPA “sale”)

Privacy Battles in M&A Transactions

SLIDE 24

Data Inventory & Mapping

  • Personal information flows
    ○ Foundation and prerequisite to taking action
    ○ Notice, records of processing, determining legal requirements, transfer mechanisms, etc.
  • Be systematic - it pays off
    ○ Every department
    ○ Use key personnel

Privacy Battles in M&A Transactions

Who: Data subjects, recipients, controllers, processors
What: Data elements, IT systems
When: Data retention
Where: Collection, processing, transfers (incl. sales)
Why: Processing purposes, legal bases
How: Security, controls, transfer mechanisms

SLIDE 25

Primary Considerations - Legal Obligations (1 of 2)

  • New regulatory obligations
    ○ Data types (e.g. PHI, special categories)
    ○ Data subjects (e.g. children, CA residents)
    ○ Jurisdiction (e.g. GDPR, CCPA)
    ○ Review each law
  • Contracts
    ○ DPA notice re change to subprocessors
    ○ Review contract notice provisions
    ○ New paper?
    ○ How to prioritize
    ○ How to manage workload

Privacy Battles in M&A Transactions

This image is licensed under the Creative Commons Attribution 2.0 Generic license. https://creativecommons.org/licenses/by/2.0/legalcode
SLIDE 26

Primary Considerations - Legal Obligations (2 of 2)

  • Notices
    ○ Merge privacy notices? Give notice (at minimum any time data handling practices change or individuals’ rights are degraded.)
    ○ Give notice of notice or specialized notice re changes
    ○ Intermingled data - notice for new uses
    ○ Employee privacy notice
  • Data Subject Requests
    ○ Consolidating operations
    ○ Adjusting response times and procedure
    ○ Branding

Privacy Battles in M&A Transactions

This file is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license. Attribution Chris 73 / Wikimedia Commons. https://creativecommons.org/licenses/by-sa/3.0/legalcode

SLIDE 27

Secondary Considerations

  • Update scope of certifications
    ○ SOC, ISO, Privacy Shield, APEC CBPR
    ○ Industry-specific
  • Update internal policies and procedures
    ○ Privacy policy
    ○ BCDR plan and breach insurance
  • Record of Processing (GDPR Art. 30)
    ○ Consider software solution. Going manual? Download the ICO templates.
    ○ https://ico.org.uk/media/for-organisations/documents/2172937/gdpr-documentation-controller-template.xlsx
    ○ https://ico.org.uk/media/for-organisations/documents/2172936/gdpr-documentation-processor-template.xlsx

1. Privacy program management act

Privacy Battles in M&A Transactions

This image is licensed under the Creative Commons Attribution-Share Alike 4.0 International license. https://creativecommons.org/licenses/by-sa/4.0/legalcode

SLIDE 28

Privacy Battles in M&A Transactions

Integrating Privacy Programs - Use a Framework! Why?

1. Checklist manifesto. Even experts with decades of experience use a checklist when there is sufficient risk involved.
2. Blind spots. Each legacy organization may not have a process or policy addressing something that the other requires a process or policy for.
3. Centralized organization. As the organizations transition, projects may fall off, responsibilities may change.
4. Useful for presentation. Presentation to internal stakeholders about the scope of work contemplated or completed.

SLIDE 29

Privacy Battles in M&A Transactions

https://info.trustarc.com/Web-Resource-2020-01-20-Privacy-Data-Governance-Framework_LP.html

SLIDE 30

Privacy Battles in M&A Transactions

Controls-based Framework

(55 Controls under 16 Standards)

Example of Standard: “Enable individuals to choose whether personal data about them is processed. Obtain and document prior permission where necessary and appropriate, and enable individual to opt out of ongoing processing.”

Example of Control: “Ensure consent is clear and conspicuous, freely given, and able to be withdrawn at any time.”

SLIDE 31

Privacy Battles in M&A Transactions

Activities-based Framework

(139 PMAs under 13 Categories)

Example of Category: “Managing Third Party Risk”

Example of Privacy Management Activity: “Maintain a vendor privacy risk assessment process.”

SLIDE 32

Privacy Battles in M&A Transactions

Privacy Management Activity Categories

1. Governance Structure
2. Inventory of PI and Data Transfer Mechanisms
3. Internal Privacy Policy
4. Operationalizing Data Privacy
5. Training and Awareness
6. Managing Information Security Risk
7. Managing Third Party Risk
8. Maintaining Notices
9. DSRs and Complaints
10. New Operational Practices
11. Incident Management and Breach Response
12. Monitoring Data Handling Practices
13. Track External Requirements

https://info.trustarc.com/Web-Resource-2020-01-20-Privacy-Data-Governance-Framework_LP.html

SLIDE 33

Privacy Battles in M&A Transactions

SLIDE 34

Questions + Contact

Jill Green

Principal Morris Green LLC 650-575-7560 jillgreenlaw26@gmail.com

Kate Black

Shareholder Greenberg Traurig BlackK@gtlaw.com

Edward Hu

Senior Counsel & DPO TrustArc 415-992-3137 ehu@trustarc.com