Show me your data — the new precondition to M&As

---

GUEST:

In 2017, the total value of merger and acquisitions (M&As) exceeded three trillion dollars. Some of the more notable M&As in the past year include Amazon’s acquisition of Whole Foods, Intel’s purchase of autonomous vehicle tech firm Mobileye, and Verizon’s acquisition of Yahoo, which became a high-profile example of the cost undisclosed data breaches have on valuations — in this case a $350 million drop in the final price tag.

To better prepare for the growing threat against corporate, customer, and employee data, companies are enforcing new data management and protection practices. One such change is the practice of requiring that each party in an M&A transaction demonstrate compliance with industry privacy and security standards before finalizing a deal. Under the new precondition, buyers and sellers are making more granular requests for visibility into the other side’s entire information repository and lifecycle to safeguard their own business assets and brands.

While the extent of required compliance varies with each buyer, seller, and deal, it is a key component now nonetheless. From pre- to post-M&A, all parties should consider how their privacy and data security posture could have a material effect on the proposed deal. To that end, here are a few key points to consider when you’re entering a deal:

• Visibility into the entire information life cycle – How does a company that is contemplating an M&A collect, store, encrypt, and destroy personal data? What information is stored on what systems, and for how long? How is the information inventoried, mapped, and categorized? How, and with whom, is data shared? These are threshold questions for which any acquirer or target company should have answers.
• What types of data – What types of personal data would potentially be involved in the transaction? For example, does the deal involve direct marketing contact information, personal data originating from new markets, or sensitive data that could subject the company to new, industry-specific laws?
• Merging corporate data – Is it a transactional goal that one company will become fully incorporated into another, thereby merging the two distinct data sets, or will the target remain a standalone unit that continues to operate as a discrete division with segregated personal data?
• International data transfers – What are the parties’ legal transfer mechanisms for cross-border personal data transfers? Would the merger itself lead to a cross-border transfer of personal data and, if so, would any country-specific laws then come into play, such as from China or Russia?
• History of data breaches and the risk of compromised data – Are all transactional parties prepared to provide a history of any known or suspected data incidents or cyberattack attempts, and the responses to all? Beyond just corporate reputation, compromised data could mean any underlying intellectual property’s value has been diminished or that other vectors of attack may exist.
• Breach response plans and encryption – Are data security plans such as breach response, disaster recovery, and business continuity in place and tested? What levels of encryption are used throughout the organization and how is this determined and monitored?
• C-suite buy-in – Do the directors, officers, and executives have access to appropriate internal and external resources to help them evaluate data privacy and security issues and make informed business decisions? Have they allocated budgetary resources for personnel and technology solutions needed to automate privacy-compliant best practices well in advance of a transaction?

In a world of growing cyber threats and attacks, these privacy and data security considerations actually go far beyond just M&As. They can help businesses understand the ramifications of worst case scenarios and for evaluating the impact of data security and privacy solutions and policies on company value. Regulators are also more acutely monitoring companies’ privacy practices and statements. For instance, the EU General Data Protection Regulation (GDPR), the most sweeping change to data protection in the past 20 years, will impact any U.S. company that handles EU resident data. Failure to comply with GDPR by the mandated May 25 deadline may lead to fines of up to €20 million or 4 percent of global annual turnover, whichever is higher.

In today’s business climate, not adhering to privacy and data protection practices risks leaving money on the table in M&A deals, incurring regulatory fines, and losing brand assets.

Chris Babel is CEO of TrustArc.