The seller, on the one side, is expected to give representations and warranties in respect of the target business and, therefore, must give appropriate consideration to the increasingly significant field of data security. The buyer, on the other side, must ensure that it conducts appropriate privacy and data security due diligence on the sellers and/or target companies and that the purchase or merger agreement’s provisions (in particular, the R&Ws given by the sellers) adequately address the target business and its past and current practices.
1. Data breach: an underestimated (and partially unknown) phenomenon
Verizon has recently published its “2016 Data Breach Investigations Report” regarding (i) data breaches (incidents that result in the confirmed disclosure and not just potential exposure of data to unauthorized parties) and (ii) information security incidents (security events compromising integrity, confidentiality or availability of information assets) affecting organizations in 82 countries and across a very large number of industries, demonstrating that “no locale, industry or organization is bulletproof when it comes to the compromise of data”.
Some numbers: the 2016 dataset was made up of over 100,000 incidents, of which 3,141 were confirmed data breaches; of these, 64,199 incidents and 2,260 breaches comprised the finalized dataset used in the analysis and figures throughout the Verizon Report. Although it seems a very complex framework, over 90% of the numerous incidents and breaches fell into one of “the nine incident classification patterns” created by Verizon in 2014 on the basis of the recurring combinations of “who” (actors), “what” (assets), “how” (actions) and “why” (motive), among other incident characteristics (wording taken directly from the Report):
(i) Web App Attacks: any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms;
(ii) Point-of-Sale Intrusions: remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets;
(iii) Insider and Privilege Misuse: all incidents tagged with the action category of Misuse—any unapproved or malicious use of organizational resources—fall within this pattern. This is mainly insider-only misuse, but outsiders (due to collusion) and partners (because they are granted privileges) show up as well;
(iv) Miscellaneous Errors: incidents where unintentional actions directly compromised a security attribute of an information asset;
(v) Physical Theft and Loss: any incident where an information asset went missing, whether through misplacement or malice;
(vi) Crimeware: any incident involving malware that did not fit into a more specific pattern. The majority of the incidents that comprise this pattern are opportunistic in nature and have a financial motivation behind them. This pattern frequently affects consumers and is where “typical” malware infections will land;
(vii) Payment Card Skimmers: all incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals, etc.);
(viii) Cyber-espionage: incidents which include unauthorized network or system access linked to state-affiliated actors and/or exhibiting the motive of espionage;
(ix) Denial-of-Service Attacks: any attack intended to compromise the availability of networks and systems. This includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service.
2. Yahoo – Verizon deal: a true story
In addition to the above data and numbers included in its latest annual Data Breach Investigations Report, Verizon directly experienced the increasing importance of addressing the risk of a data breach when negotiating an acquisition.
As many media outlets reported in December 2016, the $4.8 billion acquisition of Yahoo Inc. by Verizon Communications Inc. (announced in July) is currently on hold due to Yahoo’s confirmation in September of two different data breaches (one in 2013 and one in 2014) affecting more than one and a half billion of its user and customer e-mail accounts (which also involved some large law firms in the US). For the time being, Verizon has at least three options under evaluation: (i) stepping away from the deal, probably by triggering a material adverse effect clause; (ii) negotiating a lower price for the acquisition; or (iii) having Yahoo assume responsibility for lasting damage caused by the breaches.
Regardless of the decision Verizon is going to make, this case clearly shows that the risk of data breaches is taking on a bigger role in M&A agreements and, therefore, more specific representations about data security, compliance with privacy laws, data breaches and hacks should now be included in SPAs and other transaction documents.
But this scenario is not limited to the drafting and negotiation stage of the agreements: the preliminary surveys and analyses made by potential buyers should be more focused on these “new” areas of risk, whether by means of specific requests within the due diligence process, by investigating the target company’s incident history regarding previous data breaches and the relevant remedies, or through deeper examination of the relevant regulatory compliance.
Given the above, buyers could also require some kind of assessment from the seller’s management, which could trigger their liability in case of untrue or reticent representations, without prejudice to additional specific statements made by the seller to address the risk of a breach. This will, of course, be included within the transaction documents, requiring strenuous negotiations over limitations or qualifications such as knowledge qualifiers or time limitations.
3. How to deal with data breaches within M&A transactions: minimal hints and samples
In light of the above, below are some very basic indications on how to handle data breach issues in M&A transactions:
a) Due diligence checklist: sample request
When assisting a buyer in a potential M&A transaction, it is advisable to make one additional request within the Intellectual Property and Information Technology Section of the Legal Due Diligence Checklist:
“Please provide details of any actual or potential data and information security breaches, unauthorized use or access of the Company’s IT systems or data, or data and information security issues affecting the Company [in the past [number] years]”.
Depending on the business and the industry of the target, this request may be expanded significantly.
b) Representations and warranties: sample clause
When negotiating the transaction documents, the data breach issue is usually contained in the R&Ws, irrespective of the business of the target company. Please find below a very basic sample:
“Security Breaches and Unauthorized Use. [To the knowledge of the Seller,] [T/t]he Company has not[, in the past [number] years,] experienced any loss, damage, or unauthorized access, disclosure, use, or breach of security of any personal information in the Company’s possession, custody, or control, or otherwise held or processed on its behalf”.
Whether you are on the buyer’s or the seller’s side, negotiations can lead to a well-balanced and fair wording or, alternatively, to a clause which is more favorable to one of the parties. In this respect, a limitation to the “knowledge” or “best knowledge” of the seller can be a fair concession to the seller, as can a time limitation, which, of course, will be more favorable to the seller the more the time frame is limited, and vice versa.