The Diligence Process for Privacy and Data Security

Telltale Indicators of a Data Program’s Strengths and Weaknesses

The rapid expansion of data security and privacy laws and regulations — both in the United States and internationally — harbors the potential for substantial liability, with the consequence that cyber compliance has become an important focus of the mergers and acquisitions (M&A) diligence process. Until recently, unless a company was data heavy, its privacy program, documentation, and data security and acquisition programs were likely minor considerations for an acquirer. Today, companies cannot undertake an M&A process without thinking about data. Whether a target collects employee data, client data, consumer data or some combination of the three, an analysis of how that data is collected, processed and protected will be critical to the due diligence process.

This article focuses on privacy and data security from the perspective of an acquirer looking in. The concerns identified are of equal importance, however, to companies or their sponsors considering a sale. Before going to market, companies are well advised to assess their privacy and data security hygiene and ensure their compliance with cyber regulations and industry best practices before subjecting themselves to the microscope of the diligence process.

The Public Privacy Policy

An acquirer’s first stop in assessing a target company’s privacy practices should be the target’s website homepage, where the absence of a privacy policy can be a telltale sign of weakness in — or the absence of — a company’s privacy program. Many states have statutes requiring that a company post a privacy policy to its public website. While provisions vary around the margins, a robust and thorough policy will include disclosures concerning:

• What personally identifiable information or personal data (PII) the company collects and processes
• Whether it collects sensitive data, such as Social Security numbers, financial information or biometric data
• How it uses and processes that PII
• Who it shares the PII with — e.g., vendors, third-party relationships, the government when required, or acquirers in a sale or merger
• What cookies and internet tracking tools or analytics it uses
• What steps it takes to protect the PII from unlawful or unauthorized access
• Whether it responds to do-not-track signals
• Whether it sells or leases PII to third parties
• Whether PII originates outside the U.S. and/or crosses any international borders
• Whether it collects the PII of minors

If the company is within the jurisdiction of the California Online Privacy Protection Act or the 2020 California Consumer Privacy Act (CCPA), the privacy policy must include specific information, such as a list of the rights of data subjects available under the CCPA and information for consumers on how to exercise those rights. Similarly, if the company markets or conducts business in the European Union or European Economic Area (EU) and collects or processes the PII of EU residents, the company must comply with the EU’s General Data Protection Regulation (GDPR). This regulation contains similar, though not identical, data subject rights and requires specific disclosures on how those rights can be exercised, which must be posted to the privacy policy.

In the due diligence process, a precursory review of the target company website is often a window into the company’s privacy program overall. While not a perfect measure, a company that has no privacy policy or a very thin, underdeveloped one is likely to have an equally nonexistent or thin privacy program. Conversely, a robust and detailed privacy policy often portends an equally robust and detailed privacy program — and a strong data security program as well.

Privacy Professionals

Another strong indicator of a healthy privacy and data security program that should be a point of inquiry for cyber diligence is the identification of a designated individual responsible for the target company’s data compliance. Often, the company will have a privacy professional who reports to management, the C-suite or even the board. While finding such an individual at a larger company has become increasingly common, even smaller companies that collect and process client or consumer PII — particularly sensitive data such as Social Security numbers, driver’s licenses or personal health information — may have an individual tasked with privacy and data security compliance.^[1]

A target that has a designated privacy professional is more likely to be aware of the many — and ever multiplying — privacy laws to which the company is subject, where its data resides (see Data Mapping, below), and how the data is used and protected. This privacy professional, along with senior IT leadership, will be an invaluable resource for conducting privacy and data security due diligence.

Penetration Testing, Vulnerability Scans, Data Security Certifications and Audits

A company’s data security program is also fundamental to its privacy program. The absence of a robust data security program and routine risk assessments of a company’s data security systems should raise red flags in the due diligence process, both as to security and to privacy.^[2] If a target company lacks a meaningful security program, little confidence can be placed in its representations and disclosures regarding security incidents or that it has not experienced a systems breach (see Security Incidents and Breaches, below). A company that has a deficient data security program or does not conduct penetration testing or vulnerability scans is less likely to even be aware of intrusions into its systems.

Penetration Testing and Vulnerability Scans

A company cannot claim to have a robust security program if it has never done a penetration test or vulnerability scan. Penetration testing and vulnerability scans are mechanisms both to detect intruders in the company’s system and to prophylactically identify weaknesses and remediate them. Remedial action might include patch management, firewalls, system upgrades, implementation of encryption or multifactor authentication, and other measures specifically designed to address identified vulnerabilities.

In the due diligence process, an acquirer should ask for recent penetration tests or vulnerability scans, ascertain whether they were conducted internally or by independent third parties or auditors, and probe the risks that were identified and their remediation.

If the target company has a weak data security system and has never probed its vulnerabilities with a third-party audit, vulnerability scan or penetration test, the buyer may consider requiring the target to conduct pre-signing testing. Based on the results, the buyer will have a clearer sense of the need for remediation of actual or potential vulnerabilities. Remediation could range from a “quick fix” that could be implemented before closing — for example, updating system patches or introducing an inexpensive software upgrade — to substantial, costly post-closing improvements required to address significant deficiencies. Many auditors can provide estimates of the cost and timetable for post-closing remedial efforts.

Security Audits and Certifications

Buyers should also inquire whether the target company has obtained one or more third-party certifications demonstrating the existence of an industry standard data security program. Certifications such as ISO, SOC, FedRAMP or NIST will provide a buyer with comfort that the target has robust data security. While a buyer’s own IT due diligence may be capable of drilling down into the target company’s systems and security protocols, a current certification — or a bridge letter reporting on an ongoing audit or certification update — will enhance and possibly shorten the diligence process.

Data Mapping

A critical component of a privacy program — and a company’s ability to respond to the requests of data subjects or even basic consumer complaints about data use — is knowing:

• What data the company has
• Whether the data is sensitive
• Where the data is located
• Whether the data is classified (public, confidential, highly confidential)
• Whether the data is subject to a legal, regulatory or litigation hold
• Whether the data is encrypted at rest and/or in transit
• How and whether the data can actually be deleted, corrected or provided to a consumer on request

Many privacy regulations — including GDPR and CCPA — require data mapping and PII inventories. Disclosures in a privacy policy concerning data subject rights and contact information for addressing data subject access requests (DSARs)^[3] are only one aspect of compliance. A company must also be able to respond to DSARs, and to do so, it must know what data it has, where it is stored, and how to correct or retrieve it.^[4] A target company that is subject to regulations that provide for DSARs must also have procedures for responding to them. These would typically include training employees who receive DSARs on how to identify and channel a DSAR to the appropriate company personnel for response.

When a target warrants that it is GDPR or CCPA compliant, it is implicitly representing that it knows what data it has and where it is located, and that the company has a policy or procedure for responding to DSARs. But a buyer should not simply take the target at its word. Data mapping and DSAR compliance, where applicable, must also be an important focus of the diligence process.

Privacy Program Documentation

As part of its privacy and data security due diligence process, the buyer should request and review copies of the target company’s written cyber policies. The existence of appropriate written procedures provides assurance that the target is serious about its data privacy and security, and gives some indication that the target is prepared to effectively deal with data security incidents and material disruptions of its systems and services. Critical policies that the target should provide include:

• An information security policy (also known as a WISP)
• An incident response plan
• A breach communication or notification plan
• A business continuity and disaster recovery policy and procedures
• A vendor management policy

Other policies that demonstrate a healthy data security and privacy program include:

• A data classification policy
• A patch management policy
• An acceptable use policy
• Data protection impact assessments
• A data subject access request policy and response template
• A password policy
• An email and internet use policy
• An encryption policy

Some of these policies may be embedded in larger policies such as an employee handbook or a WISP.

Just as important as a buyer’s diligencing the policies themselves is verification that the target has tested the policies and trained its employees in their application.

Vendor Management

Many privacy and data security regulations impose obligations on a data collector to require the vendors and third parties with whom it shares or transfers PII to maintain a rigorous level of data security over the information. An unaudited or nonexistent vendor management program suggests weak privacy and data security programs. Vendor management should therefore be a central focus of security and privacy due diligence, particularly where the target:

• Outsources IT or human resources functions
• Hosts PII in the cloud or in cloud-based software
• Partners with third-party vendors and applications to process PII

The due diligence process should, as a first step, include a review of third-party master service agreements or licenses to ensure that those documents impose data security obligations on the vendor to, at a minimum, ensure the confidentiality of the data and protect it against unauthorized access. Companies subject to the CCPA, GDPR or similar regulations are obligated to memorialize specific security provisions in their vendor contracts and may be subject to fines for failing to do so.^[5]

A review of vendor documentation alone may be insufficient, however. Should a vendor of the target company suffer a security incident (see Security Incidents and Breaches, below), the target may face significant regulatory or consumer liability for failing to diligence the vendor and placing customer or employee data in an unsafe environment. A buyer will therefore want to understand whether there is potential exposure from the data security programs of the target’s vendors and whether those vendors have been vetted thoroughly and are being reviewed on an ongoing basis.

Security Incidents and Breaches

A major focus of cyber and data security diligence will obviously be the target company’s history of security incidents, such as breaches, hacks or ransomware attacks. A similar review should be conducted of the company’s vendors to determine whether they have experienced incidents that put the company’s data at risk of exposure or unauthorized access.

Where a target has experienced a security incident, a buyer will want to ascertain whether the matter has been resolved and deemed “closed” or whether there is still pending or potential liability as a result of the breach. The buyer should also investigate whether the target has maintained records of the security incident, including:

• Documentation of how the security incident was detected, what vulnerabilities were exposed, and steps taken to remove the intruders and block unauthorized access
• Notifications to regulators and data subjects
• Communications with the target’s cyber insurance carrier
• Documentation of all systemic remediation

The buyer should also determine whether the target has conveyed knowledge of the incident to its employees and incorporated the lessons learned into its policies, procedures and training. For example, following a successful phishing attack, did the company conduct employee training in response to the incident?

If the target company retained a forensic vendor to assist in handling a security incident, the buyer should request the reports produced by the vendor. These reports would typically provide a thorough account of the nature of the incident, how it was detected and addressed, whether PII was accessed, and necessary steps to remediate the vulnerabilities that precipitated the incident.

The buyer should also investigate whether the target has a well-documented, practiced and utilized incident response plan, robust remediation procedures, procedures for breach notification to regulators and data subjects, and, where appropriate, made reparations to data subjects, such as providing credit monitoring. Evidence that these steps were taken following a security incident will provide greater assurance that a matter represented as “closed” has in fact been fully and finally resolved.

Cyber Insurance

Cyber insurance is another key component of a robust privacy and data security program. Policies come in all shapes and sizes and may cover, among other things, breach response and notification, business interruption, man-in-the-middle or ransomware payments, and computer fraud.

The absence of an adequate cyber insurance policy — or no coverage at all — may suggest that the target company does not appreciate the exposures and vulnerabilities presented by its data collection and processing. A buyer will therefore want to ascertain the amount of cyber coverage — including excess coverage — maintained by the target, the types of coverage included in its policy and the claims history under the policies.

Conclusion

A critical aspect of contemporary M&A due diligence is determining whether a to-be-acquired company has a mature, compliant privacy and data security program. The diligence should be multipronged and should include an assessment of the target company’s data privacy and security policies, protocols and systems, compliance with all applicable data privacy laws and regulations, monitoring capabilities and audits, data mapping, vendor management, business continuity and disaster recovery capabilities, and cyber insurance. The buyer should also identify the employees and professionals engaged by the target to oversee its privacy and security programs, and devote adequate time and resources to obtaining their perspectives on the quality of the target’s cyber infrastructure.

As evidenced by recent news stories, even the most sophisticated enterprises and organizations can be exposed to cyberattacks. Through appropriate diligence, however, a buyer can at least make an informed assessment of the target company’s vulnerability, its ability to rebound from a hostile intrusion and the resources available to it to compensate data subjects for potential losses.

^[1] _{The International Association of Privacy Professionals and FTI’s 2020 Privacy Governance Report noted that “one in four privacy pros works for an organization that has fewer than 1,000 employees.” View here.}

^[2] _{Beyond sound data management practices, certain legislative regimes mandate commercially reasonable data security programs — for example, the Health Insurance Portability and Accountability Act (health care) and the Gramm-Leach-Bliley Act (financial institutions).}

^[3] _{A DSAR is a written request for information made by a data subject — or the owner of the PII — often an employee to his or her employer, or a customer or consumer to an entity or service provider that has collected his or her personal data. Among other things, a DSAR could be a request for (i) confirmation of whether any PII has been collected or is maintained about the employee or customer, (ii) a description of the PII, (iii) the reasons it is being maintained, (iv) information concerning what persons or third parties outside the organization the PII has been transferred to, (v) correction of incorrect PII, or (vi) copies of the data itself. Different regulations provide for different information categories in a DSAR, but there is significant overlap.}

^[4] _{While a company may decline certain requests from data subjects based on exemptions in the regulations, it will need a documented basis for doing so. Without thorough data mapping, establishing eligibility for an exemption will be difficult at best.}

^[5] _{Other regulators, such as the Federal Trade Commission and the New York Department of Financial Services, also impose explicit vendor (or third-party service provider) obligations and oversight on data controllers and have initiated investigations and levied sanctions for failure to do so.}