Bloomberg Law

Cyberattacks, Privacy Legislation Shape M&A Dealmaking Process

June 14, 2021, 9:00 AM

Rising cybercrime, and an increasingly complex legal framework in the U.S. and abroad, has translated into companies paying more attention to privacy and cybersecurity to avoid potential liability after a merger or acquisition.

Spooked by heavier regulations and massive cyberattacks such as those on Colonial Pipeline Co. and JBS SA, businesses are diving deep into potential target companies’ security records and compliance programs before executing deals, attorneys say.

“The combination of privacy laws and the expanding data-driven nature of deals has caused companies to look at privacy and security in M&A as not just another legal compliance area but something that’s essential to business,” said Christine Lyon, a privacy and data security partner at Morrison & Foerster LLP in Palo Alto, Calif.

Data can be a significant asset for companies but, if improperly collected or handled, can also present sizable legal risks, Lyon said. That makes serious due diligence during dealmaking—in an era of bigger, frequent, and ever more sophisticated cyberattacks—nonnegotiable.

“I’ve certainly seen companies taking a step back and looking at privacy and security through a wider lens,” Lyon said.

Legal Risk

Three or four years ago, privacy and cybersecurity weren’t necessarily major considerations in the M&A dealmaking process, said Cynthia Cole, a privacy and data security partner at Baker Botts LLP in Palo Alto.

But large-scale cyberattacks have “caused everybody’s hairs” to go up, she said, adding that poor security posture and improper data regimes can negatively impact an asset’s value.

And risk related to privacy and cybersecurity in M&A is only set to increase as additional state privacy statutes are passed across the U.S., said Pritesh Shah, a partner at Davis Polk & Wardwell LLP in New York focused on intellectual property and technology transactions.

California and Virginia already have consumer privacy laws on the books, and Colorado is set to join them after its bill passed both chambers earlier this month. In the absence of preemptive federal legislation, companies must deal with disparate privacy statutes across the country that expand legal risk.

Meanwhile, the potential for huge fines stemming from violations of existing privacy laws, including the California Consumer Privacy Act and the European Union’s General Data Protection Regulation, is forcing businesses to think long and hard about target companies’ data regimes, including their cybersecurity measures and data flows for consumers’ personal information.

“Companies are saying: Should I even buy that asset?” Cole said. “Am I going to spend millions or billions of dollars for there to be a latent problem?”

Businesses can be fined up to $7,500 per violation under the CCPA and may find themselves on the hook for violations from companies they acquire even if the parent company wasn’t aware of them during the deal. Violators of the GDPR face potential fines of up to 20 million euros ($24 million) or 4% of the firm’s worldwide annual revenue, whichever is higher.

Acquiring data collected in violation of such privacy statutes can also usher in regulatory scrutiny or consumer-led litigation, Cole added.

Greater attention from buyers around data security has also translated into sellers becoming more aware of their strengths and shortcomings related to privacy and cybersecurity compliance, said Matthew Bacal, a corporate attorney at Davis Polk in New York focused on intellectual property and tech transactions.

“You see this with companies at the IPO stage as well,” Bacal said. “Smaller companies still working on compliance want to show that they have a plan, that they’re planning ahead.”

And throughout the deal process, data processing agreements that outline the scope and purpose of how data is used, and further define the relationship between companies, are becoming increasingly common, he said.

Vendor management has also come to the fore during negotiations as hacks on third-party companies have escalated, said Behnam Dayanim, the Washington-based chair of Paul Hastings LLP’s data privacy and cybersecurity practice.

That includes understanding how a target company manages its vendors, what provisions in vendor agreements look like, and how actively they oversee those companies’ practices, Dayanim said.

Due Diligence

Analyzing a target company’s data posture goes beyond collection; it should also look at how that data is used, shared, and disclosed, said Colleen Brown, a privacy and cybersecurity partner at Sidley Austin LLP in Washington.

“Diligence shouldn’t just be a check-the-box legal exercise,” Brown said. “It should be a holistic look into the data governance of the company, and how that aligns with the future as well.”

Companies are increasingly getting into “a level of nitty gritty” in requesting information from target companies about how data is collected and shared to help shift potential risks, Cole said.

But it’s also important to note that not all companies will have fully established compliance programs, Dayanim said.

Some businesses are too small to fall under the purview of data privacy laws, while others don’t process personal data in a way that makes such statutes applicable, he said.

Still, even newer companies should show a diligence toward data—and make it clear they are willing to step up to the plate for compliance down the road, Shah said.

“You can no longer join diligence calls and assume there’ll only be basic questions on privacy and cybersecurity, as most buyers will spend considerable time and effort on the topic,” Shah said. “Sellers need to be prepared to talk about what their program looks like, where their shortcomings are, and what changes need to be made.”

As data breaches continue to escalate, companies should recognize that just because a company was hit doesn’t mean it was necessarily negligent or employed poor cybersecurity standards, Lyon said.

“If a company did the right thing to try and prevent it and then did the right thing to remediate it and investigate it, that’s a good sign,” she said. “There are still unknowns, but people recognize that just because a company has had a cyber incident doesn’t mean no one should be interested in buying them.”

Even so, sloppy data management and cybersecurity can result in lowered valuations during the M&A process or potential legal liability and exposure for both companies in a deal.

“It’s important to look under the hood and go beyond just relying on what the company has to say,” Bacal said. “Because of the risks involved and the increased focus, it’s really worth digging into.”

To contact the reporter on this story: Jake Holland in Washington at

To contact the editors responsible for this story: Melissa B. Robinson at; Kibkabe Araya at