The tight time frame gives Microsoft and Bytedance little time to conduct needed privacy, cybersecurity, and national security reviews to assuage regulators, Congress, the White House, and potential litigators. The work done in the next month will help executives and investors weigh whether the deal is worth it.
Meeting the deadline would be a hard lift “even in the best of times,” said Theresa Payton, a cybersecurity consultant and former White House chief information officer in the George W. Bush administration. When and if a deal gets done, investors and executives will need to factor lawsuits and possible enforcement actions against the Chinese-owned company into the value of it, she said.
Microsoft’s possible acquisition of the U.S. operations of ByteDance Ltd.'s TikTok shows how privacy and cybersecurity is a central consideration for Microsoft to avoid surprises, such as high litigation costs, later.
Trump said Monday TikTok must end its U.S. activities by Sept. 15 unless it reaches a deal to sell its operations in the nation to Microsoft or some other American company. Microsoft said in an Aug. 2 blog post it wants to finish a deal for TikTok’s operations in the U.S., Canada, Australia and New Zealand by Sept. 15.
Regulatory investigations, congressional probes, and litigation “don’t go away if the company is sold,” said Cynthia Larose, chair of Mintz Levin’s privacy and cybersecurity practice. The market will look at these challenges and factor that into a seller’s overall “risk profile,” she said.
Microsoft will want to conduct detailed data maps of where TikTok’s information is going and which countries would have access to it under national security laws, attorneys said. Hiring third-party advisers to conduct the data mapping would give Microsoft a clearer picture of the risks they are buying. Bytedance will also want to make sure to do a complete systems check for any past and ongoing privacy and security concerns, attorneys said.
The Trump Administration, Sen. Josh Hawley (R-Mo.), and other lawmakers have raised concerns over TikTok’s connections to China. They argue that U.S. citizens’ data could wind up in the hands of foreign surveillance authorities when user information is sent to China.
TikTok also faces scrutiny over its handling of children’s data. TikTok’s predecessor Musical.ly paid $5.7 million in February 2019 to end Federal Trade Commission claims that the company violated the Children’s Online Privacy Protection Act.
TikTok is under the consent decree from that FTC settlement, and any future violation could lead to fines and data-use restrictions under that agreement.
The obligations under the decree would likely flow to TikTok’s would-be U.S. acquirer, said Justin Brookman, former policy director in the Federal Trade Commission’s office of technology research and investigation. “The sins still exist and must be expunged,” said Brookman, now director of consumer privacy and tech policy at Consumer Reports.
Microsoft declined to comment beyond its blog post. Microsoft’s new structure for TikTok would add “world-class security, privacy, and digital safety protections,” the company said in its post.
TikTok said in a statement it’s committed “to bring joy to families and meaningful careers” for workers. “TikTok will be here for many years to come.”
Privacy and security issues have become front-of-mind concerns in recent years as data use and targeted advertising has grown in scope, said Michael Overly, tech transactions partner at Foley & Lardner LLP.
Companies should be asking what “are the security measures in this software, how is the data being handled, where is it being stored, and who has access to that data,” Overly said.
Class plaintiffs are likely to sue both the buyer and seller for privacy violations, and depending on the terms of the deal, “the acquirer may end up bearing liability for fines and damages,” said Andrew Baer, chair of the technology, privacy and data security group at Cozen O’Connor.
Buyers and sellers need to make the deal lucrative while accounting for future privacy and security risks, said Payton, chief executive officer of cybersecurity consultants Fortalice Solutions. The more work Microsoft and TikTok do before the deadline will improve their chances with regulatory and national security officials, she said.
Acquiring companies can take steps to alleviate their risks, attorneys said, such as buying insurance or putting money in escrow.
Failing to focus on privacy and security carries risks for merging companies.
Verizon Communications Inc. cut its acquisition price of Yahoo! Inc. by $350 million in 2017 after Yahoo! disclosed two previous data breaches.
In November 2018, Marriott International Inc. announced a data breach that exposed information on up to 500 million guests. The breach of Starwood guests occurred in 2014, before Marriott acquired that company for $13.6 billion in 2016.
Some companies now conduct detailed analyses of privacy and security, including data maps, threat reports, and hiring third-party auditors, before closing merger deals, said Wynter Deagle, privacy and cybersecurity partner at Troutman Pepper Hamilton Sanders LLP.
There has been “a significant uptick both in acquirers requesting specific reps and warranties around privacy compliance and data security, and in including those risks when negotiating the indemnification provisions and hold-backs,” said Deagle, who is also managing partner of the firm’s San Diego office.
“Privacy and cybersecurity,” Deagle said, “have become significant risks that should be considered when negotiating.”
-- With assistance from Andrea Vittorio in Washington