Data Privacy Moves Front and Center for Investors and Merger Partners
Data privacy used to be back burner due diligence. That has changed. The Snowden leak made personal privacy Topic One for months. Since then, the OPM hack, the iCloud hack, and other well publicized data breaches have raised data privacy awareness both in M&A and investor due diligence. No longer an afterthought, federal and state data privacy regulations affect every business that has data intensive services. Investors and merger partners want to know that they will not inherit a data breach in the making or have to operate under a 20-year consent decree. IT compliance and due diligence have become topics of frequent discussion among boards of directors, and data security can be one of the determinative factors in a company’s valuation.
Consider these questions for your business:
- What is the data and privacy regulatory climate that faces your business?
- Do you conduct regular privacy risk assessments for the data your business handles?
- Do you have distinct procedures in place for personally identifiable information, trade secret/sensitive information, financial information, medical information, information collected from children?
- How does information move within your organization?
- How does information move into and out of your organization?
- Who actually owns the data you possess?
- Who may access and handle the data you possess?
- What information do you collect without knowledge or consent of the subject?
- What are your policies relating to log files, cookies, and exchanges of information with third parties and business partners?
- What opt-in or opt-out choices do you give users?
- What physical and system software security measures do you have in place for identification, authentication, and access to data?
- Do you control the merging of protected and unprotected data?
- Do you handle IT security internally or is that function outsourced?
- If you operate or plan to expand internationally, will your current security practices comply with what are often stringent foreign data and privacy controls?
Good business practice requires early and periodic review of data and security practices with your information security advisor and attorney. Bear in mind that data privacy and data security present specialized and unique challenges. Be sure your business advisors, including your IT consultant and your business attorney, are well-versed in privacy and security issues.