M&A 2023 Annual Review

Morrison Foerster

4. Privacy and Security Issues Grow as Data Value Rises

Virtually every M&A deal has data privacy and security implications, and the potential exposure continues to grow.

Continuously Evolving U.S. and Global Legislative Landscape

The U.S. has historically lagged with respect to omnibus (i.e., not sector-specific) privacy legislation, but by the end of 2023 five U.S. states had omnibus privacy laws and more will follow in 2024. Most U.S. state laws apply only to personal data collected in a business-to-consumer context, though the California Consumer Privacy Act (CCPA), like most non-U.S. privacy laws, applies to any personal data, so also, for example, to personal data collected in a business-to-business or employment context. The U.S. state laws regulate the collection and processing of “personal data,” defined very broadly. The U.S. state laws provide for significant penalties; the CCPA, for example, authorizes civil penalties of $2,500 per violation, which could be based on the number of individuals affected by the violation and can be trebled for intentional violations.

In jurisdictions outside the U.S., we continue to see a steady drumbeat of data privacy and security legislative and enforcement developments.

Data Security Threats and Preventive Measures

Threat actors persist in finding new ways to compromise systems and data. Strong data security measures are crucial, and we are seeing more buyers engage information technology specialists to assist with review of a target company’s systems. A company’s data security procedures should be measured against applicable laws (e.g., the Massachusetts Rules Regarding the Protection of Personal Information), as well as against the general standard of “commercially reasonable” measures, which has been used by the Federal Trade Commission. A company’s contracts with customers, service providers, and others may also impose data-related obligations.

Data Security Incidents

Even with tight security, breaches occur, and companies must be prepared to respond to, remediate, and, as and when appropriate, disclose them. It can take months, though, for a company to detect a security breach. A buyer may find that it has closed with a target that has experienced a breach, or, worse, that the same breach has infected the buyer’s systems as the buyer integrated the target. Public companies now must disclose certain breaches publicly under the SEC’s July 2023 rules.[14]

In 2024, data privacy and security issues are expected to continue to grow as key considerations in M&A, as data becomes more valuable (sometimes emerging as an unexpectedly large asset of a company as well as a source of a company’s obligations to others) and threats more pervasive and insidious. The increased privacy and security risks and evolving regulations will require appropriate planning, diligence, negotiation, and other deal steps.

[14] See our July 28, 2023 client alert, “SEC Adopts Cybersecurity Disclosure Rules for Public Companies.”
