Today's General Counsel, V15 N1, Spring 2018

Page 35


Cybersecurity

and real estate, you need to conduct an initial analysis of the company’s information security infrastructure and business operations to determine the preliminary scope of privacy-focused diligence. This initial diligence sweep may involve obvious areas of interest, e.g., an assessment of whether the company operates in a highly regulated area, such as health care or financial services, or whether it has suffered a significant breach involving personal information. It may also include asking questions about the location of employees, customers and vendors to determine whether the target’s practices may trigger obligations under foreign jurisdictions such as the European Union, which are more sensitive than United States laws with regard to collection of common identifiers.

Also of importance during this phase is consulting your team about the deal structure, including whether the purchase will be limited to assets, in which case past liability is of lesser concern, or whether the target will be acquired as part of a merger or interest acquisition, where liability for past breaches and non-compliance with privacy laws will become your company’s obligation. Getting a read on your team’s general risk tolerance, and understanding whether the plan is to leverage representations and warranties insurance, is also paramount to guiding the diligence process.

Once your team gets the green light to proceed, use your initial analysis to create an in-depth roadmap for diligence. In particular, you will want to focus on three key issues: (1) what information the target is collecting, (2) what the target is doing with the information and (3) how the target is protecting the information.

When examining the target’s information collection practices, be granular with your diligence inquiries. For example, merely asking whether the target collects “personal information” will likely not get the complete response needed to assess potential risk. Instead, using the knowledge from the initial sweep, ask specific questions about whether the target may be collecting certain types of regulated information in addition to your general inquiries. For example, if the target is running analytics cookies on its website, ask whether it receives Internet Protocol (IP) addresses back from the trackers. Although many people may not think of IP addresses as personal information (indeed, many still consider IP addresses to be “anonymous”), the collection of such identifiers is coming under increasing scrutiny and regulation in the United States, and has been regulated in the European Union for years.

For this phase of diligence, it is important that you identify individuals who play certain roles within the target’s organization and ask them to provide answers. The person responding to the diligence requests on behalf of the target may not think to query people in the marketing department, for example, about their information collection activities. The quality of the diligence response may suffer as a result.

In addition to asking what information the target collects, you should also ask how this information is collected. This will be helpful in determining whether the target is living up to its promises in any consumer-facing privacy disclosures, such as its website privacy policy, as well as identifying any contracts where the target may have data privacy or security obligations. Depending on what type of products and services the target offers, the means of information collection may range from common practices, such as the collection of consumer information through online account creation, to newer and increasingly scrutinized practices, such as the collection of location information from a closed app on a smartphone.

FIND OUT HOW THE INFORMATION IS USED

Once you’ve identified the information under the target’s purview, it is important to understand how this information is used within its organization, as well as how it is shared outside. At this point, you have likely identified the relevant areas of regulation that apply to your target (HIPAA, GLBA, etc.). During this phase, you will want to compare its uses and disclosures of information against any pertinent restrictions to determine where there are gaps between practices and legal obligations. In addition, similar to the discussion above regarding information collection, the target’s information use practices should be compared with the promises it makes in consumer-facing disclosures and contracts to ensure that it is fulfilling such assurances. This is also the time to identify whether it is engaged in any “high risk” practices, such as telemarketing and text message marketing, where the laws impose strict consent requirements and high statutory fines, and the class-action bar is extremely active.

What is perhaps the most important phase of diligence, examining the target’s security controls, can be a two-team job. As an initial matter, your legal team will need to determine what security controls the target has in place to protect the information under its purview, and whether such safeguards satisfy legal and contractual obligations. You may also need to enlist an information technology focused team to examine the effectiveness of these safeguards, and determine whether they sufficiently protect the target’s information.

continued on page 37
