PRIVACY AND CYBERSECURITY ISSUES IN M&A TRANSACTIONS

Similar documents
M&A ACADEMY. Privacy and Data Security Issues in M&A Transactions. Ezra Church, Don Shelkey, Pulina Whitaker March 5, 2019

TAX ISSUES IN M&A TRANSACTIONS

M&A ACADEMY: TAX ISSUES IN M&A TRANSACTIONS

THE TRANSFORMATION OF INVESTMENT ADVICE: DIGITAL ADVISERS AS FIDUCIARIES

EMPLOYMENT & COMPLIANCE ISSUES & PITFALLS IN CROSS- BORDER M&A TRANSACTIONS

IP ISSUES IN MERGERS & ACQUISITIONS

UNDERSTANDING CLOSED- END INTERVAL FUNDS Sean Graber, Partner Thomas S. Harman, Partner David W. Freese, Associate. June 7, 2017

M&A ACADEMY INDEMNIFICATION

M&A ACADEMY: THIRD PARTY REPRESENTATIONS AND WARRANTIES INSURANCE IN STRATEGIC AND PE DEALS

M&A ACADEMY CHOOSING AN ACQUISITION STRUCTURE AND STRUCTURING A DEAL

M&A ACADEMY PURCHASE PRICE ADJUSTMENTS & EARN- OUTS

PREPARING FOR A CHANGE IN CONTROL

FROM VIE TO SAFE: TECH INVESTMENTS INTO AND FROM CHINA

BENEFITS AND COMPENSATION: MISSION CRITICAL FOR TECH COMPANY SUCCESS

IMPLEMENTING THE BENEFICIAL OWNERSHIP RULES. April 18, 2018 Charles Horn, Melissa Hall, Ignacio Sandoval

SEC PROPOSED STANDARDS OF CONDUCT. FOR RETAIL ADVICE Chris Cox Jennifer Klass Steven Stone Brian Baltz May 9, Morgan, Lewis & Bockius LLP

DEBT FINANCING FOR EARLY STAGE VENTURES

NAVIGATING US TAX REFORM:

M&A ACADEMY TECHNOLOGY M&A ISSUES

BLOCKCHAIN IN HEALTHCARE TECHNOLOGY

NAVIGATING US TAX REFORM:

Biography. Mary B. Hevener Washington, D.C. T F

UNDERSTANDING THE NEW BEAT TAX

IP ISSUES IN MERGERS & ACQUISITIONS

2016 PLAN SPONSOR BASICS 401(k) ISSUES. Presenters: Lisa Barton and Elizabeth Kennedy November 9, 2016

SOUTH DAKOTA V. WAYFAIR

IMPLICATIONS OF US TAX REFORM FOR HEDGE FUNDS, INVESTORS, AND MANAGERS

NAVIGATING US TAX REFORM:

CONSUMER-DRIVEN HEALTHCARE POST-ACA. Presenters: Andy Anderson and Sage Fattahian March 30, 2016

M&A ACADEMY EXECUTIVE COMPENSATION AND EMPLOYEE BENEFIT PLAN ISSUES IN M&A TRANSACTIONS. Presenters: Colby Smith and David Zelikoff February 14, 2017

SECTION 4062(e) PLANT SHUTDOWN LIABILITY

M&A ACADEMY CHOOSING AN ACQUISITION STRUCTURE AND STRUCTURING A DEAL

COMPENSATION CLAWBACKS: TAX CONSEQUENCES FOR ISSUERS AND EXECUTIVES

NAVIGATING US TAX REFORM:

CONFLICTS OF INTEREST

NAVIGATING US TAX REFORM:

DISRUPTIVE TECHNOLOGIES IN INVESTMENT MANAGEMENT: THE REGULATORY LANDSCAPE FOR ASSET MANAGERS

OIL AND GAS: REGULATORY ROUNDUP. Levi McAllister and Pamela Wu June 29, Morgan, Lewis & Bockius LLP

PLAN SPONSOR BASICS: RETIREMENT PLAN. Presenters: Lisa H. Barton and Mark J. Simons September 22, 2015

REQUIREMENTS AND HIGHLIGHTS OF THE VOLCKER RULE AND ITS REGULATIONS

M&A ACADEMY TECHNOLOGY M&A ISSUES. April 5, 2016 Steve Browne and Laurie Cerveny

NAVIGATING US TAX REFORM:

PLAN TERMINATION ISSUES

UPDATE ON RECENT SEC COMPLIANCE AND DISCLOSURE INTERPRETATIONS (CD&I)

BE PREPARED FOR THE NEW EU DATA REGULATION

AFFORDABLE CARE ACT: POTENTIAL CHANGES, LIKELY EFFECTS

Affordable Care Act Tasks:

SEC PROPOSES LIQUIDITY RISK- MANAGEMENT RULES. Christopher D. Menconi, Sean Graber, Beau Yanoshik, David W. Freese January 20, 2016

NAVIGATING US TAX REFORM:

HOT TOPICS IN EMPLOYEE BENEFITS: WHAT WE RE SEEING Presenters: Amy Pocino Kelly (moderator), Andy Anderson, Althea Day, Brian Dougherty, Julie

Bad Actor Disqualification in Private Placements New Rule 506(d)

U.S. Private-sector Privacy Certification

MAJOR LEGAL TRENDS FOR 2018 JEGI MEDIA & TECHNOLOGY CONFERENCE

February 2015

2016 PLAN SPONSOR BASICS PLAN AUDIT ISSUES. Presenters: Amy Pocino Kelly and Susan Lastowski November 16, 2016

HOT TOPICS IN EMPLOYEE BENEFITS: WHAT WE RE SEEING

Mergers, Acquisitions, and Other

LOOKING BEYOND THE TECH IN FINTECH Fintech Regulatory Pitfalls and Best Practices November 16, 2017

Preparing For and Managing g Plan Audits

M&A ACADEMY: ISSUES IN RETAIL M&A TRANSACTIONS. David McManus and Christina Melendi May 10, 2016

HIPAA s New Rules: Expanding Scope, Clarifying Uncertainties, and Reinforcing Fundamentals

Acquisition Financing in M&A Transactions: Reconciling Deal Terms With Loan Terms and Closing Conditions

Developing Effective Resolution Strategies and Plans for Systemically Important Insurers; Consultative Document 3 November 2015

Anatomy of a Deferred Compensation Plan

Part-Timers and Locations and Turnover Oh My! An Overview of Employee Benefits Issues for Retail Organizations

Fiduciary Issues for Retirement

Responding to Commercial Bribery Investigations What to Do When the Chinese Administration for Industry and Commerce (AIC) Arrives At Your Door

SEC Approves Final NYSE and NASDAQ Compensation Committee Rules

TAX REFORM : THE DEVIL S IN THE DETAILS

Cross-Border European Insolvency in the Brexit Era

Shareholders' Rights in a Russian Joint-Stock Company

NAVIGATING US TAX REFORM:

OSHA to Offer Alternative Dispute Resolution for Whistleblower Complaints

UK Investment: Tech Issues for Entrepreneurs, Start-Ups and Investors. presenters Amy Comer Matthew Howse Kate Habershon Tracy Evlogidis

ISDA 2013 EMIR NFC Representation Protocol: Factors to consider in deciding whether to adhere

Global Investing: Limited Partner Perspective October 5, Morgan, Lewis & Bockius LLP

Wells Fargo Bank, N.A. as Trustee v. Chukchansi Economic Development Authority, et al., Index No /2013

OIL AND GAS: REGULATORY ROUNDUP. Levi McAllister and Pamela Tsang Wu January 11, 2017

Tax Alert. China Issues New Tax Rules on Corporate Restructurings. I. Overview

Arbitrability of IP Disputes in Russia

Investment Management Alert. New Interactive Data XBRL Filing Requirements for Mutual Funds

Jujitsu Techniques for Enforcing & Defending Contract Liability Claims

MiFID II 31 December MiFID II. Third country access

Introducing the New Multi-Level Marketing Governing Act

Directors and Officers Liabilities in Russia

DOING BUSINESS IN THE GOLDEN STATE WEBINAR SERIES


DOL Releases Final Disclosure Regulations for Participant-Directed Individual Account Plans. October 26, 2010

ASSET MANAGERS: A NEW ERA OF REGULATION?

WEEK 1/FEBRUARY 17, 2016 MODULE #1

FINRA s Most Significant 2016 Enforcement Actions

IRS Moves Forward with Plan to Change the Determination Letter Process

SEC Delays Municipal Advisor Registration and Record-Keeping Obligations

Changes to Hedge Fund Disclosure and Reporting Obligations

Joining the Crowd: SEC Adopts Final Crowdfunding Regulations - Part I

Zürich, October 22, Yannis Samothrakis

May Global Growth Strategy

$500 Carryover Opportunity for Cafeteria Plan Health FSAs: Worth the Effort?

401(k) Plan Issues Presenters: April 16, 2013

MiFID II 31 December MiFID II

Transcription:

PRIVACY AND CYBERSECURITY ISSUES IN M&A TRANSACTIONS Don Shelkey and Ezra Church May 22, 2018 2018 Morgan, Lewis & Bockius LLP

Overview Introduction Why should I care? Five Key Legal Requirements Sector-Specific laws Privacy Policies Data Security Requirements Breach Notification Laws International Privacy Rules / Cross-Border Restrictions Implementing Privacy and Security in Deals Diligence Reps and Warranties TSAs 1

Why should I care? If a target company cannot collect and deploy data consistent with data privacy laws, there may be flaws in the premise for the deal or the business model itself Failure of target company to meet its data privacy and security obligations can be a major risk for acquiring company Transfer and sharing of data in connection with diligence and after the transaction may in itself violate data privacy laws 2

Good News / Bad News Good News there is no all-encompassing data privacy or cybersecurity statute in the U.S. Bad News there is no all encompassing data privacy cybersecurity statute in the U.S.: Attorney General Enforcement FTC Act FCRA CAN-SPAM COPPA Breach Notification Laws Data Disposal Laws FERPA Gramm-Leach-Bliley MA Data Security Laws Red Flags Rule FACTA EU safe harbor rules Consumer Class Actions PCI and DSS Credit Card Rules Document Retention Requirements HIPAA CA Online Privacy Act Stored Communications Act / ECPA Do Not Call Lists Telephone Consumer Protection Act Video Privacy Protection Act Wire Tapping liability Invasion of Privacy Torts Data Encryption Laws E-Sign Computer Fraud and Abuse Act Communications Decency Act Spyware Laws RFID Statutes FDCPA Driver s Privacy Act Social Security Number Laws Regulation Z Others State Laws 3

1. Sector Specific Privacy Laws Money Health Kids Gramm-Leach-Bliley Act Fair Credit Reporting Act (FCRA) State Laws Health Insurance Portability & Accountability Act (HIPAA) Family Educational Rights & Privacy Act (FERPA) Children s Online Privacy Protection Act (COPPA) State Laws Consumer Marketing! Telephone Consumer Protection Act (TCPA), CAN- SPAM, and Do Not Call regulations 4

2. Privacy Policies FTC and CA Online Privacy Act Self-imposed regulation Basic principles Notice Access and Control Must notify regarding material, retroactive changes Language to look for: Transfer of assets language Restrictions on sharing Promises about security Look at the language for all entities involved; website and mobile Other public statements about privacy and security? 5

3. Data Security Requirements Sector-specific laws may apply Contracts may require certain security standards MA Security Regulations Have a written information security plan Additional administrative discipline Social security numbers Encryption Training 6

4. Breach Notification Laws 50 States and D.C. Based on the individual s residence Triggering elements vary Encryption / lack of use exception sometimes Issue of who s obligation? Timing of notice as soon as practicable, but need information to notify Vendor management 7

5. International Privacy Rules / Cross Border Data Transfers EU General Data Protection Regulation Comprehensive privacy regime that applies to any collection of personal data relating to an identified or identifiable natural person. Apply extraterritorially to any processing of EU resident data by company offering goods or services in the EU or monitoring individuals in the EU. Fines as high as 4% of global revenue or 20 million Euros. Transfers out of EU Privacy Shield Model clause agreements: good, but must have right language and foreign counterparty who retains liability. Binding Corporate Rules: hard to implement at multi-national level; can be good for isolated transfers. One European entity retains liability. Consent of Data Subjects: really only works at an individual level; can be revoked at will; not good for database or large-scale transfers. Can be good if just a few European employees or customers. Necessary for Contract Performance: very limited to necessary ; e.g. address for shipping. Transfers from APEC Countries; Russia 8

M&A - Reps and Warranties Privacy and Security related reps and warranties are most often included in the Intellectual Property section. Three common Privacy related reps: Compliance. Seller is in material compliance with all applicable Laws, as well as its own rules, policies and procedures, relating to privacy, data protection, and the collection, use, storage and disposal of personal information collected, used, or held for use by Sellers in the conduct of the Business. Claims. No claim, action or proceeding has been asserted in writing or, to the Knowledge of Seller, threatened in connection with the operation of the Business alleging a violation of any Person s rights of publicity or privacy or personal information or data rights. Security. Seller has taken reasonable measures, including, any measures required by any applicable Laws, to ensure that personal information used in the conduct of the Business is protected against unauthorized access, use, modification, or other misuse. 9

M&A - Privacy related Diligence Privacy related diligence typically involves: Buy Side: Reviewing applicable privacy policies to ensure data transfer is permitted. Most should expressly permit transfers in a M&A context. Buy Side: Ensuring industry specific rules permit the transfer (kids, money, health, EU, etc.) For these industries, it may make sense to have a conference with the Privacy Officer. Sell Side: We always recommend hitting privacy head on, especially in the regulated industries or retail, uploading privacy policies to the data room and describe data collection and transfer issues. Sell Side: Keep logs of any data security breaches, remediation efforts, and steps to prevent access in the future. These are more common than one would expect. 10

M&A - TSAs Transition Services Agreements; common in M&A transactions. Often involve some of the most sensitive data that the company (employee data, customer data). Involve a member of the privacy team early when discussing the TSA. Could require an information security audit from Buyer (which is somewhat counter intuitive) Think of them as an outsourcing or hosting deal the issues are the same! 11

QUESTIONS? 2016 Morgan, Lewis & Bockius LLP

Biography Doneld Shelkey Boston +1.617.341.7599 doneld.shelkey@morganlewis.com Don represents clients in global outsourcing, commercial contracts, and licensing matters, with a particular focus on the e-commerce and electronics entertainment industries. Doneld assists in the negotiation of commercial transactions for domestic and international manufacturers, technology innovators, and retailers, and counsels clients in the e-commerce and electronics entertainment industries on consumer licensing and virtual property matters. Ezra Church Philadelphia +1.215.963.5710 ezra.church@morganlewis.com Ezra regularly represents and counsels clients in privacy and cybersecurity matters. His work in this area includes representation of companies faced with class action litigation, government investigations, and he has advised hundreds of companies in connection with data breaches and privacy and data security compliance issues. He has earned designation as a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals and regularly speaks and writes on these topics. 13

Our Global Reach Our Locations Africa Asia Pacific Europe Latin America Middle East North America Almaty Astana Beijing* Boston Brussels Chicago Dallas Dubai Frankfurt Hartford Hong Kong* Houston London Los Angeles Miami Moscow New York Orange County Paris Philadelphia Pittsburgh Princeton San Francisco Santa Monica Shanghai* Silicon Valley Singapore Tokyo Washington, DC Wilmington *Our Beijing office operates as a representative office of Morgan, Lewis & Bockius LLP. In Shanghai, we operate as a branch of Morgan Lewis Consulting (Beijing) Company Limited, and an application to establish a representative office of the firm is pending before the Ministry of Justice. In Hong Kong, Morgan Lewis has filed an application to become a registered foreign law firm and is seeking approval with The Law Society of Hong Kong to associate with Luk & Partners.

2018 Morgan, Lewis & Bockius LLP 2018 Morgan Lewis Stamford LLC 2018 Morgan, Lewis & Bockius UK LLP Morgan, Lewis & Bockius UK LLP is a limited liability partnership registered in England and Wales under number OC378797 and is a law firm authorised and regulated by the Solicitors Regulation Authority. The SRA authorisation number is 615176. *Our Beijing office operates as a representative office of Morgan, Lewis & Bockius LLP. In Shanghai, we operate as a branch of Morgan Lewis Consulting (Beijing) Company Limited, and an application to establish a representative office of the firm is pending before the Ministry of Justice. In Hong Kong, Morgan Lewis has filed an application to become a registered foreign law firm and is seeking approval with The Law Society of Hong Kong to associate with Luk & Partners. This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising. 15

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback