Privacy and cybersecurity laws and the accompanying risks involved in M&A are rapidly evolving. While your business team is wrapping its arms around traditional areas of diligence, conduct an initial analysis of the company’s information security infrastructure and business operations to determine the preliminary scope of privacy-focused diligence.
Use your initial analysis to create an in-depth roadmap for diligence. Focus on three key issues: (1) what information the target is collecting, (2) what the target is doing with the information and (3) how the target is protecting the information. Merely asking whether the target collects “personal information” will not get the response needed to assess potential risk. Instead, using the knowledge from the initial sweep, ask specific questions about whether the target is collecting certain types of regulated information.
There are three key concepts that help create your own diligence framework. First, keep in close contact with your business team to understand its risk tolerance and the potential measures that may be available to mitigate identified risks. Second, incorporate internal privacy counsel into your legal team early in the process — or seek outside counsel if you don’t have a specialist in-house — to assist with initial diligence and provide insight into any significant areas of risk that need to be communicated to your business team. Third, work with your team to understand how the target collects, uses and secures its information, and use this knowledge to provide a full risk picture to your business team.