When organizations set their sights on a merger or acquisition target, conducting thorough due diligence across all business units is a vitally important first step.

Acquirers should be looking at the target’s operations, finances, and business performance including revenue, operating expenses, profitability, cash flow, assets, liabilities, and working capital. Legal experts should review the target’s contracts, litigation history, and ongoing disputes and compliance issues that could impact the transaction or post-deal business outcomes.

One element of the transaction process that doesn’t get enough emphasis or is often rushed is performing due diligence on data privacy compliance and cybersecurity. This specific component of due diligence is critical to ensure that acquirers don’t get blindsided; undetected data privacy and cybersecurity exposure could result in litigation, fines, penalties, and reputational damage. For example, incomplete knowledge of the target’s data privacy and cybersecurity posture could leave the acquirer vulnerable to data breaches or the theft of sensitive customer data, intellectual property, or trade secrets. The financial impact or headline/reputational risk of these oversights can be significant. Costs related to incident response, legal fees, regulatory fines, and lawsuits can erode the expected value and benefits of the acquisition.  

Assess data and data privacy risks

Most companies have large volumes of data that are subject to strict regulations. Acquiring teams should set up data rooms to evaluate the data footprint and how it will evolve post-merger with the same rigor they examine financial information. Automating this process by using eDiscovery technology can help identify and manage the data collection and sorting, and can save huge amounts of time and money.

M&A teams must have knowledge of the laws and regulations that apply to data privacy — including GDPR, CCPA, and CPRA — and be aware of the types of PII and PHI the target has collected. Teams also need to review practices for obtaining individuals’ consent for collecting and storing personal data and verify the legitimate interest and necessity of possessing it.

Risks related to downstream data practices also merit careful consideration. If the target is a service or cloud provider storing or processing information on behalf of other organizations, for example, due diligence should incorporate evaluation of these and other third parties’ data privacy and compliance practices. Acquirers often overlook this step, yet third-party exposure levels can lower the target’s overall valuation.

Evaluate data security

Security protocols can be a weak spot, so acquisition teams should closely review the target’s accreditations and certificates. They should evaluate all current employees’ credentials as well as data governance, data security protocols, and protocols for incident response, regulatory response, and business continuity. No single process can completely eradicate security risk and regulatory exposure, but M&A teams should be aware of obvious red flags such as previous data breaches, regulatory violations, inadequate security protocols, weak controls, unpatched IT systems, and inexperienced staff.

Due diligence for cybersecurity should involve information security leadership from the acquiring organization as well as third-party cybersecurity forensics experts who can audit the target organization’s environments, identify and rate potential risks, and recommend remediation measures for any weaknesses. 

In addition to scrutinizing data privacy and security protocols, M&A teams should examine data management and security synergies, such as how the target handles personal information, data retention, and cybersecurity. For example, healthcare and financial services acquirers will want to verify that the target is following similar best practices for personally identifiable information (PII) and protected health information (PHI) data. Dissimilarities in business models and data-handling practices can introduce risk. When Google bought Fitbit, for example, concerns about commingling individuals’ health and wellness data with Google ad data created backlash.

Cross-border considerations

Cross-border issues, such as incongruent data privacy and protection requirements, jurisdictional challenges, and cultural differences can add unwanted complexities that are expensive. In the case of a target that has offices in countries where the acquirer doesn’t have a presence, M&A teams should evaluate the local political and regulatory landscape, including transaction structures, labor law rules, data privacy, and information security compliance to gauge whether the exposure in the new territory will pay off.

When evaluating all factors in multi-national M&As, teams can encounter technical and logistical difficulties related to dispersed data sets, secure data transfer, and local laws and regulations. These all require scrutiny to help a buyer decide if the acquisition is worth the effort.

Build the data privacy and compliance team

When examining the target’s privacy and security posture, including third-party vendors, dedicated M&A teams should insist on full transparency. Merging data across organizations requires a robust plan to keep the newly merged organization protected.

During due diligence, every team should include members from both the acquirer and the target. In addition to data specialists, compliance professionals, and privacy leads (which are often rolled up within IT), the team should include system owners, such as marketing or HR leaders.

The data privacy and compliance team, in particular, should also include a business lead. All parties need to understand how data privacy requirements will impact the use of the target’s data assets. This group sets the objectives, designs the roadmap, manages risk, and creates the data transition plan.

Post-merger, teams must maintain a data-privacy mindset to ensure that data-access rights, permissions, and controls are properly provisioned. Applying a solid information governance framework that covers the entire IT estate will clarify the overall data picture by identifying where the most sensitive data is held and specifying the data management roles of different teams and individuals. Such a framework should also establish best practices for data retention, security, access, compliance, and disaster recovery right from the start.

This process should include the creation of a data inventory that maps and catalogs data across the entire merged entity. For data transfers, privacy policies and security protocols must be consistently applied. Teams need to ensure compliance, implement safeguards and document chain of custody.

All these measures will save time down the road; establishing a new information security baseline and updating annual audit and compliance plans can take six months to several years.

Appropriate technologies can help

No M&A due diligence exercise can be successful without the help of specialized technology. Accuracy is paramount, and time is too scarce to perform this long list of demanding tasks without automation. M&A teams will typically use a combination of spreadsheets/checklists in Microsoft Excel along with virtual data room software such as DealRoom, FirmRoom, or Intralinks. They might also use project management and automation software such as Smartsheet, and cybersecurity assessment solutions such as Redscan.

Some M&A teams also leverage eDiscovery tools as part of their diligence process to review contracts, run searches in large volumes of data and data types, compare near similar documents, and look for patterns or specific information. Working with a trusted technology partner can help the team find and tailor a tech solution, not only for the due diligence period but also later for the merged entity.

The excitement surrounding an M&A transaction can distract from important details. Staying on track with privacy and security due diligence — which is necessary to protect both the acquirer from unforeseen issues and the target from potential breaches or theft of customer data, intellectual property or trade secrets — requires a thorough, methodical approach, as well as the deployment of appropriate technology. Deploying eDiscovery technology during the M&A due diligence process can help teams sift through and review large amounts of documents and data methodically, often faster than a normal document review with the use of AI, analytics, and advanced search capabilities saving both time and money. It will also allow the M&A team to proactively identify any potential data-related issues and come up with risk mitigation plans both before and after a merger — a step that could make a huge difference between success and failure.