BreachExchange mailing list archives
Don’t neglect personal data security in mergers and acquisitions
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 Jan 2015 18:27:23 -0700
http://www.insidecounsel.com/2015/01/12/dont-neglect-personal-data-security-in-mergers-and

When hackers burrow into a company’s data, it can be expensive and embarrassing. Sony Corporation found out just how embarrassing it can be when North Korean hackers stole and then released financial data and executives’ embarrassing emails. Large corporations like Home Depot and Target have also been targeted and forced to spend tens of millions of dollars fixing data breaches that compromised the personal information of customers who used debit or charge cards at their stores. In just about every case, there was injury to the company’s brand too, because breaches erode trust in a company’s ability to protect its customers and employees and to run its affairs properly.

While it gets less attention, companies are particularly vulnerable to data breaches when they exchange information as part of due diligence in mergers and acquisitions. Businesses may set aside normal security protocols when they are wrapped up in negotiations and focused on completing a transaction. They may not be aware of best practices that govern exchanges of information in due diligence, and they necessarily must rely on the good faith and competence of employees and agents of the other company. All of this creates a window of vulnerability for a company that is in the midst of a merger, and it is imperative that C-level executives recognize that it is their responsibility to create a deal framework that protects the safety of customer and employee data.

This article includes a prepared checklist of considerations for companies in transactions who want to ensure that data they share as part of due diligence doesn’t end up in the wrong hands.

Start by identifying the data: Personal data usually involves two categories: inside information on employees and outside relationships with customers, clients and vendors. Employee data may include Social Security numbers, health information, compensation, dates of birth, names and addresses, evaluations and identifying information about family members. All of this information is useful in identity theft, and some of it, if released, is potentially embarrassing. For customers and vendors, information may include credit card numbers that could be used in identity theft, as well as contracts, pricing, intellectual property and similar information from vendors that could compromise their operations or your business relationship with them.

What’s the law? Once the data is identified, look at what regulations or laws apply. This often is industry-specific and can involve federal laws, such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, HIPAA and the Fair Credit Reporting Act, as well as state laws. Many industries — financial services and health care, for example — are governed by both state and federal laws, and your transactional legal counsel may find it helpful to call on resources in practice areas that support those industries.

The non-disclosure agreement is only a starting point: The NDA often is too general to cover the fine points of securing data. Consider identifying the data that will be shared and setting out the rules for its security. Remember to check whether federal or state regulations apply to the data, and determine whether provisions should be included as an attachment or whether a separate agreement between parties receiving data should be signed. And don’t forget that third-party financial advisers may need to be part of the agreement.

Who’s in charge? There should be a person on the acquisition team who is in charge of data security. Ideally, this person is a lawyer who has a working knowledge of both the technology and the laws that apply to data security in the relevant industries. In some cases, it may be appropriate to have a two-person, legal-technical team. This person or team should have direct access to all first-tier executives, and everyone in both organizations should be informed of their role.

Make sure everyone knows the rules: If the rules surrounding data security during a merger are a departure from the company’s normal procedures, then everyone must understand the rules. Otherwise, people will be unsure of what’s permitted. Put down a framework in writing that says, here’s what we can do, here’s what we can’t do. If liability issues emerge in the event of a breach, this document also will affirm that the company took measures to prevent unauthorized disclosures.

Secure the data room: Companies in mergers often create a virtual “data room,” a website where they place information that can be shared. This room must be as secure as a bank vault, with a high level of encryption and clear rules for who can place information in the room as well as who can access it. In most cases, there will be levels of security clearance, with the most sensitive information available only to the few people who need it. The data room should have a log that records who accesses information and when. There should be rules on whether downloads are permitted and whether access or downloads are permitted using mobile devices such as laptops and cell phones. Mobile devices are more vulnerable to theft and hacking, and some companies limit access through these devices.

Data security is industry-specific: Recognize that each industry has its own rules and best practices, some of them based on legal and regulatory requirements. While this may seem obvious, a horizontal combination of companies creates a situation where the acquiring company may not fully understand the laws that apply to its target.

Don’t take consent for granted: Consent may or may not be an issue with employee information. Many companies have employees sign releases at the front end of their employment that allow information about them to be released in limited circumstances, such as due diligence in a merger. Companies may have to obtain consent from employees if these releases have not already been signed. All companies should have such boilerplate disclosure permission in employment agreements.

If things go wrong, what’s the plan? Nobody expects a data breach, but they do happen. Have a crisis plan in place so that you’ll know how to respond as soon as the breach is identified. This includes addressing the technology issues and preventing further leaks, notifying the individuals or companies whose information was compromised, immediately assessing liability with your legal team and putting into place a crisis public communications plan that limits damage to the company’s brand.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss