BreachExchange mailing list archives

Don’t neglect personal data security in mergers and acquisitions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 Jan 2015 18:27:23 -0700

http://www.insidecounsel.com/2015/01/12/dont-neglect-personal-data-security-in-mergers-and


When hackers burrow into a company’s data, it can be expensive and
embarrassing.

Sony Corporation found out just how embarrassing it can be when North
Korean hackers stole and then released financial data and executives’
embarrassing emails. Large corporations like Home Depot and Target have
also been targeted and forced to spend tens of millions of dollars fixing
data breaches that compromised the personal information of customers who
used debit or charge cards at their stores. In just about every case, there
was also injury to the company’s brand, because breaches erode trust
in a company’s ability to protect its customers and employees, and run its
affairs properly.

While it gets less attention, companies are particularly vulnerable to data
breaches when they exchange information as part of due diligence in mergers
and acquisitions. Businesses may set aside normal security protocols when
they are wrapped up in negotiations and focused on completing a
transaction. They may not be aware of best practices that govern exchanges
of information in due diligence, and they necessarily must rely on the good
faith and competence of employees and agents of the other company.

All of this creates a window of vulnerability for a company that is in the
midst of a merger, and it is imperative that C-level executives recognize
that it’s their responsibility to create a deal framework that protects the
safety of customer and employee data.

This article includes a prepared checklist of considerations for companies
in transactions who want to ensure that data they share as part of due
diligence doesn’t end up in the wrong hands.

Start by identifying the data: Personal data usually involves two
categories: inside information on employees and outside relationships with
customers, clients and vendors.

Employee data may include Social Security numbers, health information,
compensation, dates of birth, names and addresses, evaluations and
identifying information about family members. All this information is
useful in identity theft and some of it, if released, is potentially
embarrassing.

For customers and vendors, information may include credit card numbers that
could be used in identity thefts, as well as contracts, pricing,
intellectual property and similar information from vendors that could
compromise their operations or your business relationship with them.

What’s the law? Once the data is identified, look at what regulations or
laws apply. This often is industry-specific and can involve federal laws,
such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act, HIPAA, the Fair
Credit Reporting Act and state laws. Many industries — financial services
and health care, for example — are governed both by state and federal laws,
and your transactional legal counsel may find it helpful to call on
resources in practice areas that support those industries.

The non-disclosure agreement is only a starting point: The NDA often is too
general to cover the fine points of securing data. Consider identifying the
data that will be shared and setting out the rules for its security.
Remember to check whether federal or state regulations apply to the data
and determine whether provisions should be included as an attachment or
whether a separate agreement between parties receiving data should be
signed. And don’t forget that third-party financial advisers may need to be
part of the agreement.

Who’s in charge? There should be a person on the acquisition team who is in
charge of data security. Ideally, this person is a lawyer who has a working
knowledge of both the technology and the laws that apply to data security
in the relevant industries. In some cases, it may be appropriate to have a
two-person, legal-technical team. This person or team should have direct
access to all first-tier executives and everyone in both organizations
should be informed of their role.

Make sure everyone knows the rules: If the rules surrounding data security
during a merger are a departure from the company’s normal procedures, then
everyone must understand the rules. Otherwise, people will be unsure of
what’s permitted. Put down a framework in writing that says, here’s what we
can do, here’s what we can’t do. If liability issues emerge in the event of
a breach, this document also will affirm that the company took measures to
prevent unauthorized disclosures.

Secure the data room: Companies in mergers often create a virtual “data
room,” a website where they place information that can be shared. This room
must be as secure as a bank vault, with a high level of encryption, clear
rules for who can place information in the room as well as who can access
it. In most cases, there will be levels of security clearance with the most
sensitive information available only to a few people who need it. The data
room should have a log that records who accesses information and when.

There should be rules on whether downloads are permitted and whether access or
downloads are permitted using mobile devices such as laptops and cell
phones. Mobile devices are more vulnerable to theft and hacking, and some
companies limit access through these devices.

Data security is industry-specific: Recognize that each industry has its
own rules and best practices, some of them based on legal and regulatory
requirements. While this may seem obvious, a horizontal combination of
companies creates a situation where the acquiring company may not fully
understand the laws that apply to its target.

Don’t take consent for granted: Consent may or may not be an issue with
employee information. Many companies have employees sign releases at the
front end of their employment that allow information about them to be
released in limited circumstances, such as due diligence in a merger.
Companies may have to obtain consent from employees if these releases have
not already been signed. All companies should have such boilerplate
disclosure permission in employment agreements.

If things go wrong, what’s the plan? Nobody expects a data breach, but they
do happen. Have a crisis plan in place so that you’ll know how to respond
as soon as the breach is identified. This includes addressing the
technology issues and preventing further leaks, notifying the individuals
or companies whose information was compromised, immediately assessing
liability with your legal team and putting into place a crisis public
communications plan that limits damage to the company’s brand.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/