()

It remains to be seen whether Yahoo Inc.’s recently-revealed data breaches will nix its sale to Verizon Communications Inc. But whatever happens, M&A lawyers say the Yahoo-Verizon deal illustrates the increasing importance of addressing the risk of a data breach when negotiating an acquisition.

It didn’t’ take long for the $4.8 billion acquisition, announced in July, to get thrown into question. In September, Yahoo confirmed that a 2014 hack impacted at least 500 million customer email accounts. And on Dec. 14, Yahoo admitted that it had suffered yet another breach in 2013, this time affecting more than one billion user accounts, leading to reports that Verizon might be looking to back out of the deal, negotiate a lower price or have Yahoo assume responsibility for lasting damage caused by the hack. Verizon has said it is evaluating the situation and “will review the impact of this new development before reaching any final conclusions,” Bloomberg reported.

The risk of a data breach is taking on a bigger role in M&A agreements, says James Abbott, a partner at Seward & Kissel. “We are now seeing in purchase agreements more-specific representations about data security, compliance with privacy laws and data breaches and hacks,” he says. “Counsel and companies are going to focus on it more because it’s a scenario that brings more risk.”

In fact, the entire M&A process is showing signs that data security is a priority, says Brandon Robinson, a partner in Balch & Bingham’s Birmingham, Alabama, office. “What you’re seeing is cybersecurity and privacy is increasingly being addressed in the M&A process,” he says. “And it’s a combination of due diligence and representations and warranties that address that.”

While Robinson says it’s hard to make blanket statements about these deals, there are generally some key areas of risk that should be dealt with, either by asking a target company or including it in the deal. For starters, the incident history should be looked at to see if there have been previous data breaches and how they were dealt with, he explains.

Contractual liability related to vendor management should also be considered, says Robinson. “You want some sort of assessment of the company’s vendor management because that’s a key area where data breaches often reside,” he says.

Regulatory compliance should additionally be examined, Robinson says, to see where a target company might fall short of legal obligations. This goes hand in hand with looking at the privacy representations that were made to consumers when it comes to data being collected, he adds.

The deal itself also might include statements from the seller to address the risk of a breach, says David Czarnecki, senior attorney at firm Morse, Barnes-Brown & Pendleton. “There may be specific statements that there is not a breach or a knowledge qualifier” to say there are no known breaches and/or vulnerabilities, he says. “There is a whole section that is added to agreements now that deals with data privacy and security. Or at least there should be and [these statements] should be considered.”

In the Verizon deal with Yahoo, there are, in fact, a number of knowledge qualifiers related to data security, according to a proxy statement filed by Yahoo with the U.S. Securities and Exchange Commission on Sept. 9. One, for instance, says to Yahoo’s knowledge, there have been no third-party claims of a security breach. Another reads that if there has been a failure to implement proper policies related to privacy and data security, any theft or unauthorized access is not reasonably expected to have a “Business Material Adverse Effect.”

A material adverse effect may be Verizon’s way out of the deal, if it can be shown. Though this a pretty high threshold, says Abbott. “When something significantly negative happens between signing and closing, you always have the possibility that the acquiring company will want out of the deal,” he says. “This revolves around a materially adverse effect. But that’s a really high standard, so it’s often a bluff.”

Indeed, pursuing the possibility of using a material adverse effect clause may be a strategy to cut the cost of the deal, says Jeffrey Gordon, a Richard Paul Richman professor of law at Columbia Law School. “If revelation of the prior hack had a ‘Business Material Adverse Effect,’ this could give Verizon the right to terminate the transaction,” he says. “Although these things are hotly contested. More likely, Verizon would have some leverage to renegotiate the price.”

It remains to be seen whether Yahoo Inc. ‘s recently-revealed data breaches will nix its sale to Verizon Communications Inc. But whatever happens, M&A lawyers say the Yahoo-Verizon deal illustrates the increasing importance of addressing the risk of a data breach when negotiating an acquisition.

It didn’t’ take long for the $4.8 billion acquisition, announced in July, to get thrown into question. In September, Yahoo confirmed that a 2014 hack impacted at least 500 million customer email accounts. And on Dec. 14, Yahoo admitted that it had suffered yet another breach in 2013, this time affecting more than one billion user accounts, leading to reports that Verizon might be looking to back out of the deal, negotiate a lower price or have Yahoo assume responsibility for lasting damage caused by the hack. Verizon has said it is evaluating the situation and “will review the impact of this new development before reaching any final conclusions,” Bloomberg reported.

The risk of a data breach is taking on a bigger role in M&A agreements, says James Abbott, a partner at Seward & Kissel . “We are now seeing in purchase agreements more-specific representations about data security, compliance with privacy laws and data breaches and hacks,” he says. “Counsel and companies are going to focus on it more because it’s a scenario that brings more risk.”

In fact, the entire M&A process is showing signs that data security is a priority, says Brandon Robinson, a partner in Balch & Bingham ‘s Birmingham, Alabama, office. “What you’re seeing is cybersecurity and privacy is increasingly being addressed in the M&A process,” he says. “And it’s a combination of due diligence and representations and warranties that address that.”

While Robinson says it’s hard to make blanket statements about these deals, there are generally some key areas of risk that should be dealt with, either by asking a target company or including it in the deal. For starters, the incident history should be looked at to see if there have been previous data breaches and how they were dealt with, he explains.

Contractual liability related to vendor management should also be considered, says Robinson. “You want some sort of assessment of the company’s vendor management because that’s a key area where data breaches often reside,” he says.

Regulatory compliance should additionally be examined, Robinson says, to see where a target company might fall short of legal obligations. This goes hand in hand with looking at the privacy representations that were made to consumers when it comes to data being collected, he adds.

The deal itself also might include statements from the seller to address the risk of a breach, says David Czarnecki, senior attorney at firm Morse, Barnes-Brown & Pendleton. “There may be specific statements that there is not a breach or a knowledge qualifier” to say there are no known breaches and/or vulnerabilities, he says. “There is a whole section that is added to agreements now that deals with data privacy and security. Or at least there should be and [these statements] should be considered.”

In the Verizon deal with Yahoo, there are, in fact, a number of knowledge qualifiers related to data security, according to a proxy statement filed by Yahoo with the U.S. Securities and Exchange Commission on Sept. 9. One, for instance, says to Yahoo’s knowledge, there have been no third-party claims of a security breach. Another reads that if there has been a failure to implement proper policies related to privacy and data security, any theft or unauthorized access is not reasonably expected to have a “Business Material Adverse Effect.”

A material adverse effect may be Verizon’s way out of the deal, if it can be shown. Though this a pretty high threshold, says Abbott. “When something significantly negative happens between signing and closing, you always have the possibility that the acquiring company will want out of the deal,” he says. “This revolves around a materially adverse effect. But that’s a really high standard, so it’s often a bluff.”

Indeed, pursuing the possibility of using a material adverse effect clause may be a strategy to cut the cost of the deal, says Jeffrey Gordon, a Richard Paul Richman professor of law at Columbia Law School. “If revelation of the prior hack had a ‘Business Material Adverse Effect,’ this could give Verizon the right to terminate the transaction,” he says. “Although these things are hotly contested. More likely, Verizon would have some leverage to renegotiate the price.”