Think You're Done Your M&A Deal? Not Until You Can Answer These Data Breach Questions
As companies collect and process more data than ever before, they face ever-increasing breach risks, especially during mergers and acquisitions, when firms tend to be at their most vulnerable to cyberattacks.
November 01, 2019 at 01:00 AM
7 minute read
The original version of this story was published on Corporate Counsel
Marriott International Inc.'s disclosure last fall that it had inherited a massive data breach when it merged with Starwood Hotels & Resorts Worldwide in a $13.6 billion deal should've been a wake-up call from the front desk of cybersecurity and due diligence.
But only for those who hit the snooze button as Verizon Communications Inc.'s merger with Yahoo Inc. was thrown into jeopardy in late 2016, when Yahoo revealed that about 500 million of its customer email accounts had been hacked.
The revelation spurred Yahoo to slash $350 million from its acquisition price and led to the resignation of its general counsel, though the merger still happened.
The cyberattacks in the Marriott and Yahoo cases are believed to have occurred in 2014, meaning that it took years for both companies to bring the incidents to light, underscoring the difficulty of determining how and when breaches should be disclosed.
"You see companies struggling with this all the time," noted Ed Ryan, who served as Marriott's general counsel for more than a decade and retired in 2017, before the Starwood breach disclosure.
"The pressure, on the one hand, is to say something right away, because you'll get faulted for not saying something right away even though you didn't know what you should be saying," he said. "But on the other hand, they don't want to go out and publicly say that we've been hacked when they don't really know what happened.
"You could be building a fire where there is no fire," he added.
As companies collect and process more data than ever before, they face ever-increasing breach risks, especially during mergers and acquisitions, when firms tend to be at their most vulnerable to cyberattacks.
To mitigate risk, in-house leaders and executives should be prepared to answer three key questions before and after a breach is suspected during an M&A deal.
|What Are the Potential Risks?
A primary role of the legal department is having a thorough understanding of the nature and volume of regulated or sensitive data that will be flowing into the company, according to Brian Vecci, the field chief technology officer for New York-based software company Varonis Systems.
"Most companies don't really understand the risks that they're undertaking, which is why these data breaches take them by surprise," he said.
Vecci added the "really smart companies are doing detailed air-gap risk assessments of the systems and data of an acquisition target before they ever connect any devices to their network."
Risk assessments also should include consideration of how often a target company is reviewing the security of its data and, of course, whether it has experienced a prior breach or regulatory incident. If questions or doubts arise, the acquiring company might want to establish a reserve fund in case there's litigation.
Companies also need to look within and fully consider the potential insider threats that they face during M&A deals.
"There are lots of moving parts and you lose a lot of visibility. And there are lots of opportunities for insiders to walk off with data, to walk off with valuable information, or just to cause havoc," Vecci said. "We see that kind of thing happening more and more."
|When Did the Breach Occur?
Regulators at the state and federal levels are placing more emphasis on when a company confirmed the existence of a data breach, according to former federal cybercrime prosecutor Mark Krotoski, now a partner at Morgan, Lewis & Bockius.
Krotoski, whose specialties include cybersecurity and privacy, added the timeliness of a breach notification also "has become more of an issue with regulators over the last several years."
"That is something that is paramount now," he added.
Making matters more difficult: Notification requirements and deadlines vary by state. Colorado and Florida, for instance, have a 30-day notification period for residents. Other states have a 45-day deadline, including Arizona, Maryland, New Mexico, Ohio, Oregon, Rhode Island and Vermont. In Delaware, Louisiana and South Dakota, the notification period is 60 days.
Other states, including New York, require notification "without unreasonable delay." But if the company falls under the jurisdiction of the New York State Department of Financial Services, which regulates an array of domestic and foreign financial services businesses that are licensed to operate in New York, the notification period is a mere 72 hours.
"You have to manage it [disclosure] by prioritizing which ones have the first deadlines and then hopefully you can learn everything about the incident so you can notify everyone in all the jurisdictions at the same time," Krotoski said.
"This patchwork of standards has become, in my view, unnecessarily complex, cumbersome and costly," he added. "The remedy is uniform standards. And one way of doing that is to have a federal standard that would apply consistently."
|What Was Accessed or Stolen?
Determining what cyberattackers saw and confirming whether they made off with sensitive information is a critical but difficult task that typically requires the help of information technology specialists.
"Sometimes the technical parts of it quickly overwhelm what most lawyers know about breaches and how breaches occur and getting down into the depths of what was stolen and who's affected," said Ryan, the retired Marriott general counsel.
"The crossover between those who are legally trained and those who are technically trained is pretty small. So the law department has to rely a whole lot on the IT department to explain what happened and what was affected," he added. "They have to be able to speak the same language, which is part of the challenge sometimes."
Knowing what data was compromised allows the legal department to determine the scope of potential liability. Some jurisdictions require breach victims to show that the incident resulted in actual harm, not just the potential for harm, Krotoski noted.
"We've had financial services companies that inadvertently sent Excel spreadsheets with taxpayer IDs or Social Security numbers to the wrong email address," he said. "That was an unauthorized disclosure. But if you're able to immediately contain and delete the data and get verification of that, that shows that it was not used and there would be no harm."
As the first anniversary of its breach disclosure approaches, Marriott is banking on the no-harm argument, which has become a go-to defense in data breach litigation, as it seeks the dismissal of a consumer class action lawsuit over the leak of personal information of 383 million guests.
The company argued in a motion filed in September that the plaintiffs had failed to allege or show that hackers misused the data, which includes a trove of credit and debit cards and passport numbers.
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Court of Appeals Clarifies Parental Status
- 2Critical Mass With Law.com’s Amanda Bronstad: Third Circuit Hears Post-Purdue Arguments in Boy Scouts Case, Lead Prosecutor in Tom Girardi Trial Joins Edelson
- 3Standing on Less Shaky Ground: 'Guthrie' Decision Impact on NY Wage and Hour Matters
- 4Lingering Questions at Supreme Court About Climate Change Litigation Need Resolution
- 5The First Amendment on Trial: Factors That Influence Juror Receptivity
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250