Corporate acquisitions are like poker games—players have only limited opportunities to improve their hands before the betting ends. When one company acquires another, whether in a friendly deal, the sale of stock or assets in a Chapter 11 bankruptcy, or a hostile takeover, the result is the same: the acquirer bets on the privacy and security practices of the acquired entity. It not only assumes responsibility for protecting acquired personal information but also liability for any pre-acquisition security breaches. Assessing risks is difficult because often the acquiring company has little opportunity to evaluate the cards it does not see.  It lacks visibility into the target’s cybersecurity protocols and practices. In a friendly transaction, the target will be reluctant to allow any “outsider” to examine its sensitive security secrets; in Chapter 11, time pressures may limit any opportunity for scrutiny; and in a hostile takeover, the acquirer will not have any chance to examine these matters. The result: acquisitions are often consummated with the acquiring company having little knowledge of the target’s privacy and security protocols, the type of data subject to protection, the risks associated with that data, how the target uses the data, or the tools it uses to protect the data.  An acquiring company may be forced to gamble with the cards it has been dealt, and the resulting losses can be significant.

The Gamble—the Potential Cost of Not Being Prepared

Enforcement actions related to information security represent more than 70% (€332,967,397) of the fines issued by EU Data Protection Authorities under GDPR as of June 2020. Similarly, the FTC has entered consent orders—including a $5 billion settlement with Facebook related to cybersecurity deficiencies—and has entered strong remedial orders against numerous other companies. Although the CCPA does not generally support a private right of action for all potential damages, California law gives consumers a right to seek statutory damages for breaches caused by poor security practices. Additionally, there is the ever-present threat of class-action litigation based on federal and state statutes. In short, the stakes for an acquiring company are high.