Data due diligence in M&A deals
Early last year, when Facebook announced plans to acquire messaging app WhatsApp, the Federal Trade Commission’s (FTC) consumer protection bureau stepped in to warn both companies about potential data privacy infringements that could result from the merger. In a letter, bureau director Jessica Rich reminded them about their promise to consumers that after the acquisition WhatsApp would continue to uphold its pre-merger privacy practices.
Invoking Section 5 of the FTC Act, Rich said if the acquisition was completed and WhatsApp failed to honor these practices, both firms could be in violation of not only Section 5 but also possibly the FTC’s order against Facebook for previous broken promises to customers on data privacy. While Section 5 is better known for its unfair competition safeguards, it also offers protection from unfair or deceptive practices affecting commerce, including representations/omissions likely to mislead consumers.
Although data has become ‘the lifeblood of organizations now, it’s rare in big M&A transactions for there to be significant due diligence on data-related issues in the way companies typically conduct due diligence on employees, litigation or other potential liabilities,’ says Lisa Sotto, chair of the global privacy and cyber-security practice group at Hunton & Williams. She finds this odd given the immense value of the assets in many cases.
A company has to conduct the appropriate due diligence to be able ‘to know what information the company being acquired collects, what permissions were given [by the target’s customers], and how that data is stored,’ Sotto says. ‘Has there been an event where there’s been material non-compliance with privacy or data security law? Is there a consent order – a settlement with the FTC – in place? Are there any individual lawsuits with consumers or employees with respect to the use of data?’
Monitoring vs privacy
One reason Facebook’s proposed acquisition of WhatsApp was on the FTC’s radar is that Facebook has a consent order from settling charges that it deceived customers by failing to uphold its privacy promises in 2011. One of several actions the social networking company was required to take as part of the settlement was to fulfill its promise to give consumers ‘clear and prominent notice’ and get their ‘express consent’ before their information is shared beyond the privacy setting they have selected.
The first step in conducting due diligence on data assets is understanding the privacy requirements of the industry the target company is in and the geographic region where it is domiciled, says Michael Pace, co-leader of FTI Consulting’s global risk and investigations practice and senior managing director of its forensic litigation consulting unit. An industry such as healthcare, for example, has enormous privacy restrictions due to the sensitivity of customers’ personal data.
In the defense industry, an acquirer needs to know whether a target firm monitors its employees, Pace says. Defense contractors that perhaps have Chinese nationals working for them are obliged to investigate if they receive information that certain of their intellectual property or technology assets may have fallen into the hands of the Chinese military or the Chinese government, he explains. That investigation typically would include employee monitoring.
‘One challenge is that different countries have different laws and regulations regarding the level of monitoring you can do,’ Pace adds. ‘So one needs to understand whether a target company is doing monitoring and whether [that monitoring] is permissible under the law. It gets complicated because you could have a company operation in a country that prohibits employee monitoring when the monitoring’s being done from a country where employee monitoring is permissible. Where does that fall in the spectrum?’
For what it’s worth
An acquiring company’s due diligence must include examining the target company’s customer onboarding process, ‘looking for any point where there would be confusion about what was being done with the data and how it was being obtained,’ says Daragh O’Brien, managing director of Castlebridge Associates, a data quality, privacy and governance consulting firm based in Dublin.
‘If you are mining data from someone’s cell phone through an app, there would have to be some disclosure of that under EU law. And if you have that data and you haven’t disclosed it, you haven’t got consent for that [process] so that data has not been obtained lawfully and therefore technically can’t be used. It could be a valueless asset unless the acquiring company is willing to spend some money to retrospectively get the permissions for it.’
Any constraint on a company’s ability to process data can affect the real value of the data assets bought when acquiring another firm, especially when regulators in some jurisdictions are authorized to order the deletion of unfairly obtained data, O’Brien says. That’s exactly what the Office of the Irish Data Protection Commissioner has done in the past in lieu of a fine and it has a much swifter impact on the viability of a business than financial penalties would have, he adds.
The need for bulletproof due diligence may be even more compelling when a merger involves a company in a foreign jurisdiction known for having strict data privacy regulations, such as Europe or Argentina. Under European privacy laws, if the target company has not gathered the data in compliance with local privacy law (or in the US, under Section 5 of the FTC Act), ‘that data could be worthless. It might not be worth the trouble of transferring it from one jurisdiction to another,’ says O’Brien.
Boards need to be focusing on issues like this because they potentially present significant business risks, says Sotto – and Pace agrees. He sees board involvement in due diligence as a balancing act between, on the one hand, the granular work the technologists do and, on the other, the oversight required to be confident that a target company or joint venture partner has the proper cyber-related policies and procedures to protect the enterprise.
That boils down to the board asking the right questions of the people either operating the business or those who are responsible for structuring the deal. Data due diligence is not that different from the board’s responsibility regarding other M&A areas such as the target company’s financial reporting, other non-technology controls and the state of its global compliance program, Pace notes.
The board should certainly play a role in the selection and hiring of outside counsel familiar with a foreign jurisdiction where a company expects data privacy compliance issues to arise, says Oral Pottinger, a director at Huron Legal. The outside counsel’s primary role would be to help smooth the way for any data transfers that need to take place.
Pepco Holdings, whose acquisition by Exelon has been thwarted for now by the DC Public Service Commission, signed its merger agreement with the energy company in April 2014, by which time Exelon had presumably completed its due diligence process. The acquirer’s board will typically ask to ensure any representations the target firm has made to the acquirer about its business and assets haven’t changed between the time it made them and the closing date, says Jane Storero, vice president of corporate governance and assistant secretary at Pepco. ‘As long as that’s true, it’s the acquirer’s responsibility to ensure any data assets it’s buying can be used.’
Pepco has some data assets such as CEO Online, a program that enables its commercial customers to manage their energy load data online to make more informed energy management decisions and better manage their energy costs. ‘But the vast majority of a utility’s assets are the power lines, substations and hard physical assets,’ Storero says. ‘Data assets are a relatively small portion.’
Consequently, she says Pepco’s merger agreement doesn’t get into such granular detail about CEO Online. ‘The representations and warranties in a merger agreement are broader and more global,’ she explains. ‘They don’t get down to those kind of specifics, at least not in utility mergers, though it may be true if you’re buying something like Facebook or Google, where assets are very data-based.’
At a time when more and more companies are being enticed by the promise of Big Data analytics, hoping to drive higher profits by unlocking more effective ways to market products and services to customers, M&A deals involving data assets cannot help but become more complicated and fraught with risk.
Sotto believes boards are not as well educated about privacy issues as they should be even though privacy issues could impose significant constraints on a company’s business. ‘In the course of due diligence, there should be a panoply of questions asked about the [target’s] data and any compliance obligations,’ she says. ‘If the answers do not clearly allow the acquiring company’s intended future uses of data, that should be a red flag. And this could have a very significant financial impact. If you’re buying a company largely for its customer list and you can’t use that list following the acquisition, the purchase is for naught.’
Given how routine it’s become for boards to be hit with shareholder lawsuits over the terms of M&A deals, it’s interesting that the ever-opportunistic plaintiffs bar has not yet smelled blood when it comes to deficient due diligence of a target’s data assets. There may not be much for plaintiffs’ lawyers to base such a case on, however, if an acquiring company, despite not being aware of the constraints on the target’s data at the time of closing, is able to manage those constraints in a way that will prove to be not material to it, Sotto notes.
One key challenge with aggregated data, no matter what uses a company contemplates for it, is whether or not it’s possible for an individual to be singled out within the dataset. That would raise potential privacy issues that need to be addressed, O’Brien warns. ‘That may require the acquiring company to do a risk management [assessment] on how it would communicate those new purposes to the customers and get any renewed or additional consent it requires,’ he points out. The alternative, he adds, would be to gauge whether the acquirer can achieve its objectives with anonymized data or aggregated data that doesn’t identify individuals.
The latter option is more challenging than it might at first seem. O’Brien cites a 2007 research study at the University of Texas at Austin that found Netflix users could be identified based on ratings they gave to a handful of movies they watched, without there being any other identifying data about them. ‘So using enough data, statistically it becomes easy to identify individuals based on their patterns, and that’s something acquiring companies, when they’re [proposing] a new use or new purpose for data, need to be planning for [in terms of] how they’re going to engage customers,’ he says.
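The question O’Brien raises, whether an individual can be singled out within a dataset once direct identifiers are removed, can be checked mechanically before an acquirer commits to a new use of the data. The following added example (written for this page; it is not code from Castlebridge Associates, the Netflix study or anyone quoted above) builds a small constructed table of pseudonymised viewer ratings, measures how many records become unique as more rating columns are combined (the k-anonymity view of the re-identification risk the article describes), and shows the aggregated-with-suppression alternative in which small cells are withheld so no individual can be picked out. The record layout, movie labels and the threshold value are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real viewers): direct identifiers such as names
# have already been stripped; "user" is an opaque pseudonym. Ratings for a few
# titles (M1..M3) are the quasi-identifiers an analyst could combine.
SAMPLE_RATINGS = [
    {"user": "u01", "M1": 5, "M2": 3, "M3": 4},
    {"user": "u02", "M1": 5, "M2": 3, "M3": 2},
    {"user": "u03", "M1": 5, "M2": 1, "M3": 4},
    {"user": "u04", "M1": 4, "M2": 3, "M3": 4},
    {"user": "u05", "M1": 4, "M2": 3, "M3": 4},  # deliberately identical to u04
    {"user": "u06", "M1": 4, "M2": 1, "M3": 2},
    {"user": "u07", "M1": 3, "M2": 1, "M3": 2},
    {"user": "u08", "M1": 3, "M2": 3, "M3": 4},
]


def equivalence_classes(records, attrs):
    """Group records by the tuple of values they carry for the given attributes.

    Each group is an "equivalence class": every record in it looks the same to
    someone who only knows those attribute values.
    """
    classes = defaultdict(list)
    for rec in records:
        key = tuple(rec.get(a) for a in attrs)
        classes[key].append(rec["user"])
    return dict(classes)


def k_anonymity(records, attrs):
    """Smallest equivalence class size: k == 1 means at least one person is unique."""
    return min(len(members) for members in equivalence_classes(records, attrs).values())


def singling_out_rate(records, attrs):
    """Fraction of records that are the only member of their equivalence class."""
    classes = equivalence_classes(records, attrs)
    singled = sum(1 for members in classes.values() if len(members) == 1)
    return singled / len(records)


def aggregate_with_suppression(records, attr, min_count=5):
    """Count records per value of one attribute, withholding cells below min_count.

    This is the "aggregated data that doesn't identify individuals" route: a
    cell of size 1 or 2 would itself single people out, so it is reported as
    None instead of a number. The threshold is an assumed policy value.
    """
    counts = defaultdict(int)
    for rec in records:
        counts[rec[attr]] += 1
    return {value: (n if n >= min_count else None) for value, n in counts.items()}


def risk_report(records, attrs):
    """Show how uniqueness grows as more quasi-identifiers are combined."""
    rows = []
    for width in range(1, len(attrs) + 1):
        subset = attrs[:width]
        rows.append((subset, k_anonymity(records, subset), singling_out_rate(records, subset)))
    return rows


if __name__ == "__main__":
    for subset, k, rate in risk_report(SAMPLE_RATINGS, ["M1", "M2", "M3"]):
        print(f"attrs={subset} k={k} singled_out={rate:.0%}")
    print("suppressed M1 counts:", aggregate_with_suppression(SAMPLE_RATINGS, "M1", min_count=3))
```

With a single rating column every viewer shares a value with at least one other (k = 2, nobody singled out); with all three columns six of the eight records are unique, which is the pattern the Netflix study found at scale. The suppressed count table, by contrast, exposes only cell totals, and any cell too small to hide its members is withheld rather than published.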
‘That’s almost separate from the due diligence process. It’s down to the data governance process of the acquiring company, and what it does to fulfill its obligations under the privacy laws in the various jurisdictions it’s going to be operating in. Big Data is the shiny BMX bicycle of the data world, and if you don’t treat it with respect, somebody’s going to take that toy away from you.’
This article was published in the fall 2015 print issue of Corporate Secretary magazine.