[BreachExchange] How data privacy practices could make or break the sale of your company

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 23 10:21:14 EST 2016


http://www.geekwire.com/2016/data-privacy-practices-make-break-sale-company/

Yahoo’s sale to Verizon could be in jeopardy or severely discounted due to
its recent disclosure about a 2013 data breach. This isn’t just a big
company problem; smaller firms seeking to be acquired also need to be
concerned because privacy violations become a liability that transfers to
the acquiring company regardless of the acquisition size.

Over the last year, data privacy has become a tier-1 consideration for
investors, lawyers, and startup founders alike when trying to sell their
companies.

According to recent reports, fines for violations of data privacy could
equal or exceed $150B USD in the next year. Because of this, data privacy
is already having a considerable impact on M&A valuations, as well as the
indemnifications directors and officers need to provide to execute a sale.

Compliance with data privacy regulations is not easy; in many cases, each
customer must consent to each use of their personal data. They also have
the right to know how companies are using their data, the right to object
to that use, and can request to be forgotten from your company’s systems.
It’s imperative to understand your data privacy risk exposure when
regulators or potential business partners come calling.

The Impact on M&A Valuations

Until roughly a year ago, privacy was, at best, a secondary consideration
in deal valuations. However, as more buyers see customer data as a primary
asset from acquisitions, and better understand their risk exposure from the
target company’s data handling policies, privacy practice assessments have
become an important component of the overall acquisition’s risk assessment
and valuation. The larger the customer base is, the greater the buyer’s
risk exposure from your data privacy practices.

Former Madrona Venture Group Venture Partner and current CEO of Qumulo,
Bill Richter, recently completed a transaction where he had to take out
insurance to indemnify the buyer against any privacy violations the company
may have made.

“When a big company buys a small company there’s asymmetric sensitivity to
data privacy. Giant consumer brands think about privacy in totally
different ways,” he said.

Regulators tend to focus on the “top of the pyramid” in terms of company
size and work their way down to smaller companies. According to Richter,
the only time the top and bottom of the pyramid meet is in an M&A
transaction. This can create massive liability and risk concerns for buyers
and consequently impact valuations.

Deadlines Loom

No matter where your company is headquartered, founders must familiarize
themselves with global privacy regulations.

For example, the European Union’s (E.U.) General Data Protection Regulation
(GDPR) begins enforcement of one of the strictest privacy policies
globally in May 2018, and it’s already becoming the blueprint for other
countries setting data privacy standards. Even if you’re a small company in
the United States, GDPR would apply if you collect information about E.U.
consumers, sell services or ship products there, or even if you have an
E.U.-specific website. In fact, you don’t even need to have a single
employee in the E.U. for GDPR to apply. Penalties for breaches are up to 4
percent of a company’s worldwide revenue – a significant blow to any size
company.

For companies in growth mode, especially startups, careful planning around
data privacy practices could make or break a lucrative sale. Here are some
things you should consider:

Think Globally: Stay on top of privacy regulations in all jurisdictions
that matter to you — or that will in the future — paying close attention to
where and how countries are applying their laws extraterritorially. This
will save time and money down the road.

Value your Data: Marcus Morissette, eBay’s Global Privacy Officer,
recommends that companies first understand whether company data of any sort
will be of value in a transaction. He likens data to plutonium: “It’s very
valuable if you’re running a nuclear reaction, but if you’re not, it’s just
going to make you sick.” If your data is of value, you need to be able to
verify its origination, any past enforcement actions, if there are transfer
clauses, and certify there aren’t any problems that will impact the buyer.

Notice and Consent: Make sure you have notified your customers of how their
data is being used, and consider getting consent as well. With GDPR looming,
express consent is likely to be more important. It’s also necessary to have
a way to track notice to and consent from customers on an ongoing basis.
Your privacy notice should be clearly accessible, accurate, forward-looking
– i.e., broad enough to contemplate future use cases – and address what
happens in the event of a sale or transfer of your business or assets.

Investors are becoming more aware of the significant risk they take on by
acquiring companies that haven’t prioritized privacy and data security.
Kate Lucente, an expert privacy attorney at DLA Piper, says investors are
now more attuned to risks related to how the data is collected, stored and
used internally, as well as to how it can be transferred to an acquiring
company.

She also advises knowing what rights are transferred with the use of that
data, whether all or part of data can be transferred at all, and whether
customers must be notified of transfers in advance – the answers to these
questions vary depending on what your privacy notice says, the type of deal
(e.g., merger or asset sale), and the jurisdictions in scope.

Lucente has seen a deal significantly discounted due to poor record
keeping. In the deal, about 80 percent of the company’s customer base was
in the U.S., and about 10 percent was in the E.U. and Canada (both of which
have stricter privacy laws than the U.S. with respect to the transfer of
personal data in an acquisition). Because the acquisition target couldn’t
document that it had the right privacy practices in place, the deal was
significantly discounted: the acquirer viewed a significant portion of the
customer data as unusable post close.

Prove you Operate with Integrity: As GDPR and similar regulations expand,
we’re likely to see greater audits and even high-profile lawsuits.

Under GDPR, companies are required to notify customers and regulators of a
data breach, the latter of which will most likely trigger an audit of the
company’s privacy policies. Make sure you have a way to prove, in an audit
or lawsuit, that you’re using people’s data in a manner consistent with the
consent you have from them.

Effective data privacy practices are essential to any company’s growth
strategy. And when companies don’t handle their customer or employee
privacy data correctly, it can severely devalue a company or potentially
even kill an M&A transaction entirely.