Data privacy, protection, security policies and procedures have moved squarely into the governance spotlight. Boards of directors and senior management are increasingly focused on data privacy, as are customers, employees and shareholders. And the frequency of high-profile data security incidents emphasizes the necessity of implementing data privacy and security policies and procedures in connection with both the M&A process and the satisfaction of compliance and disclosure obligations.

In 2018, companies have had to come to grips with wide-ranging data protection legislation. The data landscape has changed quickly, and some companies have had to face some very difficult lessons. Many of those lessons have been learned through data security incident disclosures, and regulatory authorities have not failed to notice. Those regulatory authorities are paying increasing attention and are showing a willingness to impose fines approaching record levels. On February 21, 2018, the Securities and Exchange Commission (the “SEC”) issued updated interpretive guidance to assist public companies in preparing disclosure regarding potential cybersecurity risks and incidents.1 As Baker Botts explored here, the European Union’s General Data Protection Regulation (the “GDPR”) went into effect on May 25, 2018, codifying compulsory security practices, disclosure, accountability and transparency obligations for multi-national organizations and companies with operations that touch Europe. Individual states and local municipalities are even flexing regulatory muscle in this space; most recently, the California Consumer Privacy Act of 2018 (the “CCPA”) was signed into law on June 28, 2018, giving California residents broad rights with respect to the nature and use of their personal information by corporations and a private right of action for a data breach.

While regulatory bodies heighten their focus on cybersecurity, public companies are increasingly data breach targets.  In addition to efforts to improve data security practices and to comply with regulatory requirements, there are a number of specific best practices for companies to consider as they engage in M&A activity. 

M&A Due Diligence

Data and the security of data have not always been a standalone consideration in M&A due diligence. Lawyers historically asked a company a series of routine, privacy-related questions, and cybersecurity concerns were often embedded in questions about other risk areas. More recently, significant attention has been paid to the risks associated with data breaches, but less has been known about how best to uncover these risks and liabilities.

As part of its efforts to uncover potential cybersecurity risks or incidents at a target, an acquiring company should direct its focus to the following key areas:

  • IT and data assets: What IT assets, systems, software, platforms, websites and applications exist and are critical to the target?  How is company data stored, and is it encrypted?
  • Governance practices: Who has responsibility for privacy compliance and data security within the company and for overseeing security preparedness? Is there a specifically appointed data protection officer?
  • Security risk management: What is the target’s data security infrastructure? Has the target experienced any interruptions, outages or suspensions of system operations?  Does the target have a comprehensive written security management program and show proof of vulnerability testing? Consider hiring an outside firm to do penetration tests or security audits.
  • Insurance: Does the target have data security insurance coverage? Does the target require vendors to maintain such coverage? 
  • Historic incident or loss experience: Has the target received complaints from customers, employees, contractors or other third parties regarding data privacy and security practices?  Have any such complaints resulted in litigation or other proceedings?
  • Sharing information with third parties:  How does the target vet third party security infrastructure, policies and records?  Does the target ensure audit rights in contracts with third parties?  Has the company assessed its obligations to notify customers and regulators in case of a breach? 

Ultimately, while these examples provide a starting point for appropriate cybersecurity diligence, it is critical that the acquiring company tailor its diligence on data privacy and security matters to the target company. 

Post-Acquisition Integration

A thorough diligence effort focused on data privacy and security matters should be designed to prevent the unfortunate situation in which an acquiring company learns of ongoing data breaches at the target company only after the transaction has closed. Even with heightened awareness and diligence, efforts to uncover cybersecurity weaknesses prior to closing may prove unsuccessful, so organizations should prioritize efforts to learn of any existing breaches during the integration process. Measures should be targeted to the specific risks faced by the target company but may include having the target company adopt the acquiring company’s existing cybersecurity policies, performing a risk assessment to determine the adequacy of the target company’s cybersecurity measures, and implementing training programs to ensure knowledge across the target company’s key personnel.

Finally, companies must remain mindful of key disclosure requirements and ensure that they are responsive to such requirements in an actively changing regulatory landscape. The SEC’s February 2018 guidance recognizes that immediate disclosure of a data security incident may not be appropriate, but also stresses that “an ongoing internal or external investigation which often can be lengthy would not on its own provide a basis for avoiding disclosures.” While this may seem to provide some comfort with respect to the timing of U.S. disclosure requirements, companies must continue to pay close attention to how a breach may impact their filing obligations, including which filings are implicated.  A material data security breach may trigger an obligation to file a Current Report on Form 8-K (including if the issuer has a duty to correct prior disclosure) and should also be evaluated in connection with the preparation of Annual Reports on Form 10-K or 20-F and Quarterly Reports on Form 10-Q.     

While the SEC provides some flexibility in timing disclosure depending on the facts and circumstances of the breach and any related investigation, the GDPR takes a strict approach, requiring disclosure to the relevant European Union authority no later than 72 hours after the data breach is confirmed, a tight timeframe when a company is in the throes of investigating the extent and severity of the issue. Failure to notify authorities or individuals within the deadline may result in significant fines and may subject the company to widespread multi-jurisdictional litigation. Ultimately, in the event of a material data security breach, the GDPR aligns with the SEC guidance in that public disclosure will, sooner rather than later, be necessary.

In order to comply with regulatory requirements and avoid fines or enforcement actions, companies are encouraged to maintain an incident response plan that identifies a response team, key timing factors and a sequence of action items in the event of a breach, to help analyze which notification and disclosure requirements apply. In addition, a well-formulated response plan should include implementing trading blackout periods, when appropriate, while investigations of cybersecurity incidents are pending. The SEC flagged this as an important consideration, noting in its February 2018 guidance that “companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material.”

Data security is key. Companies engaging in M&A are looking for growth and revenue and a data security incident after the fact is a very unwelcome surprise. Data security should be a dynamic area of focus in both the diligence and integration process.  It should be tailored to the target and the risk and should not be taken lightly. Establishing strong practices in each of these areas, as well as regulatory and compliance policies that are regularly updated as regulations evolve, can help prevent or minimize the adverse consequences of a data security breach.  

 1 Available at

2018 A Year in Review: Lessons in Data Protection and Cybersecurity in M&A