26 November 2020
The value of data is at an all-time high. Data has been both a driver for and time bomb in M&A transactions across all sectors over recent years, both in more traditional businesses where data is not typically recognised as a core component of the business, and where data is the critical asset.
Despite often representing a significant share of the value of a company, the value of a company’s data and data risk profile is frequently underestimated during the course of an M&A transaction. This creates three key risks:
We consider below how these three risks can be minimised during the sale process. Those that take the time to properly diligence and understand the value of data during an M&A transaction will benefit exponentially long after completion.
Another risk specific to data deals is the proposed amendments to the national security test under the Foreign Acquisitions and Takeovers Act (to commence from January 2021). These amendments will have the effect of allowing the Treasurer to block or impose conditions on investments by foreign persons in ‘sensitive national security businesses’ on national security grounds, irrespective of the value of the investment. ‘Sensitive national security businesses’ that could be caught by this test include:
There is no agreed method for valuing data which poses a challenge to the buyer and the seller when trying to agree it as a component of the purchase price. Negotiations in respect of valuing data will often be complex and protracted.
Focus should therefore be placed on this at an early stage of the process, with specialist input and advice obtained from the parties’ financial advisors to agree the methodology that will be applied to identify the value of the data. This will give all parties a baseline price to work from for the negotiations to follow.
Unauthorised access to or loss of valuable data can cause considerable damage to a business and give rise to litigation and regulatory action. Breach of confidentiality may be alleged by business partners, commercially sensitive data could be exposed to competitors and (in the case of personal information) regulators may commence regulatory action.
The Verizon acquisition of Yahoo in 2017 is often used as a case study for the impact that data security lapses pose on M&A transactions. In July 2016, Verizon announced it intended to acquire Yahoo’s core internet business for US$4.38 billion. As part of the transaction, Verizon would acquire one billion Yahoo users and a wealth of data that Verizon could then use to offer more targeted advertising.
After the sale was announced, but prior to closing, Yahoo disclosed two separate data breaches that occurred in 2014 affecting over 500 million user accounts. Verizon used this as a bargaining chip and lowered its price by US$350 million (or about 7%). The terms of the deal were renegotiated and closing was delayed while the parties assessed the impact the breaches would have on Yahoo’s reputation. The parties revised the terms of the sale to work out the split of future liability and costs arising from the breaches. Verizon agreed to share with Yahoo any liability which may arise from investigations into the data breaches and any resultant third party litigation; however, Yahoo remained responsible for liabilities from shareholder lawsuits and investigations by the US Securities and Exchange Commission (SEC).
The Verizon acquisition of Yahoo shines a spotlight on the importance of proper scrutiny of a target during a sale process to flush out issues which can then be dealt with commercially between the parties. If Verizon had only discovered the breaches post-closing, this story would likely have had a very different outcome.
Pursuing a traditional approach of surface legal due diligence only and a stand-alone IT report with no collaboration between advisors and commercial teams could cause a buyer to fail to identify significant risks related to the data assets of the target, and potentially undermine the transaction as a whole.
There is often a significant time lag between when a data attack occurs and when it is discovered. For example, a 2019 IBM Security study found that the global average time taken to identify and contain a breach was 279 days. The time period can also be significantly longer, for example:
This time lag means proper scrutiny during the due diligence process of each of the key points of value and the vulnerabilities associated with data is paramount. Due diligence questions asking the target about data breaches which the target is unaware of will not elicit meaningful answers. Technical due diligence in relation to the cyber security practices of the target (including penetration testing) can assist to identify potential issues.
Proper due diligence is the best weapon in the parties’ arsenal for addressing the risk around timely identification of liabilities. Legal teams need to work with technical advisors and commercial teams to sufficiently understand the target’s data assets, including the manner in which the data is collected, stored, secured, used, disclosed and destroyed, and the data governance measures that are implemented around those processes.
We also recommend that a broker is engaged to assess the insurance coverage of a target, in particular that it has robust cyber and business continuity coverage for all relevant periods and to assess any limitations on when a claim can be made, noting the often significant time lag between when a breach occurs and when it is discovered. A broker can also assess the impact of a buyer replacing the current insurance arrangements of the target with those of the buyer.
If the parties are considering obtaining W&I insurance, underwriters will expect a stand-alone cyber risk policy to be in place to cover cyber risks (including data breach or malware attack), as well as data protection and privacy compliance, and accordingly such areas are often exclusions to the W&I policy. However, subject to underwriting, in certain circumstances W&I insurers may restrict exclusions to sit in excess of existing insurances on a no ‘difference in cover’ basis.
The particular risks presented by data assets could also be addressed with specific indemnities in the sale agreement.
If an issue has arisen during due diligence that the parties are struggling to quantify (the outcome of which is not certain or the parties are not even sure if it is a ‘real issue’ at the time of signing), a specific indemnity can be included in the sale agreement such that if any liability arises during the claim period the buyer can look to claim the amount of any loss from the seller dollar-for-dollar.
The key risk with this approach from the buyer’s perspective is ensuring the seller has the funds for the claim period, again noting the high quantum of fines associated with data breaches and the period of time between attack and discovery. However, this still provides a level of comfort for a buyer.
If the nature or quantum of a claim is uncertain, this can be a better position for a seller than, for example, taking a price chip on a hypothetical.
Parties can also consider including a holdback or escrow mechanism such that a certain amount of cash from the purchase price is withheld from the seller and can be drawn on by the buyer in the event certain facts trigger release of the cash.
This removes the risk to the buyer that the seller will not have the cash to pay up in the event of an indemnity claim. However, holdbacks and escrow are typically for a shorter period than a specific indemnity and for a much smaller amount. For these reasons, holdbacks and escrow may be preferable to an indemnity regime from a seller’s perspective.
The sale agreement should include robust warranties tailored to the data and information assets of the business (including in relation to cybersecurity). Boilerplate warranties that are not subject to review are not appropriate, and the specialist teams (legal, commercial and technical) should all work together to ensure proper coverage.
As data protection regimes expand to keep up with industry and public concerns, the buyer needs to gain comfort through a robust set of data warranties that the target’s prior handling of data complies with all applicable laws. Sellers are typically expected to provide warranties as to data protection compliance, which will include providing details of adequately documented and implemented measures together (where relevant) with terms for data migration at completion. If the target includes a dataset gathered and stored in numerous countries, the warranties will need to confirm compliance with the relevant data laws in each of those countries.
As buyers will be aware, a claim can only be made for a breach of warranty that the buyer becomes aware of post-closing (i.e. warranties are not appropriate to address any issues that have been disclosed to the buyer as part of the due diligence process). This again stresses the importance of having proper due diligence with experts reviewing the information who are skilled at identifying risks and liabilities. Similarly, from a seller’s perspective, it should work with its advisors to fully disclose against warranties and thereby prevent a claim being made.
The parties should also consider a transitional services agreement and what arrangements may be required for data separation following completion to allow for integration and ensure business continuity. Negotiations in respect of such arrangements will often be complex and can become protracted.
A focus on these requirements, with specialist input, should therefore be given at an early stage of the process, enabling the parties to establish what specifically is required and whether the proposed arrangements and separation can be achieved and the costs of attending to such measures.
We recognised a recurring theme in M&A where the value of a company’s data and data risk profile was often underestimated during M&A transactions, giving rise to the three key risks identified above.
In response, Corrs has established Corrs Cyber, a unique coordinated legal, forensic and cyber approach to conducting cyber due diligence and advising on cyber resilience planning, investigations into cyber incidents (using our in-house IT forensic experts), dispute resolution with IT service providers, regulatory engagement and enforcement action.