In order to keep a merger or an acquisition moving forward without stalling or—even worse—collapsing altogether, it is important for businesses and their legal counsel to keep privacy and cybersecurity top of mind.
Some key considerations include the following:
- If a target company cannot collect and deploy data consistent with data privacy laws, there may be flaws in the premise for the deal or the business model itself.
- Failure by a target company to meet its data privacy and security obligations can be a major risk for the acquiring company.
- The transfer and sharing of data in connection with diligence and after the transaction may in itself violate data privacy laws.
Additionally, in terms of the status of data privacy laws in the United States and United Kingdom, there are some conflicting views.
- Some see the fact there is no all-encompassing data privacy or cybersecurity statute in the United States as an opportunity for companies to continue operating more freely.
- However, others look at this as an area of confusion given that there are varying bodies—state attorneys general, federal agencies, etc.—trying to address data security in their own ways.
- In Europe, the General Data Protection Regulation applies the desired structure for some, but for others the rules are too complicated.
This presentation was part of the Morgan Lewis M&A Academy webinar series. We invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.