Attorneys that practice within the area of Mergers & Acquisitions (fondly, M&A) follow specific guidelines to delineate the parameters of the transaction. With the onslaught of security breaches and privacy concerns, M&A Attorneys need to exercise effective due diligence while preparing clients that are in the position of buyers. In addition, M&A counsel need to include special representations and warranties (reps and warranties) in the definitive acquisition agreement. Lastly, we advise our clients to make a wise decision to consider and purchase cyber insurance.
M&A attorneys counseling buyers should require that the seller provide schedules to the acquisition agreement, listing any history of problems with security protocols, reported security breaches, employee-related security breaches, damages caused by such breaches, and also delineate which laws affect the entity and data mapping as to sources of personal information. The foregoing will then allow specific representations and warranties to be drafted which will cover privacy and data security, data breaches, filing of insurance claims, and organizational safeguards in place.
Moreover, the sellers should attest to compliance with privacy and data security laws and specific requirements regarding sensitive information protection specific to the business being acquired (e.g., HIPAA, PCI, DSS).
Counsel should also consult carefully with clients businesses regarding cyber insurance and evaluate the balance of cost versus risk. Errors and Omissions Insurance, D&O Insurance or Commercial General Liability coverage will not ensure enough coverage (or sometimes result in no coverage) when there is a “cyber loss.”