S12 | MONDAY, JUNE 5, 2017 | Cybersecurity | NYLJ.COM
Diligence
« Continued from page S8
trial pursuant to consent forms signed by the study participants, and those consent forms say that the PII collected will only be used to perform the study and for no other purpose, then a buyer needs to understand that it may be limited in its ability to use the PII for other purposes, like for an unrelated research study.
The example that the FTC made of Facebook and WhatsApp illustrates some of these concerns. In 2014, the FTC notified Facebook and WhatsApp about their obligation to protect the privacy of their users in light of Facebook’s then-proposed acquisition of WhatsApp. WhatsApp had made clear privacy promises to consumers, and both companies had told consumers that after the acquisition they would continue the current privacy practices of WhatsApp. The FTC warned that, if WhatsApp failed to honor these promises after the transaction, both companies could be in violation of §5 of the FTC Act for deceptive trade practices. So, before making material changes to how they use data collected from WhatsApp subscribers prior to closing, the FTC said that the companies must get affirmative consent from the subscribers. And, for changes that would only apply to subscriber data collected after the closing, the FTC said that subscribers should be given the opportunity to opt out of such prospective changes.
Conducting privacy due diligence can give buyers confidence that information assets can be used in the ways they expect post-closing, and that the continuation of seller privacy practices will not result in regulatory fines or penalties.
Considerations in Conducting Due Diligence
It is important that technical diligence be conducted on the target’s cybersecurity protocols to reveal vulnerabilities that could require the buyer to make significant expenditures. Often external security consultants are engaged by the buyer to conduct such technical diligence. But conducting privacy and cybersecurity diligence is not just an IT issue—it must include legal diligence review.
For both the technical and the legal review, the first step is to get a lay of the land. The buyer needs to understand the target’s most important information assets and systems. The target should be able to explain this easily to the buyer, because companies with sophisticated data protection programs will have completed an inventory. An initial meeting to walk through basic questions will give the buyer a good idea of how seriously the seller has taken privacy and security concerns. It is a red flag for the buyer if a target is not able to readily identify its most important and/or sensitive information and systems, and the administrative, physical, and technical controls employed to safeguard them. Some basic diligence requests that the buyer should make include:
• Provide a copy of any data inventory conducted by the target that identifies critical information assets of the company (including PII), where the information resides, and the flows of the information into and out of the organization, and within the organization.
• What are the most concerning threats to the security of information for the organization?
• Provide copies of any internal and external audit reports of the security of the seller’s systems. If auditors made recommendations to the organization, what is the status of implementing those recommendations?
• Does the company have comprehensive information security policies and procedures that include breach response, data retention, and disaster recovery?
• Have there been prior security incidents? How severe were these incidents? What was the company’s response to the incidents?
In order to evaluate privacy and security risks, buyers need to understand if the company is subject to a regulatory or self-regulatory framework. If so, the applicable regulations or self-regulatory framework will form the basis for privacy and security efforts. In conducting diligence, buyers should request:
• List the mandatory privacy and security compliance frameworks applicable to the business (e.g., Payment Card Industry (PCI) data security standards, HIPAA, online behavioral advertising self-regulatory principles, NERC-CIP, Privacy Shield, Gramm Leach Bliley, etc.).
• Provide copies of policies and procedures designed to address the requirements of such compliance frameworks.
• Has the seller ever received a complaint, inquiry, or notice of an investigation or complaint from a third party (including the FTC, OCR, payment card companies, data protection authorities, or state attorneys general)?
• Is there or has there been any litigation or claim against seller regarding seller’s privacy or security practices?
Companies with mature privacy and security programs will have boards of directors who are involved in data protection decision-making. Some diligence questions to ask are:
• Who within your organization is responsible for cybersecurity? Who within your organization is responsible for privacy?
• Describe board oversight of cybersecurity and data privacy.
• Have directors and executives participated in cybersecurity and privacy training?
• Provide copies of any reports to the board regarding the organization’s cybersecurity and privacy programs.
Employees are a critical element of a successful data protection defense. First, employees often are the entry point for external hackers when employees fall for scams and open infected attachments in phishing emails from hackers, or distribute W-2 forms to malicious actors pretending to be someone they are not. Second, employees themselves can be the thieves. So, due diligence should include questions like the following:
• How are employees trained and how often? What does the company do to create a culture of privacy and security awareness all year long?
• How do employees report privacy and security incidents?
• Does the company conduct background checks on employees?
• Does the company immediately cut off employee access to company systems upon termination?
Vendors are a popular attack vector for hackers. Some of the most publicized cyberattacks, including the Target attack, involved vendor access to company systems. It is important to understand the extent to which the target company shares sensitive information with vendors, the extent to which vendor systems are linked to the company’s systems, and the extent to which the company has evaluated the risks associated with third parties that have access to confidential and/or sensitive company information. Finally, reviewing agreements with vendors of the company, and agreements where the company itself is acting as a vendor, is key. Buyers must understand the extent to which vendors will be obligated to indemnify them for breach costs post-closing and whether vendor contracts comply with regulatory requirements applicable to the company. Further, buyers will want to understand the contractual commitments in the customer contracts that they assume. Companies should ask:
• How are vendors evaluated?
• Provide copies of any reports showing the results of vendor audits.
• What vendors have direct access to company systems? Which vendors connect their systems to the company’s systems?
• Is any sensitive data stored by cloud service providers? If so, is that data encrypted? Who holds the encryption keys? Does the cloud provider undergo annual penetration testing and security assessments?
• Provide copies of all agreements with vendors and agreements with customers.
• Has any vendor notified the company of a security incident?
If the buyer is acquiring the stock of the seller, understanding the target’s insurance coverage is very important. Some companies still do not have cyber coverage, or they have coverage that does not cover the real risks of their business. For example, retailers that store credit card data may purchase coverage that does not protect them from PCI-DSS penalties. Having a qualified insurance coverage attorney review the policies of the target is very important.
We regularly hear that privacy and security risks keep executives and general counsels awake at night. Given that companies view a privacy or security breach as one of the most material risks they face, any business a company looks to acquire must be checked carefully for such risks as an integral part of the acquisition diligence, so that the buyer can manage the risks and appropriately value the deal.