Thanks to a really awesome friend forwarding an e-mail from Thomson Routers advertising complementary passes, yesterday I attended The 6th Annual Western M&A Forum. There were several panels during the day (and AWESOME FOOD!), but of course the one I found most interesting was “The Evolving Face Of Risk: Navigating Data Security And Identifying Cyber Liabilities As Part Of The M&A Process” Panel.

TL;DR

If you can already tell that this is going be a “TL;DR” (“Too Long, Didn’t Read”) situation for you, here’s the jist of the advice the panelists had for companies:

• Consider disclosing to customers, even when you don’t have to.
• All companies get breached – be ready.
• Make sure your terms of service and privacy policy align with your actual intended uses of customers’ data.
• Be ready when a potential buyer wants to know who has access to your customers’ data.
• Limit access to your customers’ data to as few people as possible.
• Consider getting a separate Cyber Insurance Policy.

The Evolving Face Of Risk:
Navigating Data Security And Identifying Cyber Liabilities As Part Of The M&A Process

This panel featured:
Moderator:
Gregory Wolski, Partner, Fraud Investigation & Dispute Services, Ernst & Young LLP
Panelists:
Mark Egan, Partner , The StrataFusion Group
Lauri Floresca, Senior Vice President & Partner; Co – Chair, Cyber Liability Team, Woodruff – Sawyer and Co.
Christine E. Lyon, Partner, Morrison & Foerster LLP
Tyler G. Newby, Partner, Fenwick and West LLP

200 Days

Within the first few minutes of the panel, Mark Egan put out some very stark numbers for the audience: on average, 200 days pass between when a company is hacked to when a company realizes that it’s been hacked!

Also within the first few minutes, the panelists explained that most clients fall into two categories: companies looking to preemptively protect, and companies looking to conduct damage control. I personally would prefer to work with the first kind of company, which Mr. Egan explained simply as the client who comes to an attorney and says “I don’t know what I don’t know, come help me”.

“Privacy” v. “Data Security”

Christina Lyon clarified to the audience that “privacy” and “data security” really are two different fields. “Privacy” is really compliance with laws and regulations. “Data Security” is really the means of actually protecting the data.

Breaches

It may be worth it for a company to consider disclosing a breach to customers, even if there is no statutory reason to do so.

Every single panelist agreed: breaches are going to happen. In fact, there are two types of companies: those which have been breached, and those which don’t know they’ve been breached. Awesome 🙂

Once a company has learned that they’ve been breached, Greg Woolsky explained that their next step is wanting to determine what they need to disclose. That need is entirely dependent upon the applicable regulations in the area. If, for instance, names and addresses are released, there may be different notification requirements dependent upon the state in which the breach occurred. There might be certain data that, depending upon where the breach occurred, the company may not have to notify the breached parties at all. However, as Christine Lyon mentioned, it may be worth it for a company to consider (with their legal team) disclosing a breach to customers, even if there is no statutory reason to do so.

Due Diligence

Often, during mergers and acquisitions, buyers will ask sellers “Which 3rd parties have access to your data?” and the seller really has no idea.

Taylor Newby reminded companies that, during a merger or acquisition, they’re often going to need to do a full forensic analysis, just like the company has to do when a breach has occurred. And while it can be helpful for companies to regularly check on their breach policies and ensure that their security is in tact, Christine Lyon cautioned companies that those policy reviews/evaluations could be problematic during litigation. Other panel members proposed that if the reviews/evaluations were done at the direction of counsel, then those reviews/evaluations might be protected by privilege. Otherwise, likely not.

Christine Lyon added that, when a buyer is looking to buy a company, when conducting due diligence the buyer should be sure to look into what promises he seller has made to customers about data usage. For instance, if the seller has advertised having “top of the line” security protections on customers’ data, the buyer will be potentially subject to additional liability as a result of the seller’s promise.

The panelists all discussed that often, during mergers and acquisitions, buyers will ask sellers “Which 3rd parties have access to your data?” and the seller really has no idea (or thinks that no one does and due diligence shows that the seller has a cloud provider, an outside Human Resources Department, that the seller keeps credit card information on file, etc.).

Reality Check: Terms of Service and Privacy Policies

If you’re ever going to want to enter into an M&A transaction, make sure your customers know that the new company will have access to customers’ data.

Tyler Newby noted that some sellers will fail to include the paragraph in their Terms of Service or Privacy Policy that says that the company can sell users’ data as part of a merger/acquisition. (Example below):

“If we undertake a business transition, such as a merger, acquisition by another company, sale of all or a portion of our assets, bankruptcy, reorganization or sale of assets, your information may be sold or transferred as part of that transaction.  You will be notified via email of any such change in ownership or control of personal information.” Basis Privacy Policy, last updated Dec. 1, 2014

When sellers failed to include that paragraph, they cannot cheat and just change the policy right before they sell the company, even if there is another clause in the policy saying that the policy can change at any time (consider this especially harsh version of that type of paragraph):

“Occasionally we may, in our discretion, make changes to the Agreements. When we make material changes to the Agreements, we’ll provide you with prominent notice as appropriate under the circumstances, e.g., by displaying a prominent notice within the Service or by sending you an email. In some cases, we will notify you in advance, and your continued use of the Service after the changes have been made will constitute your acceptance of the changes.” Spotify Privacy Policy, last updated Sept. 3, 2015, emphasis added.

Essentially, invoking that clause to magically allow a buyer to purchase user data will cause customers to bring a lawsuit. The panelists did note that alert in customers of the policy change, along with an opt-out option has worked. Christine Lyon mentioned that she’s also seen a more aggressive tactic: opt-in + price adjustment based on each user who actually opts-in (since users are significantly less likely to opt-in than opt-out).

Buyers also should remember that the buyer’s right to use customers’ data is still limited by the limits the seller promised to the customer when the seller originally gathered the data from the customer.

Highest Risk Areas

Admins & temps are your biggest threats.

Mark Egan advocated for a need to know procedure when operating with an entity in China. He also stated that programmers don’t want to password protect their code (I really don’t have any idea whether that’s true or not…). Further, he preached that the biggest issues are:
Who has access to your system, with temps & admins being your greatest threat

With regards to temps, my assumption: is that they are a serious threat to the company because the company is going to know very little about temps (leaving the potential for hackers), and temps can easily slip up without adequate training, so they may cause a breach even unintentionally.

As far as admins, they have God-like abilities in your system. Keep your Gods to a minimum!
My take: essentially, give everyone you possibly can what I like to affectionately call “Kindergarten rights”. Don’t let them install anything, whether they be add-ons, etc. Allow only your hopefully very small set of approved employees handle IT work.

Cyber Insurance

These policies are likely not covered by your current insurance, and are likely worth looking into.

Louri Floresca reminded the audience that standard insurance only covers Cyber in certain circumstances (I think she said something along the lines of the insurance covering physical damages, like a fire or explosion, but I might be wrong about that). What’s important to realize is that standard insurance does not cover damages to users, etc. Damages to users have been separated out into separate Cyber policies, as well as Crime policies.

Fortunately, as Louri Floresca assurred the audience, insurers don’t shy away from companies who have had a breach. In fact, often the case is vice versa; companies who have been breached have likely learned a lot from it. Christine Lyon agreed, but clarified that buyers aren’t scared off so long as the seller took remedial measures.

Crime Policies:
An example of a “crime” covered would be where an employee receives an e-mail that the employee believes is from someone else in the company. The e-mail solicits funds from the employee, and the e-mail looks legitimate, and always appears time sensitive, saying something like “transfer $X ASAP so that <enter transaction here> can go through!”. Such an e-mail would typically be sent on a Friday evening, when there’s no opportunity to double-check with anyone until Monday. This type of transaction would not be covered by Cyber insurance, but would be covered by crime insurance.

Cyber Insurance:
Cyber Insurance is very good at dealing with the aftermath of a breach of users’ data. Even things like the sending out of notifications (letters, etc) to users requires man power and gets very expensive (the postage even), and cyber insurance companies know how to handle the process. The cyber insurance covers things like fines and penalties which are related to the breach, as well as forensics. Policies also include costs for things like new cards (i.e., Target had to replace customers’ cards). New cards can get pricey – the old swipe cards used to cost on average $3 to print. These days, the average cyber breach costs $200,000. Note: cyber policies do not generally cover reputation loss or future lost revenue.

Final Note:

Before I take my leave, just wanted to share that Fenwick & West gave out hands-down the coolest pen. It’s a flashlight, a stylus, and a blue ball point pen, all in one. #BOOM. (It occurs to me now that I should have taken a picture of actual panelists so that the picture for this post wasn’t pens. Oops!)