4 Essential Questions for Data Due Diligence in Tech Mergers and Acquisitions

It’s been said that every company today is a data company—or, at least, every company should be a data company.

While you may think this only refers to enterprise-level organizations and other large businesses with sophisticated operations, even the smallest businesses are gathering and storing customer information such as email address, location, past purchases, communication preferences, feedback, and more.

Data due diligence for target and acquiring companies

Data is a critical consideration for any business on either side of a merger or acquisition. Not only does it provide vital information about the potential value and suitability of the target company, but it can also be valuable in its own right.

For instance, data can help your business:

Improve customer experiences.
Spot trends that allow you to optimize processes and operations.
Find areas of efficiency to reduce costs.

However, the power of data cuts both ways. While it can help tremendously, it carries a tremendous amount of risk as well—because protecting that data is the responsibility of the company that possesses it.

The potential downside of a breach or some other data issue extends well beyond the loss of customer trust. As significant as loss of customer trust is, other severe penalties may be possible depending on the location of the business, the customers, or both.

Protecting that data is the responsibility of the company that possesses it

Data due diligence for any merger or acquisition requires a thorough examination of the target company’s data, along with the practices and policies it uses in collecting, managing, and protecting said data. The acquiring company’s policies must be taken into account as well. If it is a true merger, both companies have an interest in how their data will be managed going forward.

These are 4 essential questions that should be addressed before any deal:

What data is included in the deal—and how can it be used?

It’s not uncommon for companies to treat data as an afterthought when making an acquisition or pursuing a merger. However, data is both an asset and a potential liability. Depending on the situation, the data should be treated with consideration comparable to other assets.

But there are big differences among types of data: Possessing someone’s personal health information (PHI), for example, is a much bigger responsibility than simply having their email address. As a result, one of the fundamental questions for any acquisition is what data, exactly, the target company possesses.

Considerations for the target company:

Even if your company is being acquired, it’s a good idea to think about your data—and your reputation. If your data is moving to a company with less-stringent policies, could the data of your customers be at risk? A breach or misuse of data, even if under the management of the acquiring company, could have consequences for your business.

Consider a data-protection agreement or other measures.

Considerations for the acquiring company:

Your company needs to understand whether the target company’s data can actually be transferred as part of the transaction, what disclosure might be required, and whether any kind of individual consent is required for a transfer.

Any contractual agreements related to data that will survive the sale and be assumed by you must be fully understood. Any transfer must follow any relevant regulations or laws, and a data-protection agreement may be required; typically these are designed to ensure the acquiring company follows the policies and user agreements under which the data was collected and is used and/or managed.

Purchasing a company that is in bankruptcy can add to the complexity as well.

How is this data protected and managed?

There are imperative factors when it comes to data protection and management, such as internal and external policies and licensing.

Considerations for the target company:

Are your data policies clearly defined, and followed across the organization? Do you have strict security standards and robust protections?

It’s important to be forthcoming. On the positive side, strong standards may make your company more attractive, as they can lessen the risk that a breach or other potential misuse has already happened without your knowledge.

The acquiring company will be assuming this risk, and anything you can do to mitigate it is a plus.

Considerations for the acquiring company:

You want to know everything about the target company’s data and processes—user agreements, privacy policies, procedures, training records, licensing, how the organization tracks its data, and so on. Practical questions must be asked as well:

How does the company use its data now? Is it managed through a systemic process followed across the organization, or is data managed by one person or a team?

If the answer is the latter, and processes aren’t clearly defined, you could run into trouble if that person or team leaves.

And what about security? What type of standards are being followed, and are they appropriate?

These considerations aren’t only about mitigating regulatory risk.

If the target company has poor data management or security, it could incur significant expense shoring up systems and protections, or face fines or penalties after the acquisition.

Similarly, if the acquiring company’s policies are less robust than the target company’s, investment may be required to ensure commitments are met and the data can be used.

Even if the acquiring company has more stringent data policies than the target, steps to reconcile the policies and notify affected individuals might be necessary. For instance, if the acquiring company promises not to use certain data, but the target company’s policy allows such use.

What kind of state, federal, or other regulations apply?

Data privacy and security laws are continuing to grow, both in the U.S. and globally. Issues such as breaches or misuse can result in large fines and other penalties. Things that must be considered include the locations of the following:

- - The acquiring and target companies
  - The individuals whose data is being stored
  - The data itself

All these considerations factor into which jurisdiction’s laws will apply to the data in question and the stakes are significant.

For instance, the California Consumer Privacy Act (CCPA) allows for fines of $7,500 per violation. Many other states have similar laws, and they can be convoluted or ambiguous, making it difficult to determine risk and evaluate compliance. If a European Union country is involved, the numbers can be even higher—violations of the General Data Protection Regulation (GDPR) can result in a penalty of 4% of annual worldwide revenue, up to 20 million euros.

The fees alone are also not representative of the additional time and resources either party would have to expend in response to a regulatory inquiry. Under the CCPA and other laws, there’s the possibility of a class-action lawsuit as well. Therefore, it’s not only vital to understand the target company’s practices and policies, but also the laws that will apply to the acquiring company.

What risks might lie ahead?

Data can present a significant level of future risk—risk that one company may be acquiring, and that could spur litigation if the risk is undisclosed or underplayed by the seller.

Understanding data issues and the potential issues before a transaction can not only help companies address them in an agreement but might also allow either party to secure more favorable terms.

For instance, if the target company has been the subject of a phishing or ransomware attack in the past that could result in future claims, or if there are security issues that make the target company more susceptible to such attacks, it could result in a more attractive price for the buyer. On the other hand, a company with rock-solid data policies and management might command a premium, thanks to the lower risk of regulatory issues and potential penalties.

Helping companies answer the ultimate question—to move forward or not

Gaining an understanding of the data security and risks in an acquisition or merger scenario provides the additional benefits of providing insight into either company’s overall operations. After all, a company that cuts corners on something as vital as data management and security might well be cutting corners elsewhere.

If communication and collaboration around data policies is poor, how well do teams align in other areas? And if leaders are simply unaware of the risks that come with poor data management, what other risks might be lurking? Whichever side you’re on, the answers may provide illuminating insight into the other company.

If you are preparing for a merger or acquisition, Han Santos can help both acquiring and target companies evaluate data policies, mitigate risk, and position your company for prosperous deals. Contact us today to learn how we can support your business through the M&A process.

Cookie	Duration	Description
__cfruid	session	Set by Cloudflare. Cookie associated with sites using CloudFlare, used to identify trusted web traffic. Learn more about Cloudflare cookies.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
cf_clearance	session	Set by Cloudflare. Used to verify user is not a bot. Learn more about Cloudflare cookies.
hubspotutk	1 year	Set by HubSpot. This cookie keeps track of a visitor’s identity. It is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
__hssc	30 minutes	Set by HubSpot. This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
__hssrc	session	Set by HubSpot. Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
__hstc	13 months	Set by HubSpot. The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
_ga	2 years	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.
_ga_RJQRHRDJNC	2 years	Set by Google. Used to persist session state. Google’s policies can be viewed here.
_gat_gtag	1 minute	Set by Google. Used to analyze visitor browsing habits, flow, source and other information. Google’s policies can be viewed here.
_gid	24 hours	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.

4 Essential Questions for Data Due Diligence in Tech Mergers and Acquisitions

Data due diligence for target and acquiring companies

What data is included in the deal—and how can it be used?

Considerations for the target company:

Considerations for the acquiring company:

How is this data protected and managed?

Considerations for the target company:

Considerations for the acquiring company:

What kind of state, federal, or other regulations apply?

What risks might lie ahead?

Helping companies answer the ultimate question—to move forward or not

Featured

Menu