A purchase or investment in a company raises key privacy and data security issues, which can effect both valuation and potential liabilities. We assist companies, venture capital firms and other investors, along with their M&A attorneys, in conducting key due diligence and integration compliance tasks, including to:

  • Assess whether consumer data may be transferred under seller’s privacy policy and the legal risk of the transfer of information from one entity to another, advise on any restrictions or necessary steps to be taken in connection with the transfer, and help clients mitigate any risk;
  • Draft privacy and data security portion of due diligence questionnaire;
  • Investigate potential vulnerabilities and prior liabilities, including any previous data security breaches;
  • Draft privacy and data security clauses, including representations and warranties and appropriate indemnification, for Asset Purchase and similar agreements;
  • Analyze existing data held by the target company (e.g., consumer and employee data) and the seller’s current state of legal compliance, including in connection with applicable laws (e.g., Telephone Consumer Protection Act (TCPA), Children’s Online Privacy Protection Act of 1998 (COPPA), CAN-SPAM Act, and the Video Privacy Protection Act (VPPA));
  • Advise clients on mergers and acquisitions in specific business sectors in which privacy is heavily regulated, such as the health care industry (including HIPAA, HITECH, and state laws regulating medical data), the financial industry (including GLB Act and agency regulations, FFIEC guidance, Bank Secrecy Act, PATRIOT Act), and consumer reporting industry (including Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA));
  • Review target company cybersecurity and data privacy programs;
  • Assess target company’s key vendor contracts with regard to privacy, data security and integration issues; and
  • Assist in all aspects of data integration and post-investment or sale compliance.