Key data protection and cybersecurity considerations in the mergers and acquisitions context through the lens of regulatory and judicial enforcement

Abstract

With mergers and acquisitions being an integral part of the commercial landscape, the vast amounts of personal data implicit in such transactions cannot be overstated. It has become increasingly apparent, particularly given the advent and evolution of data privacy laws across the world, that it is crucial to incorporate key data protection and cybersecurity assessments into the due diligence process to identify and mitigate potential data protection and cybersecurity risks. Where companies fail to do so, the implications are often severe and extend to both exposure to enforcement risk and reputational damage. This paper will examine the status of the current mergers and acquisitions market and why it is necessary for data protection and cybersecurity considerations to be at the forefront of such transactions; thereafter, the risks implicit in neglecting to incorporate the necessary mechanisms and compliance checks into the due diligence process will be assessed. The focus of this paper will then turn to considering relevant regulatory and judicial enforcement actions to assess the precedent that exists for the view that failing to consider data protection and cybersecurity matters ultimately poses a significant commercial and compliance risk to both the acquiring company and the target company. Finally, this paper will conclude with a review of various strategies available to companies to mitigate such commercial and compliance risk from the perspective of safeguarding against undue post-acquisition liability.