We found a breach during due diligence. Now what do we do? | M&A Conference at Wharton San Francisco

May
2018

This session at the M&A Conference at Wharton San Francisco explored both the methods and parties to the assessment of the breach; looked at duties to report to law enforcement and securities regulators; considered the potential impact on schedules for financing and closing; debated valuation adjustments and changes in the forms of consideration, and discussed methods for addressing post-close liabilities. 

Christen Morand, Partner, Fraud Investigation & Dispute Services at EY, asked the panel what a strong data breach incident plan should look like.

Tim Ryan, Principal, Fraud Investigation & Dispute Services at EY, said “it’s about process; how are incidents getting escalated and people informed.”

Jon Adams, Senior Privacy Counsel at LinkedIn Corporation, added that it is important that any plan has been tested and, preferably, organization-specific, not just a purchased off-the-shelf plan.

Brian Weimer, Partner and Telecom Team Leader at Sheppard Mullin in Washington DC, and the other panelists also discussed the balancing act involved in data breach disclosures from the seller to the buyer.

Important factors include the seller making sure that it has a good handle on what actually happened and why; the ethics and contractual responsibilities of disclosure; whether law enforcement is involved in an investigation; and any responsibility of disclosure to regulators.

“You must have mechanisms in place to deal with the incident…before going to regulators,” Wiemer said, adding that the overriding principle is one of preserving “credibility and transparency.”

When faced with a serious seller disclosure, Ryan suggested that the buyer should go back to basics, asking: Why are we buying this company? and What is the true extent of the incident?

In his experience, the data breach issues are usually more complex and go back longer than initially understood or disclosed.

Overall, the panel felt that in most cases the resolution of a data breach involves refining of indemnification language and, perhaps, establishing a special escrow to cover unknown liabilities going forward; however, purchase price adjustments are unlikely.

Possible deal breakers, according to Adams: Involvement of a state actor; where most of entity’s internal systems were penetrated; or when the perpetrator extracted core intellectual property that was the acquisition’s objective.

All panelists also emphasized the importance of engaging professional public relations council to help limit the news cycle as much as possible and establish call centers when consumers are involved.

Video: 
Data Breach Material Breach Cybersecurity Cyber Risks Buyer Diligence Due Diligence
By Ms. Christen Morand

Christen Morand is a Partner and Certified Public Accountant in Ernst & Young’s Forensic & Integrity Services practice and is based in Chicago. She provides alternative dispute resolution services and litigation support services on a variety of matters including post-transaction disputes, purchase price disputes, working capital adjustments, analysis and resolution of earn-out provisions and expert testimony. She is a frequent speaker on accounting M&A topics, mitigating M&A disputes, and analysis of M&A contractual language.
View all articles by Ms. Christen Morand
By Jon Adams

Jon Adams is Senior Privacy Counsel at LinkedIn. As part of LinkedIn's dedicated data protection team, his role is to help build out consumer privacy tools, draft and implement privacy and security policies, negotiate data-driven transactions, and advise on privacy and data protection in product development.
View all articles by Jon Adams
By Mr. Tim Ryan

Tim Ryan is a Principal at EY in the Fraud Investigation and Dispute Services practice. He serves as the US Cyber Investigations Practice Leader. 
View all articles by Mr. Tim Ryan