Roberta D. Anderson, Partner, K&L Gates, Pittsburgh. Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J.

Transcription

1 Presenting a live 90 minute webinar with interactive Q&A Data Privacy and Cybersecurity Due Diligence in M&A Deals Identifying Vulnerabilities, Drafting Data Related Provisions in M&A Agreements, Post Acquisition Data Integration Considerations THURSDAY, OCTOBER 9, pm Eastern 12pm Central 11am Mountain 10am Pacific Td Today s faculty features: Roberta D. Anderson, Partner, K&L Gates, Pittsburgh Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J. Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C. The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

2 THE NUTS AND BOLTS OF ACQUISITIONS A BACKGROUNDER AND SOME QUESTIONS FOR PRIVACY PROS Due Diligence: The process of asking questions and assessing and quantifying risk in order to allocate it intentionally Due diligence provides the buyer with an opportunity to confirm any valuation of the Target and its assets and liabilities Due diligence also provides an opportunity to more closely assess the proposed synergy between the Buyer and the Target. The acquisition agreement will ultimately allocate risk among the parties given that perfect knowledge cannot exist. Three Principal Risk Areas Liability o FTC or Regulatory Actions (health, financial, children, international) o Shareholder Suits/D&O Liability o Class Actions Reputation Integration Managing Risk Identify Risk Shift Risk Mitigate Risk Accept Risk Common Acquisition Structures Asset Acquisitions Stock Acquisitions Mergers Asset Acquisitions Common Features Buyer purchases some or all assets of the Target Neither ownership nor existence of Target is affected (Target shareholders continue to own their stock) Stock Acquisitions Common Features Buyer purchases stock of the Target from the Target s shareholders All of the assets and liabilities of the Target remain with the Target (which is owned by Buyer post-closing) Because liabilities are acquired as well, due diligence investigations and contractual protections should be more comprehensive BUT fewer third party consents will be likely. Merger One company is merged with and into another which is the Survivor All assets and liabilities of the merged company succeed to, and are held by, the Survivor Three common types: o Direct mergers o Forward triangular mergers o Reverse triangular merger Triangular mergers and help manage risks associated with acquired liabilities Direct Merger Features Target merges directly with and into the Buyer and one party is designated the Survivor Stock held by the non-survivor s shareholders is converted into merger consideration All of the assets and liabilities of the non-survivor become assets and liabilities of the Survivor Forward Triangular Merger Involves merger of the Target with and into a subsidiary of the Buyer, with such subsidiary being the Survivor. Stock held by Target s shareholders is converted into merger consideration. Survivor remains a subsidiary of the Buyer. Subsidiary will hold all of its own assets and liabilities AND those of the Target. Reverse Triangular Merger 1

3 THE NUTS AND BOLTS OF ACQUISITIONS Merger of a subsidiary of the Buyer with and into the Target. The Target is the Survivor. Stock held by the Target s shareholders is converted into merger consideration. The Stock of the Buyer s subsidiary is converted into stock of the Target. Target becomes a subsidiary of Buyer and will hold all of the assets and liabilities of the Buyer s subsidiary. Third-Party Consents Some transactions, such as asset acquisitions, may require third-party consents. Failure to obtain consents, or breach of obligations, could impair asset values. Fiduciary Duties of Directors Directors owe fiduciary duties to the corporation and shareholders and sometimes creditors. When reviewing acquisition transactions, courts often review a decision to proceed applying the business judgment rule which is a presumption that the directors acted on an informed basis, in good faith, and in the honest belief that the action taken was in the best interests of the company. The business judgment rule will generally protect directors so long as they acted with due care and loyalty and in good faith. Fiduciary Duties: High Level Implications Among other things, collectively, fiduciary duties require the board to: Treat shareholders fairly Protect the shareholders investment Manage the corporation prudently for the benefit of all shareholders Cause the Seller to make the best possible representations and warranties Obligate the Seller to indemnify the acquirer for third party claims (work with deal team) Preserve meaningful remedies Common Negotiation Issues and Considerations Definition of knowledge and implications Materiality Definition of law Definition of personal information Remedies when we learn something what does it mean for the transaction? Contractual Risk Allocation 2

4 THE NUTS AND BOLTS OF ACQUISITIONS Eight Questions for Privacy & Data Security Pros in Transactions: Thinking Beyond Day-to-Day Responsibilities What is the relationship between the diligence information sought and the transaction (both now and in the future)? Do I know what the deal is about and what my clients care about (or should care about)? Am I being a problem solver rather than a problem spotter or administrator? Is privacy material in this deal? How? If not quantitatively material might it be qualitatively (e.g. knowing violations of law)? Do I know why this matters? What effect do qualifiers such as knowledge or MAE have on diligence? On, the seller s representations and therefore risk allocations? Should identified issues or risks be included on disclosure schedules? What tools are available to manage privacy risks to help the parties complete a transaction? Escrows? What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned? Common Due Diligence Topics for Privacy & Data Security Pros in Transactions Health Information Financial Information / PCI-DSS Information on Children Employee Information Customer Information & Commercial Communications Company Privacy Statements Information Security & Data Breaches Foreign Information / European Union & Safe Harbor Contracts, Audits, & Obligations Gerard M. Stegmaier is a partner in the Washington, D.C. office of Goodwin Procter LLP where he leads the firm s D.C. privacy and data protection group. He practices technology law with special emphasis in the areas of e-commerce, privacy, intellectual property and the First Amendment. His practice encompasses transactional, regulatory and litigation matters for emerging enterprises as well as Fortune 100 companies. He regularly acts as outside global coordinating counsel for many leading enterprises for privacy and information governance. Mr. Stegmaier also serves as an adjunct professor at George Mason University School of Law where he created and has taught one of the first courses on information privacy law for over ten years. He has represented many of the Internet's pioneers on important questions of first impression. He serves on the Advisory Board of Internet Law & Regulation, a Pike & Fischer and has been regularly recognized as a leading international practitioner in Who s Who Legal: Technology Media & Communications. Mr. Stegmaier is a magna cum laude graduate of George Mason University School of Law, where he was as an editor of the law review Goodwin Procter LLP. All rights reserved. This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP, Goodwin Procter (UK) LLP or their attorneys. Prior results do not guarantee similar outcome. Goodwin Procter LLP is a limited liability partnership which operates in the United States and has a principal law office located at 53 State Street, Boston, MA Goodwin Procter (UK) LLP is a separate limited liability partnership registered in England and Wales with registered number OC Its registered office is at Tower 42, 25 Old Broad Street, London EC2N 1HQ. A list of the names of the members of Goodwin Procter (UK) LLP is available for inspection at the registered office. Goodwin Procter (UK) LLP is authorized and regulated by the Solicitors Regulation Authority. 3

5 THE NUTS AND BOLTS OF ACQUISITIONS IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this informational piece (including any attachments) is not intended or written to be used, and may not be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. 4

6 Cyber Due Diligence: Pre-Transaction Assessment Can Uncover Costly Risks CYBER SECURITY USA

7 The company looks great on paper it has an innovative product, a great sales team and a lean approach to expenses. Whether the business model is centered around customer data, intellectual property or proprietary information, a key question often overlooked by investors is: Has management really recognized the issues and risks posed by insecure data protection? Even good companies can be unprepared How can you ensure that an investment target isn t one keystroke away from a major cyber incident or data breach? How can you be sure that an attacker isn t already lurking in their network? If a threat is identified, does the organization know how to respond to mitigate damage so brand, reputation and investment value are retained? CYBER DUE DILIGENCE conducted prior to investment can identify actual or potential cyber security lapses, areas that may be at risk, quantify remediation costs and help restructure an investment should substandard cyber security systems data or latent breaches be discovered. Likewise, a target can strengthen its attractiveness to investors by conducting its own cyber due diligence, enabling it to mitigate risk through identifying and minimizing any found cyber weakness. Kroll s experts know that cyber security risks are here to stay and have been helping investors identify, evaluate and quantify them. For more than 40 years, Kroll has advised private equity firms, hedge funds, investment banks and venture capital investors on reputational due diligence matters. Our cyber experts provide the same high level of care and attention in conducting your cyber due diligence, enabling us to: Uncover the cyber vulnerabilities you may be buying unwittingly Know if you are buying a company with an undisclosed data breach Reveal breach-breeding weaknesses in the target company s culture Kroll s Cyber Due Diligence Assessment Kroll s Cyber Due Diligence provides clients with a level of assurance regarding the state of their enterprise systems. Using its customizable modules, described below, to assess a firm s Cyber strengths and weakness, Kroll s thorough gap analysis provides actionable information for management to sharpen their practices and procedures ENDPOINT THREAT MONITORING AND ANALYSIS SECURITY CONTROLS REVIEW WITH IT SECURITY INCIDENT RESPONSE TABLE-TOP EXERCISE What We Do Module 1: Endpoint Threat Monitoring and Analysis Kroll can quickly install a sophisticated toolset that will rapidly detect and respond to threats in the subject environment. This enables us to watch every piece of software on every machine in real time. We can help you know what is happening in the network right now. Kroll s cyber security experts will work with your team to identify appropriate steps to contain and respond to any incident we detect and to implement countermeasures that help thwart future attacks. Module 2: Security Controls Risk Assessment Kroll s Security Controls Review evaluates existing policies and procedures to determine if the right standards and framework are in place to respond How mature is the target organization s cyber risk management program? Are they monitoring for threats? Would they be able to detect an incident? How quickly can they respond and recover from an incident?

8 to a Cyber Security incident. Our comprehensive assessment can determine if the right controls are in place to protect your confidential assets, and how well you can detect, respond to, and mitigate threats. A review can be standards-based (ISO, NIST, PCI-DSS, HIPAA/HITECH, GLBA, etc.), or against Cyber Security Best Practices. Module 3: Incident Response Tabletop Exercise A tabletop exercise can help identify any gaps or deficiencies prior to experiencing an incident, and ensures that responders know what to do in the event of an incident. Incident Response planning is critical to effectively detect and manage security incidents or data breaches. An Incident Response plan is a good first step, but it is not enough. The organization needs to effectively execute that plan so that reputational issues and associated costs, including notification and legal expenses, don t quickly spiral out of control. Security Controls Risk Assessment Report We ll provide a report documenting the strengths and weaknesses of Cyber Security policies and procedures, and provide our expert recommendation. The management team can use this report to add or modify policies and procedures. Incident Response Table-top Exercise Report Following the tabletop exercise, we ll create a report identifying what was done well and what wasn t and provide actionable items for improvement. The management team can use this report to improve procedures and clarify roles and responsibilities. With these Kroll reports in hand, management and investors can move forward with a thorough understanding of their cyber security environment. What You Get End Point Threat Monitoring Analysis Report We ll provide a report that details any suspicious activity or areas of concern, and our recommendations for remediation. The IT department can use this report to address vulnerabilities and improve monitoring. Our Endpoint Threat Monitoring tool can be left behind and training provided so that detailed monitoring can continue.

9 About Kroll Kroll is the leading global provider of risk solutions. For over 40 years, Kroll has helped clients make confident risk management decisions about people, assets, operations, and security through a wide range of investigations, due diligence and compliance, cyber security, physical and operational security, and data and information management services. Headquartered in New York with more than 55 offices across 26 countries, Kroll has a multidisciplinary team of nearly 2,300 employees and serves a global clientele of law firms, financial institutions, corporations, non-profit institutions, government agencies, and individuals. These materials have been prepared for general information purposes only and do not constitute legal or other professional advice. Always consult with your own professional and legal advisors concerning your individual situation and any specific questions you may have. CONTACT For more information, call or visit us online: kroll.com SLS 0023 ITDB US_CYBER DUE DILIGENCE_SEPT Kroll. All Rights Reserved. Certain Kroll companies provide investigative services. See for state licensing information.