Data Privacy and Cybersecurity Due Diligence in M&A Deals


Presenting a live 90-minute webinar with interactive Q&A

Data Privacy and Cybersecurity Due Diligence in M&A Deals
Identifying Vulnerabilities, Drafting Data-Related Provisions in M&A Agreements, Post-Acquisition Data Integration Considerations

THURSDAY, OCTOBER 9, 2014
1pm Eastern, 12pm Central, 11am Mountain, 10am Pacific

Today's faculty features:
- Roberta D. Anderson, Partner, K&L Gates, Pittsburgh
- Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J.
- Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C.


Privacy & Data Security in M&A Transactions
Gerard M. Stegmaier, Partner
2013 Goodwin Procter LLP


Fiduciary Duties of Directors

Class Action Lawsuits

Employee Privacy

Due Diligence
The process of asking questions and assessing and quantifying risk in order to allocate it intentionally.

Principal Risk Areas
- Liability
- Reputation
- Integration

Managing Risk
- Identify Risk
- Shift Risk
- Mitigate Risk
- Accept Risk

Asset Acquisitions: Common Features
- Buyer purchases some or all assets of the Target
- Neither ownership nor existence of Target is affected (i.e., Target shareholders continue to own their stock)

Stock Acquisitions: Common Features
- Buyer purchases stock of the Target from the Target's shareholders
- All of the assets and liabilities of the Target remain with the Target (which is owned by Buyer post-closing)
- Because liabilities are acquired as well, due diligence and contractual protections should be more comprehensive, BUT fewer third party consents will be likely

Merger
- One company is merged with and into another, which is the Survivor
- All assets and liabilities of the merged company succeed to, and are held by, the Survivor

Common Merger Types
- Direct merger
- Forward triangular merger
- Reverse triangular merger

Common Negotiation Considerations
- Knowledge
- Materiality
- Laws
- Personal Information
- Remedies

8 Questions for Privacy Pros in Transactions
- What is the relationship between the diligence information sought and the transaction (both now and in the future)?
- Do I know what the deal is about and what my clients care about (or should care about)?
- Am I being a problem solver rather than a problem spotter or administrator?
- Is privacy material in this deal? How? Do I know why this matters?
- What effect do qualifiers such as knowledge or MAE have on diligence? On the seller's representations and risk allocations?
- Should identified issues or risks be included on disclosure schedules?
- What tools are available to manage privacy risks to help the parties complete a transaction? Escrows?
- What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned?

GERARD M. STEGMAIER, ESQ., PARTNER
Contact Information:
901 New York Avenue, NW, Washington, DC 20001
202.346.4202
gstegmaier@goodwinprocter.com
@1sand0sLawyer
Goodwin Procter LLP

Data Privacy and Cyber Security Due Diligence in M&A Deals
Alan Brill, CISSP, CFE, CIPP/US, FAAFS
October 9, 2014

1 The Problem: Why has Cyber Become So Important?
A Quick Introduction

When you or your client wants to
- Expand into a new business area
- Increase market share
- Neutralize competition
- Improve technology and systems
- Acquire a new customer base or BI data
WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?

You Want to Know (BEFORE, not After.)
September, 2013; February, 2014

You Want to Know (BEFORE, not After.)
August, 2014; September, 2014

What's the Cyber Risk in an M&A Transaction
- Theft of intellectual property and trade secrets?
- Loss of sensitive business information and strategies?
- Loss of customer / employee data and damages to reputation and employee / consumer confidence?
- Litigation and compliance risks?
- Remedial expenditures?
- Loss of shareholder value?
(Not counting compromise of data on the deal itself!)

2 Kroll's Experience and Advice

Kroll's Approach to the M&A Cyber Challenge
At all stages of the deal process, there is a continuum of cyber-risk management need.
Phase 1: Target risk evaluation
- Identify key InfoSec risk facing business
- Set up team to review data and processes
Phase 2: Deal and response diligence
- Deal diligence on key players and assets
- Technical response review of assurances
Phase 3: Pre closing network diligence
- Endpoint Threat Monitoring and analysis
- Security controls review
Phase 4: Post purchase implementation
- Incident response planning
- Incident table top exercise (TTX)

Phase 1. Target Evaluation
- Identify the InfoSec risks facing the target
- Data risks
- Regulatory risk
- Develop the data security team involvement
- Identification of integration issues and constraints
- Define roles with transaction team
- Implement secure communications approach
- Identify outside expertise needs

Phase 2: Pre-Signature
- Development of diligence approach
- Kroll diligence workup on key players and corporate assets
- Assistance to review technical InfoSec reporting on pre-signing actions:
  o Covenants, representations, and warranties
  o Licenses, vendors, business associates
  o Indemnification, limits, and basket
  o Divestment triggers
  o Avoidance of knowledge qualifiers
  o Use of Material Adverse Security Effect

Phase 3: Pre-Closing Endpoint Threat Monitoring and Analysis
- Used to understand how the enterprise controls unknown software inside its environment
  o Not just looking for known malware
- Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence
- Review all running binaries and processes
- Corroborate patching processes and find significant vulnerabilities
  o A two week process

Phase 3: Pre-Closing Security Controls Review
- Determine whether the target is actually implementing key measures to protect against persistent targeted attacks
- Review the governance and structure of the target's InfoSec response

Phase 4: Post-Closing Integration TTX
- Review information response plan
- ID and brief changes
- Interview key stakeholders
- Develop scenarios
- Deliver TTX with old and new teams

In Summary
- It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions
- You will never invest in a house without an appropriate inspection
- Information security involvement as part of the deal team is key
- Technical solutions that are designed to identify and report on InfoSec risks in a relevant way, and that provide value through each phase of the transaction, are of significant value in due diligence

Alan Brill, CISSP, CFE, CIPP/US, FAAFS
Senior Managing Director
Kroll Cyber Security & Investigations
abrill@kroll.com
T +1-319-8026

Data Privacy and Cybersecurity Due Diligence in M&A Deals
The Importance of Insurance Coverage
Roberta D. Anderson
roberta.anderson@klgates.com
@RobertaEsq
October 9, 2014
Copyright 2013 by K&L Gates LLP. All rights reserved.

AGENDA
- The Importance Of Timing
- What To Look For In An Insurance Audit
- Potential Coverage Under Legacy Policies
- Limitations Of Legacy Insurance Policies
- Cutting Edge Cyber Insurance
- M&A Insurance Provisions
- A Word About Vendor Contracts

THE IMPORTANCE OF TIMING
- Advanced Attacks Go Undiscovered For A Median 229 Days
- A Merger/Acquisition May Close Before The Attack Is Discovered, Resulting In Substantial Post-Closing Liability

WHAT TO LOOK FOR IN AN INSURANCE AUDIT

POTENTIAL COVERAGE UNDER LEGACY POLICIES
- Directors and Officers (D&O)
- Errors and Omissions (E&O)/Professional Liability
- Employment Practices Liability (EPL)
- Fiduciary Liability
- Crime
- Property?
- Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
- Commercial General Liability (CGL)?

POTENTIAL COVERAGE UNDER LEGACY POLICIES
- Coverage B provides coverage for damages because of personal and advertising injury
- Personal and Advertising Injury is defined in part as injury arising out of "[o]ral or written publication, in any manner, of material that violates a person's right of privacy"
- What is a Person's Right of Privacy?
- What is a Publication?

LIMITATIONS OF LEGACY INSURANCE POLICIES
ISO states that when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

CUTTING EDGE CYBER INSURANCE
- Privacy And Network Security: Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured's network, and other network security threats
- Regulatory Liability: Provides coverage to deal with regulators and liability arising out of administrative or regulatory investigations, proceedings, fines and penalties
- Crisis Management: Provides coverage for forensics experts to determine the cause of the breach, notify individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities
- Media Liability: Provides coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking)

CUTTING EDGE CYBER INSURANCE
- Network Interruption And Extra Expense (and CBI): Coverage for lost business income and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken).
- Information Asset Coverage: Coverage for damage to or theft of the insured's own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
- Extortion: Coverage for losses resulting from extortion (payments of an extortionist's demand to prevent network loss or implementation of a threat).
- Emerging Market For First-Party Property Damage
- Emerging Market For Third-Party Bodily Injury and Property Damage Coverage

CUTTING EDGE CYBER INSURANCE
- Defense And Indemnity For Claims
- Regulatory Defense, Fines And Penalties
- Crisis Management


BEWARE THE FINE PRINT

M&A INSURANCE PROVISIONS


A WORD ABOUT VENDOR CONTRACTS
- Be specific
- Who is responsible for securing stored data? Data in motion?
- Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls http://www.sans.org/critical-security-controls
- Who has access, and to which parts of the organization's network?
- What are the required cybersecurity standards?
- Dovetail Vendor Contracts With Insurance Contracts

LinkedIn: robertaandersonesq
Twitter: @RobertaEsq
Insurance Thought Leadership