Presenting a live 90-minute webinar with interactive Q&A

Data Privacy and Cybersecurity Due Diligence in M&A Deals
Identifying Vulnerabilities, Drafting Data-Related Provisions in M&A Agreements, Post-Acquisition Data Integration Considerations

THURSDAY, OCTOBER 9, 2014, 1pm Eastern / 12pm Central / 11am Mountain / 10am Pacific

Today's faculty features:
Roberta D. Anderson, Partner, K&L Gates, Pittsburgh
Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J.
Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Privacy & Data Security in M&A Transactions
Gerard M. Stegmaier, Partner
2013 Goodwin Procter LLP
Fiduciary Duties of Directors

Class Action Lawsuits

Employee Privacy
Due Diligence
The process of asking questions and assessing and quantifying risk in order to allocate it intentionally.
Principal Risk Areas
- Liability
- Reputation
- Integration
Managing Risk
- Identify risk
- Shift risk
- Mitigate risk
- Accept risk
Asset Acquisitions: Common Features
- Buyer purchases some or all assets of the Target
- Neither ownership nor existence of the Target is affected (i.e., Target shareholders continue to own their stock)
Stock Acquisitions: Common Features
- Buyer purchases stock of the Target from the Target's shareholders
- All of the assets and liabilities of the Target remain with the Target (which is owned by Buyer post-closing)
- Because liabilities are acquired as well, due diligence and contractual protections should be more comprehensive, BUT fewer third-party consents will likely be needed
Merger
- One company is merged with and into another, which is the Survivor
- All assets and liabilities of the merged company succeed to, and are held by, the Survivor

Common Merger Types
- Direct merger
- Forward triangular merger
- Reverse triangular merger
Common Negotiation Considerations
- Knowledge
- Materiality
- Laws
- Personal Information
- Remedies
8 Questions for Privacy Pros in Transactions
1. What is the relationship between the diligence information sought and the transaction (both now and in the future)?
2. Do I know what the deal is about and what my clients care about (or should care about)?
3. Am I being a problem solver rather than a problem spotter or administrator?
4. Is privacy material in this deal? How? Do I know why this matters?
5. What effect do qualifiers such as knowledge or MAE have on diligence? On the seller's representations and risk allocations?
6. Should identified issues or risks be included on disclosure schedules?
7. What tools are available to manage privacy risks to help the parties complete a transaction? Escrows?
8. What information may be most helpful to facilitate integration after the transaction closes, and who will inherit whatever is learned?
GERARD M. STEGMAIER, ESQ., PARTNER
Contact Information: 901 New York Avenue, NW, Washington, DC 20001
202.346.4202
gstegmaier@goodwinprocter.com
@1sand0sLawyer
Data Privacy and Cybersecurity Due Diligence in M&A Deals
Alan Brill, CISSP, CFE, CIPP/US, FAAFS
October 9, 2014
1. The Problem: Why Has Cyber Become So Important? A Quick Introduction
When you or your client wants to:
- Expand into a new business area
- Increase market share
- Neutralize competition
- Improve technology and systems
- Acquire a new customer base or BI data

WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?
You Want to Know (BEFORE, not After.)
[Breach headlines shown on the original slides: September 2013, February 2014, August 2014, September 2014]
What's the Cyber Risk in an M&A Transaction?
- Theft of intellectual property and trade secrets?
- Loss of sensitive business information and strategies?
- Loss of customer / employee data and damage to reputation and employee / consumer confidence?
- Litigation and compliance risks?
- Remedial expenditures?
- Loss of shareholder value?
(Not counting compromise of data on the deal itself!)
2. Kroll's Experience and Advice
Kroll's Approach to the M&A Cyber Challenge
At all stages of the deal process, there is a continuum of cyber-risk management need.
- Phase 1: Target risk evaluation. Identify key InfoSec risks facing the business; set up a team to review data and processes.
- Phase 2: Deal and response diligence. Deal diligence on key players and assets; technical review of the assurances given.
- Phase 3: Pre-closing network diligence. Endpoint threat monitoring and analysis; security controls review.
- Phase 4: Post-purchase implementation. Incident response planning; tabletop exercise (TTX).
Phase 1: Target Evaluation
- Identify the InfoSec risks facing the target: data risks, regulatory risk
- Develop the data security team's involvement
- Identify integration issues and constraints
- Define roles with the transaction team
- Implement a secure communications approach
- Identify outside expertise needs
Phase 2: Pre-Signature
- Development of the diligence approach
- Kroll diligence workup on key players and corporate assets
- Assistance in reviewing technical InfoSec reporting on pre-signing actions:
  - Covenants, representations, and warranties
  - Licenses, vendors, business associates
  - Indemnification, limits, and basket
  - Divestment triggers
  - Avoidance of knowledge qualifiers
  - Use of a Material Adverse Security Effect
Phase 3: Pre-Closing Endpoint Threat Monitoring and Analysis
- Used to understand how the enterprise controls unknown software inside its environment
  - Not just looking for known malware
- Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence
- Review all running binaries and processes
- Corroborate patching processes and find significant vulnerabilities
  - A two-week process
Phase 3: Pre-Closing Security Controls Review
- Determine whether the target is actually implementing key measures to protect against persistent targeted attacks
- Review the governance and structure of the target's InfoSec response
Phase 4: Post-Closing Integration TTX
- Review the incident response plan
- Identify and brief changes
- Interview key stakeholders
- Develop scenarios
- Deliver the TTX with the old and new teams
In Summary
- It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions
- You would never buy a house without an appropriate inspection
- Information security involvement as part of the deal team is key
- Technical solutions that identify and report on InfoSec risks in a relevant way, and that deliver value through each phase of the transaction, add significant value to due diligence
Alan Brill, CISSP, CFE, CIPP/US, FAAFS
Senior Managing Director, Kroll Cyber Security & Investigations
abrill@kroll.com
T +1-319-8026
Data Privacy and Cybersecurity Due Diligence in M&A Deals: The Importance of Insurance Coverage
Roberta D. Anderson
roberta.anderson@klgates.com
@RobertaEsq
October 9, 2014
Copyright 2013 by K&L Gates LLP. All rights reserved.
AGENDA
- The Importance Of Timing
- What To Look For In An Insurance Audit
- Potential Coverage Under Legacy Policies
- Limitations Of Legacy Insurance Policies
- Cutting Edge Cyber Insurance
- M&A Insurance Provisions
- A Word About Vendor Contracts
THE IMPORTANCE OF TIMING
- Advanced attacks go undiscovered for a median of 229 days (the Mandiant M-Trends 2014 figure for intrusions investigated in 2013)
- A merger or acquisition may therefore close before an attack on the target is discovered, resulting in substantial post-closing liability for the buyer
WHAT TO LOOK FOR IN AN INSURANCE AUDIT

POTENTIAL COVERAGE UNDER LEGACY POLICIES
- Directors and Officers (D&O)
- Errors and Omissions (E&O) / Professional Liability
- Employment Practices Liability (EPL)
- Fiduciary Liability
- Crime
- Property?
- Commercial General Liability (CGL)?

Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and MasterCard under the computer fraud rider of its blanket crime policy)
CGL Coverage B provides coverage for damages because of "personal and advertising injury."
"Personal and Advertising Injury" is defined in part as injury arising out of "[o]ral or written publication, in any manner, of material that violates a person's right of privacy."
- What is a "person's right of privacy"?
- What is a "publication"?
LIMITATIONS OF LEGACY INSURANCE POLICIES
ISO states that when this endorsement is attached, it "will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data."
CUTTING EDGE CYBER INSURANCE
Privacy And Network Security: Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured's network, and other network security threats.
Regulatory Liability: Provides coverage to deal with regulators and liability arising out of administrative or regulatory investigations, proceedings, fines and penalties.
Crisis Management: Provides coverage for forensics experts to determine the cause of the breach, notification of individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities.
Media Liability: Provides coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking).
Network Interruption And Extra Expense (and CBI): Covers lost business income and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken).
Information Asset Coverage: Covers damage to or theft of the insured's own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
Extortion: Covers losses resulting from extortion (payment of an extortionist's demand to prevent network loss or implementation of a threat).
Emerging market for first-party property damage coverage.
Emerging market for third-party bodily injury and property damage coverage.
- Defense and indemnity for claims
- Regulatory defense, fines and penalties
- Crisis management
BEWARE THE FINE PRINT

M&A INSURANCE PROVISIONS
A WORD ABOUT VENDOR CONTRACTS
Be specific:
- Who is responsible for securing stored data? Data in motion?
- Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls, http://www.sans.org/critical-security-controls
- Who has access, and to which parts of the organization's network?
- What are the required cybersecurity standards?
Dovetail vendor contracts with insurance contracts.
LinkedIn: robertaandersonesq
Twitter: @RobertaEsq
Insurance Thought Leadership