
Presenting a live 90-minute webinar with interactive Q&A

Data Privacy and Cybersecurity Due Diligence in M&A Deals

Identifying Vulnerabilities, Drafting Data-Related Provisions in M&A Agreements, Post-Acquisition Data Integration Considerations

TUESDAY, SEPTEMBER 22, 2015

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Roberta D. Anderson, Partner, K&L Gates, Pittsburgh

Alan Brill, Senior Managing Director, Kroll Cyber Security & Investigations, Secaucus, N.J.

Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C.


©2013 Goodwin Procter LLP

Privacy & Data Security in M&A Transactions

Gerard M. Stegmaier, Partner


Fiduciary Duties of Directors


Class Action Lawsuits


Employee Privacy


Due Diligence

The process of asking questions and assessing and quantifying risk in order to allocate it intentionally.


Principal Risk Areas

• Liability

• Reputation

• Integration


Managing Risk

• Identify Risk

• Shift Risk

• Mitigate Risk

• Accept Risk


Asset Acquisitions: Common Features

• Buyer purchases some or all assets of the Target

• Neither ownership nor existence of Target is affected (i.e., Target shareholders continue to own their stock)


Stock Acquisitions: Common Features

• Buyer purchases stock of the Target from the Target’s shareholders

• All of the assets and liabilities of the Target remain with the Target (which is owned by Buyer post-closing)

• Because liabilities are acquired as well, due diligence and contractual protections should be more comprehensive, BUT fewer third party consents will be likely


Merger

• One company is merged with and into another, which is the Survivor

• All assets and liabilities of the merged company succeed to, and are held by, the Survivor


Common Merger Types

• Direct merger

• Forward triangular merger

• Reverse triangular merger


Common Negotiation Considerations

• Knowledge

• Materiality

• Laws

• Personal Information

• Remedies


8 Questions for Privacy Pros in Transactions

• What is the relationship between the diligence information sought and the transaction (both now and in the future)?

• Do I know what the deal is about and what my clients care about (or should care about)?

• Am I being a problem “solver” rather than a problem “spotter” or “administrator”?

• Is “privacy” material in this deal? How? Do I know why this matters?


• What effect do qualifiers such as “knowledge” or “MAE” have on diligence? On the seller’s representations and risk allocations?

• Should identified issues or risks be included on disclosure schedules?

• What tools are available to manage privacy risks to help the parties complete a transaction? Escrows?

• What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned?


GERARD M. STEGMAIER, ESQ., PARTNER

Contact Information:

901 New York Avenue, NW

Washington, DC 20001

202.346.4202

[email protected]

@1sand0sLawyer


Data Privacy and Cyber Security Due Diligence in M&A Deals

Alan Brill, CISSP, CFE, CIPP/US, FAAFS

September 22, 2015


1. The Problem: Why has “Cyber” Become So Important?

A Quick Introduction…


When you or your client wants to……

Expand into a new business area

Increase market share

Neutralize competition

Improve technology and systems

Acquire a new customer base or BI data

WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?


You Want to Know (BEFORE, not After….)

September, 2013 February, 2014


August, 2014 September, 2014


What’s the Cyber Risk in an M&A Transaction

Theft of intellectual property and trade secrets?

Loss of sensitive business information and strategies?

Loss of customer / employee data and damages to reputation and employee / consumer confidence?

Litigation and compliance risks?

Remedial expenditures?

Loss of shareholder value?

(Not counting compromise of data on the deal itself!)


2. Kroll’s Experience and Advice


Kroll’s Approach to the M&A Cyber Challenge

At all stages of the deal process, there is a continuum of cyber-risk management need.

• Phase 1: Target risk evaluation

− Identify key InfoSec risk facing business

− Set up team to review data and processes

• Phase 2: Deal and response diligence

− Deal diligence on key players and assets

− Technical response review of assurances

• Phase 3: Pre-closing network diligence

− Endpoint Threat Monitoring and analysis

− Security controls review

• Phase 4: Post-purchase implementation

− Incident response planning

− Table top exercise (TTX)


Phase 1. Target Evaluation

Identify the InfoSec risks facing the target

Data risks

Regulatory risk

Develop the data security team involvement

Identification of integration issues and constraints

Define roles with transaction team

Implement secure communications approach

Identify outside expertise needs


Phase 2: Pre-Signature

Development of diligence approach

Kroll diligence workup on key players and corporate assets

Assistance to review technical InfoSec reporting on pre-signing actions:

Covenants, representations, and warranties

Licenses, vendors, business associates

Indemnification, limits, and basket

Divestment triggers

Avoidance of “knowledge” qualifiers

Use of “Material Adverse Security Effect”


Phase 3: Pre-Closing

• Endpoint Threat Monitoring and Analysis

− Used to understand how the enterprise controls unknown software inside its environment

o Not just looking for known malware

− Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence

− Review all running binaries and processes

− Corroborate patching processes and find significant vulnerabilities

o A two-week process…
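
Added example, not part of the original slides or of Kroll's tooling: a small triage pass over an endpoint process inventory that scores each running binary on the four attributes the slide names (location, signature, network connections, persistence) and surfaces unknown software even when no antivirus verdict exists. The record fields, directory hints, weights, threshold and sample inventory are assumptions constructed for illustration.

```python
"""Triage of an endpoint process inventory on four attributes:
location, signature, network connections, persistence.
All records, paths, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass, field

# Assumption: directories users can usually write to, where managed
# enterprise software rarely runs from.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumption: persistence kinds reported by a hypothetical collector.
PERSISTENCE_KINDS = {"run_key", "scheduled_task", "service", "startup_folder"}


@dataclass
class ProcessRecord:
    host: str
    path: str
    signed: bool
    signer: str = ""
    remote_ports: list = field(default_factory=list)  # outbound TCP ports seen
    persistence: str = ""                              # "" means none observed
    av_detected: bool = False                          # known-malware verdict (not used for scoring)


def score(rec, approved_signers):
    """Return per-attribute findings and a total; higher means review first."""
    findings = {}
    lowered = rec.path.lower()
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        findings["location"] = 2
    if not rec.signed:
        findings["signature"] = 3
    elif rec.signer not in approved_signers:
        findings["signature"] = 1
    if [p for p in rec.remote_ports if p not in (80, 443)]:
        findings["network"] = 2
    # Persistence is only notable when the binary is not from an approved signer.
    if rec.persistence in PERSISTENCE_KINDS and "signature" in findings:
        findings["persistence"] = 2
    return {"record": rec, "findings": findings, "total": sum(findings.values())}


def triage(records, approved_signers, threshold=4):
    """Records at or above threshold, highest first, regardless of AV verdict."""
    scored = [score(r, approved_signers) for r in records]
    flagged = [s for s in scored if s["total"] >= threshold]
    return sorted(flagged, key=lambda s: s["total"], reverse=True)


def unknown_software_ratio(records, approved_signers):
    """Share of running binaries not attributable to an approved signer."""
    unknown = [r for r in records if not (r.signed and r.signer in approved_signers)]
    return len(unknown) / len(records) if records else 0.0


# Constructed sample inventory (not real telemetry).
APPROVED = {"Microsoft Windows", "Example Corp IT"}
SAMPLE = [
    ProcessRecord("WS-01", r"C:\Windows\System32\svchost.exe", True, "Microsoft Windows", [443], "service"),
    ProcessRecord("WS-01", r"C:\Users\jdoe\AppData\Roaming\upd\updater.exe", False, "", [8443], "run_key"),
    ProcessRecord("WS-02", r"C:\Program Files\Vendor\agent.exe", True, "Unlisted Vendor LLC", [443], "service"),
    ProcessRecord("SRV-03", r"C:\ProgramData\tools\sync.exe", False, "", [], ""),
]

if __name__ == "__main__":
    for item in triage(SAMPLE, APPROVED):
        r = item["record"]
        print(f"{item['total']:>2}  {r.host:<7} {r.path}  {sorted(item['findings'])}")
    print(f"unknown software ratio: {unknown_software_ratio(SAMPLE, APPROVED):.2f}")
```

The ratio of binaries with no approved signer is the figure that speaks to how the target controls unknown software; the ranked list is where an analyst starts manual review.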


• Security Controls Review

− Determine whether the target is actually implementing key measures to protect against persistent targeted attacks

− Review the governance and structure of the target’s InfoSec response


Phase 4: Post-Closing

Integration TTX

Review information response plan

ID and brief changes

Interview key stakeholders

Develop scenarios

Deliver TTX with old and new teams


In Summary…

It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions

You will never invest in a house without an appropriate inspection

Information security involvement as part of the deal team is key

Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provide value through each phase of the transaction, are of significant value in due diligence


Alan Brill, CISSP, CFE, CIPP/US, FAAFS

Senior Managing Director

Kroll Cyber Security & Investigations

[email protected]

T +1-319-8026


© Copyright 2013 by K&L Gates LLP. All rights reserved.

Roberta D. Anderson

[email protected]

@RobertaEsq

September 22, 2015

Data Privacy and Cybersecurity Due Diligence in M&A Deals—

The Importance of Insurance Coverage


AGENDA

The Importance Of Timing

What To Look For In An Insurance Audit

Potential Coverage Under “Legacy” Policies

Limitations Of “Legacy” Insurance Policies

Cutting Edge “Cyber” Insurance

M&A Insurance Provisions

A Word About Vendor Contracts


THE IMPORTANCE OF TIMING


Advanced Attacks Go Undiscovered For A Median 229 Days

A Merger/Acquisition May Close Before The Attack Is Discovered

Resulting In Substantial Post-Closing Liability


WHAT TO LOOK FOR IN AN INSURANCE AUDIT


POTENTIAL COVERAGE UNDER “LEGACY” POLICIES


Directors’ and Officers’ (D&O)

Errors and Omissions (E&O)/Professional Liability

Employment Practices Liability (EPL)

Fiduciary Liability

Crime

Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)

Property?

Commercial General Liability (CGL)?


Coverage B provides coverage for damages because of “personal and advertising injury”

“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”

What is a “Person’s Right of Privacy”?

What is a “Publication”?


LIMITATIONS OF “LEGACY” INSURANCE POLICIES


ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”


CUTTING EDGE “CYBER” INSURANCE


Privacy And Network Security

Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats

Regulatory Liability

Provides coverage to deal with regulators and liability arising out of administrative or regulatory investigations, proceedings, fines and penalties

Crisis Management

Provides coverage for forensics experts to determine the cause of the breach, notify individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities

Media Liability

Provides coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking)


Network Interruption And Extra Expense (and CBI)

Coverage for lost business income and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken).

Information Asset Coverage

Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.

Extortion

Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat).

Emerging Market For First-Party Property Damage

Emerging Market For Third-Party Bodily Injury and Property Damage Coverage


Defense And Indemnity For Claims

Regulatory Defense, Fines And Penalties

Crisis Management


BEWARE THE FINE PRINT


M&A INSURANCE PROVISIONS


A WORD ABOUT VENDOR CONTRACTS


■ Be specific

■ Who is responsible for securing stored data? Data in motion?

■ Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls http://www.sans.org/critical-security-controls

■ Who has access to the organization’s network, and to which parts?

■ What are the required cybersecurity standards?

■ Dovetail Vendor Contracts With Insurance Contracts


Linkedin: robertaandersonesq

Twitter: @RobertaEsq

Insurance Thought Leadership