Data Privacy and Cybersecurity Due Diligence in M&A Deals Identifying Vulnerabilities, Drafting Data-Related Provisions in M&A Agreements, Post-Acquisition Data Integration Considerations

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

THURSDAY, OCTOBER 9, 2014

Presenting a live 90-minute webinar with interactive Q&A

Roberta D. Anderson, Partner, K&L Gates, Pittsburgh

Alan Brill, Senior Managing Director, Kroll, Secaucus, N.J.

Gerard M. Stegmaier, Partner, Goodwin Procter, Washington, D.C.

Tips for Optimal Quality

Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-888-450-9970 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).

You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.

If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

©2013 Goodwin Procter LLP

Privacy & Data Security in

M&A Transactions

Gerard M. Stegmaier

Partner

6

7

Goodwin Procter LLP

Fiduciary Duties of Directors

8

Goodwin Procter LLP

Class Action Lawsuits

9

Goodwin Procter LLP

Employee Privacy

10

Goodwin Procter LLP

Due Diligence

The process of asking questions and assessing and quantifying risk in order to allocate it intentionally.

11

Goodwin Procter LLP

Principal Risk Areas

• Liability

• Reputation

• Integration

12

Goodwin Procter LLP

Managing Risk

• Identify Risk

• Shift Risk

• Mitigate Risk

• Accept Risk

13 13

Goodwin Procter LLP

Asset Acquisitions: Common Features

• Buyer purchases some or all assets of the Target

• Neither ownership nor existence of Target is affected (i.e., Target shareholders continue to own their stock)

14

Goodwin Procter LLP

Stock Acquisitions: Common Features

• Buyer purchases stock of the Target from the Target’s shareholders

• All of the assets and liabilities of the Target remain with the Target (which is owned by Buyer post-closing)

• Because liabilities are acquired as well, due diligence and contractual protections should be more comprehensive, BUT fewer third party consents will be likely

15

Goodwin Procter LLP

Merger

• One company is merged with and into another, which is the Survivor

• All assets and liabilities of the merged company succeed to, and are held by, the Survivor

16

Goodwin Procter LLP

Common Merger Types

• Direct merger

• Forward triangular merger

• Reverse triangular merger

17

Goodwin Procter LLP

Common Negotiation Considerations

• Knowledge

• Materiality

• Laws

• Personal Information

• Remedies

18

Goodwin Procter LLP

8 Questions for Privacy Pros in Transactions

• What is the relationship between the diligence information sought and the transaction (both now and in the future)?

• Do I know what the deal is about and what my clients care about (or should care about)?

• Am I being a problem “solver” rather than a problem “spotter” or “administrator”?

• Is “privacy” material in this deal? How? Do I know why this matters?

19

Goodwin Procter LLP

8 Questions for Privacy Pros in Transactions

• What effect do qualifiers such as “knowledge” or “MAE” have on diligence? On the seller’s representations and risk allocations?

• Should identified issues or risks be included on disclosure schedules?

• What tools are available to manage privacy risks to help the parties complete a transaction? Escrows?

• What information may be most helpful to facilitate integration after the transaction closes and who will inherit whatever is learned?

20

Goodwin Procter LLP

GERARD M. STEGMAIER, ESQ. , PARTNER

Contact Information:

901 New York Avenue, NW Washington, DC 20001 202.346.4202

gstegmaier@goodwinprocter.com

@1sand0sLawyer

21

22 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Data Privacy and Cyber Security Due Diligence in M&A Deals

Alan Brill, CISSP, CFE, CIPP/US, FAAFS October 9, 2014

23 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

The Problem: Why has “Cyber” Become So Important?

A Quick Introduction…

1

24 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

When you or your client wants to……

Expand into a new business area Increase market share Neutralize competition Improve technology and systems Acquire a new customer base or BI data

WHAT CYBER RISKS ARE YOU BUYING OR INVESTING IN?

25 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

You Want to Know (BEFORE, not After….)

September, 2013 February, 2014

26 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

You Want to Know (BEFORE, not After….)

August, 2014 September, 2014

27 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

What’s the Cyber Risk in an M&A Transaction

Theft of intellectual property and trade secrets? Loss of sensitive business information and

strategies? Loss of customer / employee data and damages to

reputation and employee / consumer confidence? Litigation and compliance risks? Remedial expenditures? Loss of shareholder value? (Not counting compromise of data on the deal

itself!)

28 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Kroll’s Experience and Advice 2

29 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Kroll’s Approach to the M&A Cyber Challenge At all stages of the deal process, there is a continuum of cyber-risk management need.

Phase 1: Target risk evaluation − Identify key InfoSec risk facing business − Set up team to review data and processes

Phase 2: Deal and response diligence − Deal diligence on key players and assets − Technical response review of assurances

• Phase 3: Pre closing network diligence − Endpoint Threat Monitoring and analysis − Security controls review

• Phase 4: Post purchase implementation − Incident response planning incident − Table top exercise (TTX)

30 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Phase 1. Target Evaluation

Identify the InfoSec risks facing the target Data risks Regulatory risk

Develop the data security team involvement

Identification of integration issues and constraints

Define roles with transaction team

Implement secure communications approach

Identify outside expertise needs

31 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Phase 2: Pre-Signature

Development of diligence approach

Kroll diligence workup on key players and corporate assets

Assistance to review technical InfoSec reporting on pre-signing actions: Covenants, representations, and warranties Licenses, vendors, business associates Indemnification, limits, and basket Divestment triggers Avoidance of “knowledge” qualifiers Use of “Material Adverse Security Effect”

32 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Phase 3: Pre-Closing

• Endpoint Threat Monitoring and Analysis −Used to understand how the enterprise controls

unknown software inside its environment o Not just looking for known malware

−Review all binaries and processes that exhibit behavior similar to malware: location, signature, network connections, persistence

−Review all running binaries and processes −Corroborate patching processes and find

significant vulnerabilities o A two week process……

33 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Phase 3: Pre-Closing

• Security Controls Review −Determine whether the target is actually implementing key measures to protect against persistent targeted attacks −Review the governance and structure of the target’s InfoSec response

34 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Phase 4: Post-Closing

Integration TTX Review information response plan ID and brief changes Interview key stakeholders Develop scenarios Deliver TTX with old and new teams

35 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

In Summary…

It is a brave new world, and cyber risks present an emerging risk to value and liability in mergers, acquisitions and investment transactions

You will never invest in a house without an appropriate inspection

Information security involvement as part of the deal team is key

Technical solutions designed to identify and report on InfoSec risks in a relevant way, and that provides value through each phase of the transaction, is of significant value in due diligence

36 Data Privacy and Cybersecurity Due Diligence in M&A Deals Alan Briill

Alan Brill, CISSP, CFE, CIPP/US, FAAFS Senior Managing Director Kroll Cyber Security & Investigations abrill@kroll.com T +1-319-8026

© Copyright 2013 by K&L Gates LLP. All rights reserved.

Roberta D. Anderson roberta.anderson@klgates.com @RobertaEsq October 9, 2014

Data Privacy and Cybersecurity Due Diligence in M&A Deals—

The Importance of Insurance Coverage

AGENDA The Importance Of Timing What To Look For In An Insurance Audit

Potential Coverage Under “Legacy” Policies Limitations Of “Legacy” Insurance Policies Cutting Edge “Cyber” Insurance

M&A Insurance Provisions A Word About Vendor Contracts

38

© Copyright 2013 by K&L Gates LLP. All rights reserved.

THE IMPORTANCE OF TIMING

39

THE IMPORTANCE OF TIMING Advanced Attacks Go Undiscovered For A Median 229 Days A Merger/Acquisition May Close Before The Attack Is Discovered Resulting In Substantial Post-Closing Liability

40

© Copyright 2013 by K&L Gates LLP. All rights reserved.

WHAT TO LOOK FOR IN AN INSURANCE AUDIT

41

© Copyright 2013 by K&L Gates LLP. All rights reserved.

POTENTIAL COVERAGE UNDER “LEGACY” POLICIES

42

Directors’ and Officers’ (D&O) Errors and Omissions (E&O)/Professional Liability Employment Practices Liability (EPL) Fiduciary Liability Crime

Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)

Property? Commercial General Liability (CGL)?

43

POTENTIAL COVERAGE UNDER “LEGACY” POLICIES

Coverage B provides coverage for damages because of “personal and advertising injury”

“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”

What is a “Person’s Right of Privacy”? What is a “Publication”?

44

POTENTIAL COVERAGE UNDER “LEGACY” POLICIES

© Copyright 2013 by K&L Gates LLP. All rights reserved.

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

45

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

46

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

47

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

cv

cv

48

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

© Copyright 2013 by K&L Gates LLP. All rights reserved.

CUTTING EDGE “CYBER” INSURANCE

49

klgates.com back 50

Privacy And Network Security Provides coverage for liability (defense and indemnity) arising out of data

breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats

Regulatory Liability Provides coverage to deal with regulators and liability arising out of

administrative or regulatory investigations, proceedings, fines and penalties Crisis Management

Provides coverage for forensics experts to determine the cause of the breach, notify individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities

Media Liability Provides coverage for liability (defense and indemnity) for claims alleging

invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking)

CUTTING EDGE “CYBER” INSURANCE

51

Network Interruption And Extra Expense (and CBI) Coverage lost business income and extra expense caused by malicious code,

DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken).

Information Asset Coverage Coverage for damage to or theft of the insured’s own systems and hardware,

and may cover the cost of restoring or recreating stolen or corrupted data. Extortion

Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat).

52

Emerging Market For First-Party Property Damage

Emerging Market For Third-Party Bodily Injury and Property Damage Coverage

CUTTING EDGE “CYBER” INSURANCE

53

Defense And Indemnity For

Claims

Regulatory Defense, Fines And Penalties

Crisis Management

CUTTING EDGE “CYBER” INSURANCE

54

55

BEWARE THE

FINE

PRINT

56

© Copyright 2013 by K&L Gates LLP. All rights reserved.

M&A INSURANCE PROVISIONS

57

58

M&A INSURANCE PROVISIONS

59

M&A INSURANCE PROVISIONS

60

*****

M&A INSURANCE PROVISIONS

© Copyright 2013 by K&L Gates LLP. All rights reserved.

A WORD ABOUT VENDOR CONTRACTS

61

A WORD ABOUT VENDOR CONTRACTS ■ Be specific

■ Who is responsible for securing stored data? Data in motion?

■ Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls http://www.sans.org/critical-security-controls

■ Who has access – and to which parts –to various parts of the organizations network?

■ What are the required cybersecurity standards?

■ Dovetail Vendor Contracts With Insurance Contracts

62

63

Linkedin: robertaandersonesq

Twitter: @RobertaEsq

Insurance Thought Leadership