0
Data Security and Privacy Due DiligenceData Security and Privacy Must Play a Part in M&A Due Diligence

Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).

These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.

Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.

 

Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:

  • Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model.  Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).

 

Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel.  Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company.  Octillo retains privacy attorneys and security professionals with a deep understanding of the technology in the law.

For more information on this topic, contact Octillo attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

0
Cybersecurity AwarenessCybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Octillo is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Identification  

Add multi-factor authentication to your accounts. These tools require you to grant access to your accounts every time someone tries to log in.   

 

2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  

 

3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  

 

4. Use Strong Passwords  

Choose unique passphrases as an alternative to passwords (ie. Myd0g1sth3b3st! vs. Fido123). Use a different password for each account. To help keep your credentials straight, consider using a password manager.   

 

5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 

 

6. Avoid Public or Unsecure Wi-Fi Networks  

Do not connect to a public or unsecure Wi-Fi network, such as at a coffee shop or hotel. Any sensitive information transmitted over these unsecure connections can be accessed by other users on the network. When a secure network is not available, opt to use your mobile hotspot.  

 

7. Create Email Forwarding Alerts  

Set up alerts when forwarding rules are added to your e-mail account and routinely check email forwarding rules. If threat actors gain access to an email account, they may create account rules to hide their activity.      

 

8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    

 

9. Keep Track of your Backups  

Make sure to have backups of important backups in place and these backups are stored separate from your normal environment. Check the integrity of your backups regularly. 

 

10. Find A Data Security Team  

Creating data security policies, procedures, and plans be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness. 

 

 

*Attorney advertising – prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Cybersecurity Map of United StatesCISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19th, the National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigations (FBI) released a joint cybersecurity advisory pertaining to Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”  

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after the release of operating system and application patches.  Updates are often quickly reverse-engineered by threat actors to determine the vulnerability that is being fixed and whether it can be weaponized. 

Employ monitoring and detection technologies give you a 360-degree view of what is happening on your network.  Be sure you can see lateral movement, which may show indicators of compromise, inside-out traffic to malicious hosts, which may indicate command and control communication, and outside-in communication, which could reflect attempts at compromise from external sources.   

Implement strong preventative measures to mitigate or help prevent compromise from occurring.  These include active anti-virus and multi-factor authentication. 

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above is applicable to any business. Following these best practices does not guarantee the prevention of a security incident but can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems and can reduce detection time. 

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Octillo attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@octillolaw.com.  

*Attorney advertising: prior results do not guarantee future outcomes. 

AIAccountability and the Use of Artificial Intelligence

Accountability and the Use of Artificial Intelligence

As artificial intelligence (“AI”) and automated decision-making systems make their way into every corner of society – from businesses and schools to government agencies – concerns about using the technology responsibly and accountability are on the rise. 

The United States has always been on the forefront of technological innovations and our government policies have helped us remain there.  To that end, on February 11, 2019, President Trump issued an Executive Order on Maintaining American Leadership in Artificial Intelligence (No. 13,859).  See Exec. Order No. 13,859, 3 C.F.R. 3967.  As part of this Executive Order, the “American AI Initiative” was launched with five guiding principles:

  1. Driving technological breakthroughs; 
  2. Driving the development of appropriate technical standards; 
  3. Training workers with the skills to develop and apply AI technologies; 
  4. Protecting American values, including civil liberties and privacy, and fostering public trust and confidence in AI technologies; and
  5.  Protecting U.S. technological advantages in AI, while promoting an international environment that supports innovation. Id. at § 1. 

Finally, the Executive Order tasked the National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce with creating a plan for the development of technical standards to support reliable, robust, and trustworthy AI systems.  Id. at § 6(d). To that end, the NIST released its Plan for Federal Engagement in Developing Technical Standards in August 2019.  See Nat’l Inst. of Standards & Tech., U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tools (2019). 

While excitement over the use of AI was brewing in the executive branch, the legislative branch was concerned with its accountability as on April 10, 2019, the Algorithmic Accountability Act (“AAA”) was introduced into Congress.  See Algorithmic Accountability Act of 2019, S. 1108, H.R. 2231, 116th Cong. (2019).  The AAA covered business that: 

  1. Made more than $50,000,000 per year;
  2. Held data for greater than 1,000,000 customers; or
  3. Acted as a data broker to buy and sell personal information.  Id. at § 2(5). 

The AAA would have required business to conduct “impact assessments” on their “high-risk” automated decision systems in order to evaluate the impacts of the system’s design process and training data on “accuracy, fairness, bias, discrimination, privacy, and security”.  Id. at §§ 2(2) and 3(b).  These impact assessments would have required to be performed “in consultation with external third parties, including independent auditors and independent technology experts”.  Id. at § 3(b)(1)(C).  Following an impact assessment the AAA would have required that business reasonably address the result of the impact assessment in a timely manner.  Id. at § 3(b)(1)(D).  

It wasn’t just the federal government who is concerned about the use of AI in business as on May 20, 2019, the New Jersey Algorithmic Accountability Act (“NJ AAA”) was introduced into the New Jersey General Assembly.  The NJ AAA was very similar to the AAA in that it would have required businesses in the state to conduct impact assessments on “high risk” automated decisions. See New Jersey Algorithmic Accountability Act, A.B. 5430, 218th Leg., 2019 Reg. Sess. (N.J. 2019).  These “Automated decision system impact assessments” would have required an evaluation of the systems development “including the design and training data of the  automated  decision  system,  for  impacts  on accuracy,  fairness,  bias,  discrimination,  privacy,  and  security” as well as a cost-benefit analysis of the AI in light of its purpose.  Id. at § 2.  The NJ AAA would have also required businesses work with independent third parties, record any bias or threat to the security of consumers’ personally identifiable information discovered through the impact assessments, and provide any other information that is required by the New Jersey Director of the Division of Consumer Affairs in the New Jersey Department of Law and Public Safety.  Id

While the aforementioned legislation has appeared to have stalled, we nevertheless anticipate that both federal and state legislators will once again take up the task of both encouraging and regulating the use of AI in business as the COVID-19 pandemic subsides.  Our team at Octillo contains attorneys who are focused on technology, data security, and privacy and have the experience to advise your business on the best practices for the adoption of AI and automated decision-making systems. 

*Attorney Advertising. Prior results do not guarantee future outcomes. 

Subscribe to our Newsletter

CozyBear BreachOngoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Ongoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Octillo’s Incident Response Team is monitoring an evolving hacking campaign that is leveraging a popular managed service provider named SolarWinds.

What happened?

Beginning over the weekend, multiple organizations around the globe, including United States government agencies, have been targeted by a hacking campaign reportedly carried out by a Russian organization known as CozyBear, APT29, or UNC2452.  While cybersecurity officials are currently scrambling to implement countermeasures, initial signs suggest this campaign has been running for months. 

Who has been affected?

FireEye, an American cybersecurity firm that was one of the organizations accessed, has led much of the analysis on this sophisticated cyber attack.  Other victims so far include government agencies, consulting, technology, telecom, and oil and gas companies across North America, Asia, Europe, and the Middle East.

How was this attack carried out?

The attackers used a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST.  Once this Trojan has infiltrated a server, the attackers are able to remotely control the devices on which this update has been installed.  They can use this access to move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources.  By confirming itself as an authorized user, the attackers may be able to maintain this access even if the SolarWinds backdoor is removed, creating a slew of additional issues that may present themselves in the future.

The SUNBURST malware is stealthily designed to make it very difficult to determine whether a computer has been affected.  After the backdoor has accessed a device, it waits quietly for a period of 12 to 14 days before taking any action.  Once activated, the attacker sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment.  This allows the attacker to blend into the environment, avoid suspicion, and evade detection.  The attackers also use primarily IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.

What to do now

Octillo recommends that organizations using SolarWinds as a provider implement several preventative steps to safeguard their organization including of the following measures:

  • Review current incident response protocols and processes.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Octillo has extensive experience dealing with headline-making data incidents similar to the CozyBear attack.  Our team can assist you with implementing urgent preventative actions to avoid falling pray to this attack.  If your systems have been accessed, we can work to minimize your legal exposure and regulatory vulnerabilities and manage response efforts and communications with any relevant stakeholders.

If an attack is detected and additional resources are needed, Octillo can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

The Big Take Away

Attackers continue to target service providers.  This incident is one more piece of evidence that service providers are highly desirable and valuable businesses to compromise because they can provide an attacker with access to many, many clients.  Attackers are looking for the hub of the wheel, so they can expand into all the spokes and carry out many simultaneous breaches.

This reality makes vendor management programs, including vendor security audits and initial security questionnaires of service providers more essential than ever.  Octillo’s clients benefit from our counsel on vetting vendors and service providers in order to mitigate risk of falling victim to a cyber attack because of a vendor compromise.

A Holiday Reminder on Malicious Activity

Phishing campaigns, email compromise, and ransomware activities are extremely common around the holiday season. As a reminder, be sure your organization is being diligent in your efforts against these types of attacks even if you have not been affected by this particular incident.

*Attorney advertising. Prior Results do not guarantee future outcomes.

Subscribe to our Newsletter.

1 2 3 6