Privacy Breaches in M&A Deals: the Importance of Data Security Diligence

  • April 20, 2023
  • Mitch Koczerginski, Chris Garrah, Adriana Rudensky and Robbie Grant, McMillan LLP

In 2006, British mathematician Clive Humby famously declared “data is the new oil.” Indeed, data is becoming increasingly important in a growing number of industries. That is why, when deciding whether to proceed with an M&A transaction, it is imperative to assess the privacy and data security controls of the target company.

As we have written in the past, numerous privacy issues can negatively impact an M&A transaction. A company’s failure to comply with CASL[i] can potentially lead to serious fines. A company’s mismanagement of consent can render large amounts of personal information virtually useless. With overhauls to Canada’s privacy regime (including serious penalties) both in progress and on the way, bringing a company’s privacy management program up to standard is only becoming more costly.

However, there may be no privacy issue more significant to a transaction than the threat of a data breach. Data breaches can result in regulatory notification and disclosure obligations, class actions, harms to reputation, and regulatory penalties. Even where personal information is not concerned, data breaches can expose intellectual property or other confidential information, or disrupt a company’s operations.

In this bulletin, we focus on the importance of data security diligence, tips for the diligence process, and mitigation strategies for companies that have identified risks and wish to proceed with the deal. We also discuss the need to assess and quickly remediate any flaws in a target company’s data security posture following a transaction.