Mergers & Acquisitions: Privacy and Security Considerations
Privacy Attorney Iliana Peters on Preventing Deal Busters
How do data privacy and security matters affect organizations that are contemplating a merger or acquisition? Attorney Iliana Peters offers insights into the various cybersecurity, data breach and compliance issues that can potentially doom a business deal.
For instance, an organization that is being targeted for acquisition might have additional hurdles to overcome if it is found to have unresolved data privacy, cybersecurity or regulatory compliance issues, she says in an interview with Information Security Media Group.
A buyer might ask the company being acquired to place a "significant amount of money ... into escrow to address any potential investigatory or compliance concerns with regard to action both under state and federal law," Peters says.
For example, if the organization being acquired has an ongoing investigation with the Department of Health and Human Services' Office for Civil Rights or a state attorney general - or an ongoing lawsuit related to a data breach - "the buyer may want additional money to be put in escrow to address any outcomes of the litigation or regulatory investigation," she explains.
"And that can really put a hitch into the negotiations ... especially if the seller is not prepared to give assurances of compliance in regards to the underlying obligations under state or federal law."
Due Diligence
With these considerations in mind, both the selling and buying entities need to take certain critical steps, she advises.
"Generally, what we try to do with the seller is encourage them to get their data privacy and security house in order - and that is to outline what the buyer is going to be looking for in any particular transaction in regards to data privacy and security," she says.
As for the buyer, as part of their due diligence, "it's really important to be cognizant of these [state and federal] rules. A lot of sellers don't focus as much as they should on the liability that can be created with noncompliance. ..."
In the interview, Peters also discusses:
- The impact of data breaches that are discovered after the sale of one entity to another (see Yahoo Takes $350 Million Hit in Verizon Deal);
- Privacy and security considerations before signing a business deal with a vendor that will be handling protected health information;
- Other privacy and security tips for organizations that are considering a merger, acquisition or other significant business deal.
Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. Before joining Polsinelli last year, Peters spent more than a decade at HHS' OCR, including as the acting deputy director of health information privacy and as the senior adviser for HIPAA compliance and enforcement. She played a key role shaping OCR's enforcement agenda, as well as working with covered entities and business associates to address privacy and security issues. Before joining the OCR team in Washington, Peters worked as an investigator in OCR's Dallas regional office.