Last week we posted about a digital footprint, which applies to individuals and businesses. However, this week we wanted to take the digital footprint a bit further. How can a digital profile impact a business, specifically in the realm of mergers and acquisitions? Due diligence plays a big role in assessing the impact of a business’s digital profile. Due diligence starts by asking the right questions. We will present a few here to get you started, but the most valuable asset during a transaction is a subject matter expert(s) who understands both IT and legal data security and privacy principles.
As mentioned last week, the concept of a digital footprint is an older concept, but many businesses are just now beginning to understand the impact and risk associated with their profiles. First, the following short list includes a few considerations for a digital profile of a business:
A thorough review of policies and procedures will likely reveal the business’s current understanding of applicable laws and regulations and the corresponding impact. Additionally, you should gain insight into the training practices, readiness and responsiveness to security and privacy events, and any considerations the business has towards insurance.
Most businesses don’t want to talk through prior breaches or disclose liability history. However, you can use the information to find gaps in understanding, application, and internal adoption of the business’s policies and procedures. If the current policies and procedures were not successful in a prior breach, internal issues, like leadership, could pose problems to the transaction.
The business’s data uses can reveal the highest risk elements to a transaction. Simple questions really: (1) How much data is collected, and from where and whom? (2) How and where is the data stored? (3) How is the data shared or sold? and (4) 3rd parties are involved. Tell me more.
Here, we go back to the digital footprint a bit. Social media and digital marketing initiatives provide good and bad exposure for a business. However, you might consider extending the analysis to key and/or random employee profiles and unclaimed, auto-generated profiles (recruiting sites).
The gross revenue of the business will determine applicability of some of the laws and regulations. For instance, the new California privacy law taking effect in 2020 applies to businesses with gross revenues greater than $25 million. The new California law requires more than just gross revenues, but it is a factor in considering application of the law. Thus, you will likely want to consider financial information within the context of due diligence concerning data security and privacy.
This list starts you moving down the right track; however, you must answer who will bear the risk. Two words lead to success or failure – due diligence. Due diligence is the gray that distinguishes a good deal from a tragic one.
If you need help assessing digital profile risk as part of a business transaction, call us today to schedule a consultation.
The Grenier Law Firm believes that education is an important part of top-quality legal services. The excerpts and posts on this site are for educational purposes only. We want to keep educational materials available here for you. However, you must understand that providing these excerpts and posts should not be construed as legal advice or creating an attorney-client relationship between you as the reader and our authors. Because these excerpts and posts are intended as informational, you should always seek out the appropriate legal advice before acting or not acting based on what you read here.