A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

Similar documents
Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

NYDFS Cybersecurity Regulations

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Protecting your data. EY s approach to data privacy and information security

HPE DATA PRIVACY AND SECURITY

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Cyber Risks in the Boardroom Conference

Cybersecurity The Evolving Landscape

General Data Protection Regulation (GDPR)

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Five Ways that Privacy Shield is Different from Safe Harbor and Five Simple Steps Companies Can Take to Prepare for Certification

Version 1/2018. GDPR Processor Security Controls

SANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018

Data Protection and GDPR

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Cybersecurity Considerations for GDPR

CEM Benchmarking Privacy Policy

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Accelerate GDPR compliance with the Microsoft Cloud

Data Protection Policy

GDPR Compliance. Clauses

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

GENERAL DATA PROTECTION REGULATION (GDPR)

DATA PROCESSING AGREEMENT

VERSION 1.3 MAY 1, 2018 SNOWFLY PRIVACY POLICY SNOWFLY PERFORMANCE INC. P.O. BOX 95254, SOUTH JORDAN, UT

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

BIOEVENTS PRIVACY POLICY

ADIENT VENDOR SECURITY STANDARD

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Cybersecurity and Nonprofit

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Google Cloud & the General Data Protection Regulation (GDPR)

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Integrating HIPAA into Your Managed Care Compliance Program

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

Privacy Notice for Business Partners

General Data Protection Regulation

Cybersecurity in Higher Ed

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Jefferies EMEA Privacy Notice

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

OUR PRIVACY POLICY. 1. Our Privacy Principles. 2. Information that We Collect from You. Last Updated: May 25, 2018

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR: An Opportunity to Transform Your Security Operations

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Cybersecurity Auditing in an Unsecure World

SECURITY & PRIVACY DOCUMENTATION

Online Ad-hoc Privacy Notice

GDPR: A GUIDE TO READINESS

1 Privacy Statement INDEX

Magento GDPR Frequently Asked Questions

PTLGateway Data Breach Policy

Data Breach Preparation and Response. April 21, 2017

Security Policies and Procedures Principles and Practices

Best Practices in Securing a Multicloud World

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

PS Mailing Services Ltd Data Protection Policy May 2018

DATA PROTECTION POLICY THE HOLST GROUP

Checklist: Credit Union Information Security and Privacy Policies

Emsi Privacy Shield Policy

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Information for entity management. April 2018

SURGICAL REVIEW CORPORATION Privacy Policy

Subject: Kier Group plc Data Protection Policy

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

The Common Controls Framework BY ADOBE

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Privacy Shield Policy

Ohio Supercomputer Center

Data Processing Agreement

Employee Security Awareness Training Program

Eco Web Hosting Security and Data Processing Agreement

Data Processing Clauses

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

PRIVACY NOTICE STORM RECRUITMENT UNIT 11, 2 ND FLOOR CHARLESLAND CENTRE, GREYSTONES, CO. WICKLOW 1. INTRODUCTION

A Practical Look into GDPR for IT

GDPR: A QUICK OVERVIEW

The GDPR Are you ready?

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

The Impact of Cybersecurity, Data Privacy and Social Media

Guide to Cyber Security Compliance with GDPR

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Protecting your next investment: The importance of cybersecurity due diligence

Transcription:

May 2018 TMT INSIGHTS From the Debevoise Technology, Media & Telecommunications Practice A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions Companies in the technology, media and telecommunications ( TMT ) sectors typically are online-dependent and collect a great detail of valuable information from and about their customers. For these and other reasons, TMT companies are among the most attractive targets for all sorts of cyber breaches, including denial of service attacks, viruses, ransomware and other forms of malware. When considering the acquisition of a business in the TMT sector, diligence requires paying close attention to these cybersecurity, data protection and privacy issues. Acquirers should explore four key areas, using tools including document review, interviews with the target s personnel, and questionnaires: When and to what extent the target collects, stores, processes and transfers personal information The target s information security resources, practices and procedures The target s data security and privacy compliance history Where applicable, particular sector-specific requirements Collection, Storage, Processing and Transfer of Personal Information A checklist of issues should include the following: The categories of personal data collected. Virtually every business has employee-related data. TMT companies that are retail-oriented or consumer-facing are also likely to collect and store vast amounts of personal information from website visitors and customers. Whether any data is subject to specialized regimes. If, for example, the target collects or stores card data or health information, it may be subject to the Payment Card Industry Data Security Standard or the Health Insurance Portability and Accountability Act, respectively.

TMT Insights May 2018 2 From whom is data collected. Data collected from persons outside the United States may be subject to national or transnational laws. The European Union s General Data Protection Regulation ( GDPR ), which goes into effect on May 25, has been the subject of significant publicity. Focusing on compliance with EU data protection law, including the GDPR, may be a given but many countries outside the EU also regulate the collection and use of data from their citizens. Where data is stored. Knowing where the target stores its data on premises or in data centers, in the U.S. or elsewhere and whether it maintains a data inventory is important in understanding the target s compliance with data protection laws (including those relating to data localization) and assessing potential vulnerabilities. Use of third-party software and service providers. Third-party systems can be both potential points of vulnerability and vectors for attacks on the target itself. If the target uses third parties to collect or store significant amounts of data, it is important to understand how it vets and selects those vendors and ensures their continuing compliance with data security best practices and applicable law. Downstream data practices. If the target is itself a service provider that stores or processes data on behalf of other organizations, diligence should include those entities own data collection practices and compliance with law and best practices, as well as the target s contractual obligations to those entities. Transfer of personal data. The European Union s 1995 Data Protection Directive regulates the transfer to the U.S. of personal data about EU residents. This regime is not materially changed by the GDPR. If the target does collect information from EU residents and transfer that data outside the EEA, diligence should include ensuring that it does so for authorized purposes and in accordance with appropriate legal mechanisms, such as model contractual clauses, binding corporate rules or (for transfers to the U.S.), the Privacy Shield. Information Security Resources, Practices and Procedures Data Security Resources. Understand the target s data security function, including the experience, resources and reporting lines of its leaders, who may include a chief information security officer and/or chief privacy officer, and their role and reporting responsibilities in the organization. If the target has adequate personnel, that will go a long way towards getting comfortable with its level of data security awareness and preparedness. If the target is being carved out of a larger organization and the data security functions and resources are at the seller level, a potential acquirer should review the target s internal resources and reach agreement with the seller as to which, if any, of the responsible personnel will transfer as part of an acquisition. Training. Periodic training of personnel on data security and privacy issues is critical to minimizing the risk of breaches caused by careless or intentional acts of employees or contractors.

TMT Insights May 2018 3 Written information security plan. Both law and best practice may require the development, maintenance and periodic review of a written information security plan. Certification of information security practices or conformity with an industry-standard framework (e.g., the Cybersecurity Framework of the National Institute of Standards and Technology), can signal the target s commitment toward data security. Data loss protection. Measures a target takes to prevent data loss may address the risk of potential exfiltration by a departing employee of valuable or commercially sensitive data. Audits and other data security assessments. Obtain and review any periodic data security assessments or audits of the target. The extent of the target s periodic testing of network and application vulnerabilities can assist in assessing the risk of an attack being successful. Evaluate material weaknesses, the cost of remediating them and who is responsible for remediation. Business continuity and disaster recovery plans. If these plans are in written form, they should be reviewed to understand when and how the target backs up data and how the target would continue operations under various adverse scenarios affecting data security. Data Security and Privacy Compliance History Data security breaches. Examine data security breaches occurring during a reasonable look-back period (such as the past two or three years) that had or could have had a material effect on the target s businesses. Understand the circumstances, nature and extent of each breach and review any forensic analysis and incident reports. If personal data was accessed and disclosed, review the notifications made to affected persons and government authorities. Assess the consequences of the breach (i.e., leakage, actual use of disclosed information by bad actors), any litigation and regulatory inquiries and the steps taken to remediate security gaps that may have facilitated or contributed to the breach. Complaints. Examine any meaningful (and material amounts of) complaints made regarding the target s privacy practices during the look-back period, as well as any governmental inquiries into the target s data security or privacy practices. Privacy policies. Consumer-facing TMT businesses that collect information on their websites should have comprehensive and accurate privacy policies. Inasmuch as privacy policies frequently change over time, review whether the target s actual practices regarding the collection and use of personal data conformed with its stated policies in effect at the time.

TMT Insights May 2018 4 Sector-Specific Issues Specific types of TMT businesses may warrant additional diligence: Telecommunications Data Security Practices. U.S. telecommunications companies are subject to regulation by the FCC. Under the Communications Act of 1934, the FCC requires carriers to maintain just and reasonable data security practices, which includes their taking every reasonable precaution to protect customer data; the failure to maintain appropriate security practices can be considered be an unjust and unreasonable practice. Customer Proprietary Network Information. The Communications Act also restricts carriers use and disclosure of customer proprietary network information. The FCC has adopted regulations that obligate those companies to provide notice to consumers regarding uses of their data and report breaches both to the FCC and affected consumers. Failure to comply with the FCC s regulations can result in significant civil penalties. Software Access to Codebase. Targets may employ a range of software on a variety of platforms, from on-premises installations to software-as-a-service (SaaS). Assess the data security measures that a SaaS or other software vendor takes to restrict access to its codebase and development platforms. Diligence should encompass review of the vendor s relationship with third-party developers or others who may have access to those platforms, ensuring that they are required to adhere to appropriately stringent data security obligations. Security Updates. Targets that are software dependent should regularly update software to address known or potential security vulnerabilities. An outside audit of the codebase may identify such vulnerabilities, including the use of older software or the failure to update the software with security patches. Contributors Jeffrey P. Cunard Partner Washington, D.C. jpcunard@debevoise.com +1 202 383 8043 Michael A. Diz madiz@debevoise.com +1 212 909 6926 Jim Pastore jjpastore@debevoise.com +1 212 909 6793 Jonathan E. Levitsky jelevitsky@debevoise.com +1 212 909 6423 Michael Schaper mschaper@debevoise.com +1 212 909 6737

TMT Insights May 2018 5 About Our Practice Debevoise s far-reaching TMT practice is a top choice for clients seeking trusted advisors for complex deals or high-stakes cases. Highly ranked in a variety of categories in the technology, media and telecommunications space, Debevoise has what Chambers Global describes as a TMT practice that is full-service and creative, and has a global presence. For more information please visit our Technology, Media and Telecommunications practice page.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback