This Cleary blog provides guidance on how to address the risks associated with a seller’s pre-closing privacy-related liabilities. Here’s an excerpt discussing why a buyer shouldn’t simply rely a “compliance with law” rep to address privacy matters:
Practitioners often rely on a general “compliance with laws” representation to address privacy-related risks; however, such a representation does not always provide sufficient protection for a purchaser against privacy and data security risks. The “compliance with laws” representation is often heavily qualified and covers a limited period of time (e.g., the target’s operation during the year prior to the transaction), which may not be appropriate for privacy matters. The representation also fails to cover certain issues of concern in the privacy context.
Specific privacy-related rep are a better approach. In addition to compliance with privacy laws, these reps can address contractual obligations & other data security measures – such as industry-standard security measures, disaster recovery, and backup equipment and facilities – that are not required by law or contract. They can also be used to address a range of other issues, including threatened enforcement actions & unauthorized data access, as well as to compel disclosure of the seller’s privacy policies & practices.
– John Jenkins