July 6, 2018

Due Diligence: Cyber & Data Privacy Checklist for TMT Deals

Tech, media & telecom companies typically harvest vast amounts of online customer data. This Debevoise memo provides guidance on developing a cybersecurity & data privacy due diligence checklist for deals involving targets in these sectors. Here’s the intro:

Companies in the technology, media and telecommunications (“TMT”) sectors typically are online-dependent and collect a great detail of valuable information from and about their customers. For these and other reasons, TMT companies are among the most attractive targets for all sorts of cyber breaches, including denial of service attacks, viruses, ransomware and other forms of malware. When considering the acquisition of a business in the TMT sector, diligence requires paying close attention to these cybersecurity, data protection and privacy issues.

Acquirers should explore four key areas, using tools including document review, interviews with the target’s personnel, and questionnaires:
– When and to what extent the target collects, stores, processes and transfers personal information
– The target’s information security resources, practices and procedures
– The target’s data security and privacy compliance history
– Where applicable, particular sector-specific requirements

The memo provides guidance about the specific diligence issues that should be addressed in each of these key areas.

John Jenkins