1. Home
  2. Deal Stage
  3. Business Development
  4. Teaching Active M&A Dogs New Privacy and Cybersecurity Tricks: 5 New Approaches for Serial Acquirers

Teaching Active M&A Dogs New Privacy and Cybersecurity Tricks: 5 New Approaches for Serial Acquirers

Troutman Pepper share tips to optimize cybersecurity due diligence

James Koenig, Brent T. Hoard and Peter T. Wakiyama
Teaching Active M&A Dogs New Privacy and Cybersecurity Tricks: 5 New Approaches for Serial Acquirers

Over the last few years, M&A deal flow has hit record highs, ebbed and risen again as strategic technology acquisitions have given way to selective private equity transactions.

As traditional technology funding becomes more difficult to find and debt financing comes back in style, serial acquirers are trying new approaches to better assess the value of personal data and understand privacy and cybersecurity diligence, risk and post-close integration efforts.

This section of the report is sponsored by Troutman Pepper and originally appeared in the Winter 2023 issue of Middle Market DealMaker. Read the full story in the archive.

Here are five innovative approaches to save time and money on diligence, quickly rate privacy and cybersecurity risk, and develop road maps and playbooks to provide a more effective platform for sharing data, enabling analytics and maximizing data value across portfolio companies.

1. Key Pre-Term Sheet Data Points to Assess Value. While many serial acquirers use a playbook for managing diligence, some are extending the scope of the traditional playbook to assess data issues earlier (ideally pre-term sheet or very early in diligence).

Questions to ask include: Are there restrictions on sharing and/or sales of personal information in the context of a merger or acquisition transaction? Will there be any material differences in use cases post-close? May the target use personal information for current and new product improvements and/or analytics?

The pre-term sheet questions are designed to evaluate key privacy policy terms to confirm the existence of rights that create value (e.g., transfer, sharing, secondary uses, de-identification, etc.).

2. Privacy Diligence Framework to Assess Inherent Risk. Thorough diligence is often conducted before delivering meaningful feedback on privacy and cybersecurity risk. Some serial acquirers are using an inherent risk framework to immediately gauge privacy risk and scope the depth of privacy and cyber diligence (e.g., one version of our framework includes six areas of inherent risk that can be gauged without significant diligence).

Based on this inherent risk framework, the serial acquirer decides whether to conduct limited, targeted or no privacy/cybersecurity diligence.

3. Using AI to Review DPAs. To reduce costs and accelerate diligence, many serial acquirers use artificial intelligence to review common, recurring structured agreements. One new application of AI is for reviewing data protection agreements (DPAs). By loading numerous DPA templates and indicating preferred templates, models and provisions, AI can provide quick, high-level reviews for problematic provisions, such as data use/rights limitations, limitation of liability and indemnification, and prioritize DPAs for in-depth review.

4. New or Updated M&A Playbook. Many M&A issues are recurring and involve post-close integration. For efficiency, we have worked with clients to develop a playbook that includes over 30 common issues across five key areas (e.g., privacy program compliance) and remediation approaches adopted by the client. The playbook includes template policies and procedures and other solutions that can be deployed as a closing condition or in post-closing integration.

5. Intra-Portfolio Information Sharing. Historically, serial acquirers have purchased a business based on how the target fits into their existing businesses or portfolio. Now, innovative acquirers are increasingly evaluating how a target’s data aligns with analytics, marketing and benchmarking across the businesses/portfolio. Maximized compliant sharing (and use) is accomplished through review of contractual rights, pre- or post-close privacy policy modifications and internal access controls to allow or restrict intra-portfolio sharing. Even in cases where acquisition targets may not have secured extensive data rights, a serial acquirer can still develop a valuable enterprise-wide database over time.


In their roles as partners at Troutman Pepper, James Koenig co-chairs the firm’s Privacy + Cyber Practice Group, representing global clients in multiple industries; Brent T. Hoard works with clients to protect and maximize the value of their data; and Peter T. Wakiyama advises clients in all areas of intellectual property and data privacy/security.