Data privacy and security increasingly matter in company valuations. Investors and acquisition teams are backing away from target companies that cannot show they comply with data protection laws, or citing that weakness to impose harsher or longer buyout or investment terms.
“We’re starting to see much closer attention to data protection and data security when an M&A [merger and acquisition] process starts off,” says Cynthia LaRose, chair of the Privacy and Data Security Practice at Boston-based law firm Mintz Levin. “Companies are realising this is an additional element of risk.”
She says this is in part a result of state laws in the US requiring companies to report data breaches, which can be damaging to a company’s reputation and revenue, and spur costly class-action lawsuits.
In addition, non-compliance with data protection laws, particularly in the EU, can mean target companies will lose a significant part of their claimed user base and customer data once they do comply, making them less attractive.
Though rare even just 18 months ago, due diligence between parties to an acquisition or an investment now routinely includes a questionnaire on privacy and data-management policies and processes, and seeks audits and proof of compliance with laws, stretching back three to five years, LaRose says.
“Now the investors are looking at this, kicking the tyres and saying, ‘are we being sold a pig in a poke here?’,” she says. “It means companies really need to think about this. We’ve had several deals now where the sale has been significantly slowed down because the seller wasn’t ready with this information, or where the founders ended up with less money.”
In addition, the company founders’ “earn-outs” – the period over which they are paid their agreed buy-out amount and remain tied to the company – can be extended by many months, with more onerous additional terms and conditions, as purchasers wait to make sure no problems emerge from past data policies and management.
In some cases, buyers have been advised not to proceed with an acquisition or investment, says LaRose. She was involved with one deal that would normally have taken two months to close, but instead dragged out to eight months.
Tech sector startups can be the worst at compliance, she notes.
“We’re still seeing that, with respect to startups and especially the startups with really great interest from investors, especially unicorns [startups valued at over $1 billion]. So many of these are busy building the next big thing that they aren’t thinking about this. It’s still surprising to me that there’s this lack of recognition from tech companies that this is a value proposition for them.”
A common concern is a popular app or service without an adequate means of managing data such as credit card details safely on the back end, she says.
The difference between EU and US data protection law is also a complexity that many companies on both sides of the Atlantic fail to consider, she adds. “We’re starting to see a lot of different issues emerging when US companies are looking at EU-based acquisitions,” she says. US companies “can suddenly realise they have data-transfer issues” as the data of EU citizens has to be handled with greater protections.
“Or there can be companies wondering how do we deal with Irish customers, given the difference in cookie law [for websites] where customers have to opt in in Europe but opt out in the US.”
An acquiring company would have to go back and ask all potential users if it could keep them on its database, with the likelihood that many of those users would not reply or would say no. Those concerns affected the ultimate valuation of the company, she said.
“It’s still all about the eyeballs and the users, so it does affect valuations and earn-outs. We’ve seen earn-outs stretch from a year to two years, which would never have happened five years ago.”
Data-protection consultant Daragh O’Brien of Castlebridge Associates in Dublin, who works regularly with M&A clients, says these issues are definitely affecting Irish startups and influencing investment and buyout decisions here. “If your key asset is your customer database, then that is going to be the key to your valuation.”
Potential problems can arise when an acquiring company wants to merge member or customer lists. If data weren’t correctly acquired and maintained by the target company, the acquiring company may not be able to do this, he says.
In one case that he was involved with, “data protection and data quality were one of the reasons a deal fell through”.
He also cites the case of a client company that is getting strong interest from venture capital investors, while similar competitors are finding it harder to get attention. The difference that has appealed to investors is the company’s careful attention to data compliance, he says. “VCs want to know they’re getting their money back. They want a clean exit,” he says. “[Data compliance] is an issue. It’s not up at the top of the list for many Irish companies, but it should be.”
He advises acquiring companies to have a conversation with their newly gained customers “so you have clear communications early on, where you can refresh the permissions” from customers to hold their data.
Having regular, direct communications in this way “is an opportunity organisations are missing” because companies can form a longer-term beneficial relationship and ensure their databases are up to date, he says.
LaRose says US companies tend to be more data-security than data-privacy focused, because security is the main thrust of existing US law. She feels, however, that US companies remain worryingly unaware of the potential for problems if – as many expect – the European Court of Justice decides later this year to declare the Safe Harbour data management arrangements between the US and EU to be inadequate.
The Safe Harbour question has arisen in the context of the case that law graduate Max Schrems has taken against the Irish Data Protection Commissioner regarding the handling of his Facebook data. The case was heard by the European Court of Justice earlier this year.
“There’s so much uncertainty right now,” she says. Though she believes some alternative to Safe Harbour will be agreed – “internet commerce is just too important an industry now” – companies globally need to realise such laws and agreements are critical to business.
She also feels US companies will welcome the pending new EU Data Protection Regulation, even though it will demand US companies adhere to a higher level of data protection than required in the US, because it should bring a consistency of regulation across the whole EU region. “It will be a help, because it will be a single point of compliance.”