Last year saw an increase in the frequency of data breaches and this trend is unlikely to disappear in 2018. We previously reported on the importance of cybersecurity in the M&A due diligence process. Conducting due diligence of a target’s cybersecurity procedures has become even more crucial in light of Canada’s new notification requirements. These requirements, regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA), are based on amendments made to PIPEDA in 2015 as well as a regulation proposed in 2017 called Breach of Security Safeguards Regulations (Regulations). The Regulations will impose new notice requirements in the event of a ‘breach of security safeguards’ and are expected to come into force later this year.
The new security breach notification requirement is three-pronged. It requires:
- a report to the Office of the Privacy Commissioner of Canada;
- a notice to affected individuals; and
- a notice to other organizations (where such notification may reduce the risk of harm).
Organizations will also be required to retain records of every breach of security safeguards involving personal information for a period of 24 months after the day on which the organization discovers the occurrence of such breach.
Cybersecurity due diligence
In light of the new requirements, the following are some critical questions to ask when conducting due diligence in an M&A deal:
- Nature and risk profile of the data: Does the target company clearly articulate what IT systems, data sets and business processes are most valuable and vulnerable, and explain how they are protected?
- Cybersecurity controls and crisis management plans: What administrative, technical and physical information security controls safeguard the target’s most critical data sets?
- Senior management: How cyber-savvy is the senior management? How well do they understand the importance of data security?
- Third-party exposure: Do vendors or other partners hold or have access to any of the target’s sensitive data? If so, does the target have a vendor risk management program in place?
- Cyber insurance: What are the details of the target’s cyber insurance policy, such as exclusions, deductibles, coverage periods and limitations?
- Testing security protocols: In what manner and how frequently are the target’s security protocols tested?
Data breaches can occur as a result of an external hack or even because of an error made internally by an employee. Companies are advised to maintain an internal playbook to assist with crisis management in the event of a data breach. Such a playbook would not only assist an acquirer in conducting due diligence but would also ensure a simpler integration of cybersecurity issues into the M&A due diligence process.
The author would like to thank Shreya Tekriwal, Articling Student, for her assistance in preparing this legal update.