Why Startups Can No Longer Afford To Ignore Privacy: (Part 2 of 4)

This is the second of a four-part blog series examining the issues that startups face in meeting their privacy requirements. The first blog post was a reprint of an article I published along with Frank Vargas of Rimon Law in the New York Law Journal discussing the subject. In that article, we pointed out that investors and buyers of startups now require specific representations related to privacy and security in the stock purchase agreements that the companies they invest in must sign. Alternatively, companies are required to provide cyber-insurance to protect investors. In this second post, I will cover investor and buyer expectations for privacy in more detail, including where those expectations come from and how to address them. In part three of the series, I will cover timing issues for startups and when they need to start thinking about privacy. Finally, in part four, I will cover some concrete steps that startups should take right away to assess their privacy risk.

Investor Expectations

Until recently, because of the absence of uniform privacy regulations, many investors and acquirers paid scant attention to privacy. However, the confluence of growing data breaches, ransomware attacks, and high-profile data misuse fines by the FTC and the European Union (particularly against technology companies), together with new state-level privacy regulations, has caused the venture capital and M&A communities to respond.

For example, the National Venture Capital Association (NVCA), in its model stock purchase agreement, now includes a rather stringent representation regarding data:

“In connection with its collection, storage, use and/or disclosure of any information that constitutes “personal information,” “personal data” or “personally identifiable information” as defined in applicable laws (collectively “Personal Information”) by or on behalf of the Company, the Company is and has been[, to the Company’s knowledge,] in compliance with (i) all applicable laws (including, without limitation, laws relating to privacy, data security, telephone and text message communications, and marketing by email or other channels) in all relevant jurisdictions, (ii) the Company’s privacy policies [and public written statements regarding the Company’s privacy or data security practices, and (iii) the requirements of any contract codes of conduct or industry standards[, including, without limitation, the Payment Card Industry Data Security Standard], by which the Company is bound. The Company maintains and has maintained reasonable physical, technical, and administrative security measures and policies designed to protect all Personal Information owned, stored, used, maintained or controlled by or on behalf of the Company from and against unlawful, accidental or unauthorized access, destruction, loss, use, modification and/or disclosure. [To the extent the Company maintains or transmits protected health information, as defined under 45 C.F.R. § 160.103, the Company is in compliance with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, including all rules and regulations promulgated thereunder.]  The Company is and has been[, to the Company’s knowledge,] in compliance in all material respects with all laws relating to data loss, theft and breach of security notification obligations. 
[To the Company’s knowledge, there has been no occurrence of (x) unlawful, accidental or unauthorized destruction, loss, use, modification or disclosure of or access to Personal Information owned, stored, used, maintained or controlled by or on behalf of the Company such that Privacy Requirements require or required the Company to notify government authorities, affected individuals or other parties of such occurrence or (y) unauthorized access to or disclosure of the Company’s confidential information or trade secrets [that reasonably would be expected to result in a Material Adverse Effect.]” (Available at https://nvca.org/model-legal-documents/).

Further, since this model agreement has not been updated since 2020, it will not be surprising if this section is tightened further in the next version.

Acquirer Expectations

In addition, in the last few years, the growth of data breaches and the penalties associated with them has led counsel for acquirers to probe deeply, not only in their due diligence but also in the representations they request from the target company being acquired. For example, the following is a representation requested by an experienced acquirer/buyer who does many acquisitions:

Privacy and Data Security.

(i) The Seller has a privacy policy regarding the collection, use, and disclosure of Personal Information in its possession, custody, or control, or otherwise held or processed on its behalf and is and in the past 10 years has been in compliance with such privacy policy. True and complete copies of all privacy policies that have been used by the Seller in the past 10 years have been provided to Buyer.  The Seller has in the past 10 years posted a privacy policy in a clear and conspicuous location on all websites and any mobile applications owned or operated by the Seller. As used herein, “Personal Information” includes, but is not limited to, any information that could potentially identify an individual, including name, address, social security number, birth information and similar information, as well as personal health information, protected health information and personally identifiable information as defined by any applicable Laws.

(ii) The Seller has complied at all times with all applicable Laws regarding the collection, use, storage, retention, transfer and/or disposal of Personal Information.

(iii) The Seller is in compliance with the terms of all contracts to which the Seller is a party relating to data privacy, security, and/or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, retention, transfer or disposal of Personal Information).

(iv) No Person (including any Governmental Entity) has commenced any Action relating to the Seller’s information privacy or data security practices, including with respect to the collection, use, transfer, storage, retention or disposal of Personal Information maintained by or on behalf of the Seller, or, to the Knowledge of the Seller, threatened any such Action, or made any complaint, investigation or inquiry relating to such practices.  To the Knowledge of the Seller, there are no facts or circumstances that could reasonably be expected to give rise to any such Action described in the immediately preceding sentence.

(v) The execution, delivery and performance of this Asset Purchase Agreement and the consummation of the Transaction, including any transfer of Personal Information resulting from such transactions, will not violate any applicable Law, the privacy policy of the Seller as it currently exists or as it existed at any time during which any Personal Information was collected or obtained by or on behalf of Seller or other privacy and data security requirements imposed on Seller or any party acting on its behalf under any contracts. Upon the Closing Date, Buyer will continue to have the right to use such Personal Information on identical terms and conditions as the Seller enjoyed immediately prior to the Closing Date.

(vi) The Seller has established and implemented policies, programs and procedures that are commercially reasonable, including administrative, technical and physical safeguards, to protect the confidentiality, integrity and security of Personal Information in its possession, custody or control against unauthorized access, use, modification, disclosure or other misuse.  The policies, programs and procedures described in this subsection address and apply to remote working arrangements.

(vii) Seller has not experienced any loss, damage or unauthorized access, disclosure, use or breach of security of any Personal Information in the Seller’s possession, custody or control, or otherwise held or processed on its behalf.

Further, acquirers/buyers are now including covenants in purchase agreements under which the seller’s one alternative to making such a representation is to obtain cyber-insurance. Unfortunately, cyber-insurance is also becoming more expensive and more difficult to obtain as the insurance industry responds to the increased frequency, cost, and risk of data privacy and security incidents. A recent Fitch Ratings report found that cyber-insurance renewal premium rates have been growing consistently quarter on quarter since 2019, with growth of over 30% in Q4 of 2021 alone. (See Jake Holland, “Cyber Insurance Policies Grow Pricey Amid Rising Hacks, Lawsuits”, Privacy & Data Security Law, Bloomberg Law, May 31, 2022, 2:31 AM.)

Small companies also often hold the mistaken belief that their general liability insurance will cover data breaches and other data privacy violations. This is often not the case. For example, wrongfully collecting or handling biometric data, which is subject to a separate set of laws, is often not covered even by standard cyber-insurance policies. Worse yet, many small companies will find that they are not eligible for such insurance because they do not already have the appropriate policies and practices in place.

The Bottom Line

Startup companies will be required to sign some form of the above representations at or before their Series B financing, or at the time of their acquisition. Unfortunately, by then it will be too late to start the process of meeting the representations: the privacy and security programs must already be in place, and breaches must already have been prevented. Startups need to plan ahead and start implementing privacy programs well before a financing or acquisition. A privacy policy is a good start, but on its own it will not satisfy the requirements. A privacy policy asserts that the company is protecting its customers’ information and has programs in place internally to ensure continued security and data protection. Those assertions must also be true.

Cyber-insurance is a good option to consider. It does not replace the need for the above actions, but it can dramatically improve the investment or acquisition process. In the case of acquisitions, having already secured cyber-insurance could mean that less of the acquisition money is held in escrow against the risk of a privacy or security incident. The best time to get cyber-insurance (as with all insurance) is before you need it. However, cyber-insurers also require that clients show they have implemented privacy programs before they will issue a policy.

With or without cyber-insurance, startups need to define and implement privacy and security programs from the very early stages and they need to document and follow them.  In the next part of the series, I will discuss the timing for starting these programs in more detail.
