Skip to main content

Data Privacy Day - Tip #4 - Transactional Best Practices for Lawyers

Written by Michael Arnold and Jennifer Rubin

Even though lawyers working on both sides of an M&A transaction during the due diligence phase might immerse themselves in a “confidentiality bubble”, they still must be careful not to disclose or access confidential employee information in the course of that transaction. Attorneys evaluating potential transactions might be tempted to access information regarding target employees, such as personnel files, compensation information, and information concerning performance evaluation and other historical employment information. Transactional attorneys are often surprised to learn that dissemination of some of this information, even among those subject to a confidentiality agreement, may violate an employee’s privacy rights and even violate the law.

Some states preclude employers from disclosing employee personnel information or from revealing information regarding employee compensation altogether while other states require a waiver from the employee as a condition to dissemination to any third parties. Federal and many states laws make it illegal for companies to disclose employee medical records without authorization, and this is particularly a concern where those records include personal health information and may implicate newly-expanded HIPAA regulations. Personnel files of employees that are Massachusetts residents will contain "personal information" that can only be transmitted in compliance with the Massachusetts regulations. In the cross-border M&A context, "personal data" of employees can only be transferred to the U.S. (or to U.S. persons) in compliance with applicable data protection laws in their country of residence/employment -- and in most cases can only be with the employee's consent. Even documents in a digital "data room" that can be accessed from the U.S. may fall afoul of data protection laws in other countries.

Companies must ensure that they have the proper mechanisms in place to minimize the exposure of personnel information during a contemplated transaction, including having a good understanding as to what legally may and may not be provided to potential acquirers, and securing any necessary waivers from employees prior to turning that information over in the due diligence process.

And finally, storage and disposal of due diligence files containing personal information or protected health information must be handled in accordance with applicable state and federal laws. If you don't keep it, you can't lose it!

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.