Privacy and Data Security Risk Evaluation Strategies for Private Equity Investors Post COVID-19
In the current environment, there are historic levels of “dry powder” in the private equity industry. We have previously provided thoughts regarding challenges and opportunities facing the private equity industry generally. In this post we focus on strategies that buyers can use to evaluate the privacy and data security risks endemic to an investment opportunity. On the flip side, sellers can use the same strategies to reduce risk pre-transaction, or to describe and explain their risk mitigation practices and procedures in a way that reduces transaction costs, including costs that might otherwise be devoted to additional risk-shifting provisions.
1. COVID-19 Has Spurred Transformation to “Value at a Distance” Business Models, Expanding the Privacy and Data Security Risk Surface
Due to COVID-19, companies all over the world have had to reevaluate their business models and focus on how they can continue to deliver value post pandemic. The need for business model adaptation will certainly not be uniform: certain companies may already have a business model that requires little face-to-face interaction with clients, users and customers. For example, companies in the information technology services space and entertainment content delivery services might fall into this category, as they may already be able to provide goods and services to consumers at a distance (“value at a distance”). Each company that presently has a value at a distance business model is already dependent on sophisticated data flows, in many cases across multiple jurisdictions, and already carries the regulatory risk endemic to the ways that the entity collects, stores, uses and transfers data.
Many other entities have found, and will continue to find, new and innovative ways to expand or pivot their value creation channels to continue to drive revenue post pandemic. Examples of entities that fit this category include companies that pre-pandemic focused on providing goods or services in close proximity to the consumer, such as restaurants, physical retail locations, gyms and others. We are already seeing the transition to value at a distance business models with these entity types. Grocery and retail locations are developing processes and controls to enable ecommerce and ship their products, often working with third party vendors to do so. Gyms and other personal services oriented businesses may be offering virtual coaching sessions through video conferencing. By expanding or transitioning their business models to offer value at a distance, these companies will be forced to create new data flows. For example, companies that want to ship products may now be collecting personally identifiable information that was not collected previously, providing that information to third party vendors that the company has not used before, and increasing or expanding the mechanisms that customers can use to make payments. By transitioning to a value at a distance business model, these entities will become far more data heavy, increasing their privacy and data security risks to the level of existing value at a distance entities.
2. Analyzing and Understanding Privacy and Data Security Risks For “Value at a Distance” Business Models
To analyze and understand the privacy and data security risks that value at a distance business models face, we can perform a three part analysis.
a. First, identify the data flows that enable the business model as it exists today.
Every business will have multiple flows of data that enable it to function, ranging from employee information gathered by the company for HR and payroll purposes, to marketing information gathered on potential customers, to customer information gathered to allow for the provision of services. Understanding the types of information gathered, the applicable jurisdictions, and the processes and controls used for each flow will be essential.
b. Second, identify any data flows created by a recent pivot to a value at a distance business model.
Buyers should consider the ways that the company may have recently pivoted or expanded its business model to provide value at a distance. Has the company recently started a delivery program? If so, the company will now be collecting additional information to support this functionality, likely including a delivery address and contact information. Were third party vendors and software products used to support this change? Have appropriate agreements been put in place for these data transfers? Are new methods of payment, including payment via the company’s website, being supported now when no such functionality was previously offered?
c. Third, analyze legacy data flows, while paying particular attention to pivots to the business model to enable value at a distance that may have created flows for which there is no robust privacy and data security compliance process.
For example, let’s consider a company that previously operated a chain of restaurants. Before COVID-19, the restaurants did not deliver and had a very limited online presence, as the company depended on foot traffic to drive sales. Post COVID-19, the entity decides to pivot to a value at a distance model, offering food delivery through its own website as well as integrating with third party delivery services.
Understand Existing Compliance Framework for Legacy Flows
Certain data flows will have existed before the pivot to delivery, including personnel files containing personal information of employees, such as information collected for payroll and employment verification purposes. Given that this data flow has persisted for some time, we might hope that the entity had an appropriate policy in place restricting the use of the collected information to appropriate purposes only, that employees were provided an appropriate privacy disclosure where required, and that appropriate cybersecurity protections were put in place.
For example, even without new data flows, the entity may have additional team members working remotely post COVID-19, increasing cybersecurity risks due to the new information technology mechanisms and collaboration processes that have formed. The Cybersecurity and Infrastructure Security Agency (“CISA”) and the FTC have provided guidance in this area.
Identify Risks Created By New Data Flows
New data flows, created in haste to support a new business model, may not have been considered from a privacy and data security standpoint. In our restaurant chain example, it is possible that the company has expanded its website to take delivery orders but has not revised its privacy policy to account for this; that it is transferring personal information to third party delivery services without appropriate contract language outlining the rights and responsibilities of the parties with respect to the data; and that it has added functionality such as online payment options without regard for compliance obligations such as the Payment Card Industry Data Security Standard (PCI DSS).
Buyers would be well served by examining the privacy and data security implications of these pivots carefully. Sophisticated sellers have an opportunity to perform their own analysis pre-sale and come prepared to explain the privacy and data security compliance processes that have been implemented. If you have any questions as to how this could affect your situation, please contact the team at Mintz.