Data Privacy and Cyber-security Gaps are Increasingly Threatening Companies’ Financial Success and Reputation
In today’s world, there may be no faster-emerging ESG risk to private equity firms and portfolio companies alike than data privacy and cyber-security. Companies large and small have seen brand damage, litigation, regulatory action, and valuation loss – all from the failure to protect sensitive information. More than ever before, pre-acquisition due diligence should include a review of data privacy and cyber-security.
Background
In this context, Malk Partners refers to data privacy and cyber-security as the protection of data that, if exposed, could pose regulatory, competitive, legal, and reputational risks to the company. Such data might include: consumer financial information, employee personal identification information, intellectual property and trade secrets, and medical information. Beyond the financial impact to the company, a data breach can have a serious impact on the company’s customers, highlighted by the Target and Ashley Madison cases below.
Rise in high profile and costly data breaches
Perhaps the ‘canary-in-the-coal-mine’ of corporate data breaches, Target’s December 2013 breach of 40 million consumer credit card numbers was the result of malware on its Point of Sale (POS) network. Hitting at the peak of the holiday season, Target’s announcement resulted in “meaningfully weaker” U.S. sales, accompanied by a loss of consumer confidence.
Though Target was the first “mega-breach”, it would not be long before eBay, JPMorgan, Home Depot, Sony, Anthem, and many others suffered from breaches of protected information. While these companies certainly experienced the largest breaches of the last two years, a number of middle market companies saw the same, including Wyndham Hotels, whose breach from 2008-2010 resulted in over $10 million of consumer fraud loss.
In a Buyouts Insider report earlier this year, The Riverside Company, an upper-middle market buyout firm, reported that two of its portfolio companies experienced breaches over the past several years. “Both these portfolio companies were less than $20 million in revenue so it was pretty amazing they would get targeted,” said Ron Sansom, a Managing Partner at Riverside. The breaches highlighted to Riverside how data privacy and cyber-security concerns have emerged for middle-market companies.
Most recently, the infidelity dating site Ashley Madison became the leading news topic as hackers, claiming a moral motive, threatened to release, and eventually did release, the personal information of more than 35 million registrants. The failure to protect that information has resulted in the departure of the CEO, a $578 million class action lawsuit, and likely more financial consequences to come.
Federal courts, grappling with how to enforce this emerging area of law, have further increased the potential impact of such a breach. Earlier this month, a Minnesota District Court Judge ruled that banks could join together in a class-action lawsuit against Target related to the 2013 breach.
FTC enforcement of data privacy
The Federal Trade Commission (FTC) regulates the protection of consumer privacy; as such, the FTC is frequently the regulatory body involved in data breaches and leaks.
While the mega-breaches of the past several years are the most widely reported negative outcome in data privacy and cyber-security, companies are seeing the impact of negligence in this area even when their systems are not breached. Since 2002, the FTC has brought regulatory action against more than 50 companies for engaging in “unfair or deceptive practices that put consumers’ personal data at unreasonable risk.” That does not include an additional 40 cases concerning general privacy and more than 20 cases regarding children’s privacy.
Among the 2014 cases, Yelp settled FTC charges for $450,000 that it failed to prohibit users under age 13 from registering, which violates the Children’s Online Privacy Protection Act. Additionally, Snapchat settled charges for misrepresenting its promise that messages sent in its app “disappear.” These cases, and the corresponding regulatory penalties, demonstrate the damages a company may face even in the absence of a breach.
Fund-level concerns
While the case can be made time and again that data privacy and cyber-security are key concerns for portfolio companies, funds themselves are not exempt from caution. Private equity firms are a uniquely attractive target for hackers, as they hold a significant amount of information relating to the fund, their companies, and their LPs, and can serve as an entry point into the portfolio companies themselves. The SEC, in April of this year, released a “guidance update” for funds and advisers on the need to protect confidential and sensitive information. The guidance, based on sweep examinations and a cyber-security roundtable, highlighted several areas for firms to consider: (1) conducting periodic cyber-security risk assessments, (2) developing a strategy to prevent and respond to cyber-security threats, and (3) implementing the strategy.
So what?
With the increased prevalence and impact of data breaches, leading firms are taking steps to ensure they are properly managing their risk, both at the fund and portfolio company levels. Simple steps, such as engaging a third party to assess and test policies and systems, may reveal that a firm is carrying a level of risk it would not knowingly accept.
Furthermore, there is rarely a potential acquisition that should not have a data privacy and cyber-security review conducted in pre-acquisition due diligence. Today, a firm simply cannot afford to have a mega-breach or class action lawsuit.
*Note, this article originally appeared in Malk Partners’s newsletter: ESG in Private Equity Quarterly, published September 29th, 2015. To sign up for Malk Partners’s quarterly newsletter, visit our contact page.*