Last year saw an increase in the frequency of data breaches and this trend is unlikely to disappear in 2018. We previously reported on the importance of cybersecurity in the M&A due diligence process. Conducting due diligence of a target's cybersecurity procedures has become even more crucial in light of Canada's new notification requirements. These requirements, regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA), are based on amendments made to PIPEDA in 2015 as well as a regulation proposed in 2017 called Breach of Security Safeguards Regulations (Regulations). The Regulations will impose new notice requirements in the event of a 'breach of security safeguards' and are expected to come into force later this year.

The new security breach notification requirement is three-pronged. It requires:

  1. a report to the Office of the Privacy Commissioner of Canada;
  2. a notice to affected individuals; and
  3. a notice to other organizations (where such notification may reduce the risk of harm).

Organizations will also be required to retain records of every breach of security safeguards involving personal information for a period of 24 months after the day on which the organization discovers the occurrence of such breach.

Cybersecurity due diligence

In light of the new requirements, the following are

In light of the new requirements, the following are some critical questions to ask when conducting due diligence in an M&A deal:

  1. Nature and risk profile of the data: Does the target company clearly articulate what IT systems, data sets and business processes are most valuable and vulnerable, and explain how they are protected?
  2. Cybersecurity controls and crisis management plans: What administrative, technical and physical information security controls safeguard the target's most critical data sets?
  3. Senior management: How cyber-savvy is the senior management? How well do they understand the importance of data security?
  4. Third-party exposure: Do vendors or other partners hold or have access to any of target's sensitive data? If so, does the target have a vendor risk management program in place?
  5. Cyber insurance: What are the details of target's cyber insurance policy, such as exclusions, deductibles, coverage periods and limitations?
  6. Testing security protocols: In what manner and how frequently are the target's security protocols tested?

Cybersecurity playbook

Data breaches can occur as a result of an external hack or even because of an error made internally by an employee. Companies are recommended to maintain an internal playbook to assist with crisis management in case of a data breach. Such a playbook would not only assist an acquirer in conducting due diligence but would also ensure a simpler integration of cybersecurity issues into the M&A due diligence process.

The author would like to thank Shreya Tekriwal, Articling Student, for her assistance in preparing this legal update.

About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.

Law around the world
nortonrosefulbright.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.