
Sell your company, not your cybersecurity risks

Cybersecurity sounds intimidating, and rightly so. U.S. buyers and sellers are subject to a patchwork of legal and regulatory requirements due to a lack of national legislation. While the enactment of new and/or updated comprehensive data privacy laws in California, Colorado, Connecticut, Utah and Virginia in 2023 offers some hope for greater uniformity in the future, buyers and sellers need to start at the basics. Specifically, the parties need to understand how a data breach is defined and what seller-collected data is at risk.  

The first step in understanding what data a seller collects boils down to a handful of questions. These are:

  • What data is collected?
  • How is data stored and secured?
  • With whom is the data shared?

These questions sound rudimentary, but they define the basic scope for what everyone should be concerned about.  

Consequently, these questions should be asked early in due diligence (or before soliciting an offer if companies plan to solicit a purchaser) as the answers are fundamental in understanding the risks involved for all parties.  

Sellers with sensitive data, such as cardholder data, social security numbers and confidential information of clients and vendors, will face a higher degree of scrutiny. Sellers should expect, and buyers should ask, pointed questions about what safeguards are in place, such as how data is encrypted, who manages firewalls and how penetration tests are conducted. Buyers should also ask with whom data is shared and what assurances a seller has that shared data is being treated appropriately.

While the above inquiries are agnostic on what law applies, buyers and sellers also need to consider how they will define a data breach for representations and warranties. As noted above, different states take different approaches to data security. Those differences extend to the definitions of data breaches. As an example, Ohio requires both unauthorized access and acquisition of data, but other states only require unauthorized access to data.

Buyers and sellers likely will differ on the appropriate definition of a data breach. More sophisticated buyers would be well-advised to understand what the governing law of the definitive agreements views as a “data breach” and consider substituting a broader definition.  

While cybersecurity can sound daunting, starting at the basics can make all the difference.  

Michael W. Schauer is partner at SSSB. Contact him at [email protected]. Maggie Jones is associate attorney at SSSB. Contact her at [email protected].

