These days, Canadians trying to grow a business need to keep their eye on more than profits and losses.
The way a company handles its data can cost it customers and reputation, and poor handling can sink a potential deal or financing.
Whether the business comprises six or 60,000 people, it is critical that owners, management and boards of directors ensure they understand their company’s data-collection, storage and security practices, senior corporate lawyers agree.
The challenge is there are no common guidelines to adhere to.
“When it comes to financial statements everyone knows there are standard rules that have to be followed,” says Deborah Weinstein of LaBarge Weinstein LLP. “The way you record revenue, the way you record inventory, is based on GAAP.
“There is no handbook for all of the technology-related matters that have to be followed but you still have to make sure you have the right privacy terms, the right signups, the right anti-spam measures and indemnifications. It’s not like it was 20 years ago. It’s really, really important regardless of the size of the company.”
Weinstein, an M&A lawyer, has advised start-up clients who later sold their companies to giants such as Cisco, Ericsson, Microsoft, RIM, PMC-Sierra and Alcatel-Lucent. She says waiting until you’re thinking of selling the company to start paying attention to data-management practices is “very foolhardy,” no matter what industry you’re operating in.
“You don’t learn this stuff in business school but as your company builds, it’s very important to be mindful of it. If you don’t have counsel advising you, talk to people at other companies, talk to associations in your industry – whatever you can do – to make sure you start educating yourself so you understand the things that can bite you.”
A data breach may top that list.
Ashley Madison, known as an online site for adulterous hook-ups, is now much better known for having its 33 million accounts hacked and users’ names published.
“People need to pay a lot of attention to this,” says Shahir Guindi, managing partner at Osler, Hoskin & Harcourt LLP in Montréal.
Potential buyers certainly do. Companies planning to merge or put themselves up for sale should expect their data-management practices to be put under a microscope, he says.
“For sure investors are diligencing that aspect of things more than ever before. We’re much more aware of it now whether it be privacy compliance, data protection, cybersecurity — we’re looking at those issues with greater severity than we would have a few years ago.
“We’ve started to bring specialists in these fields to comment on agreements to be sure we’ve been appropriately covered off on the risks that apply. What are the practices that need to be considered, what are the laws? Have we mitigated risks? Is there a particular compliance issue we should be aware of, a way to mitigate? Should we be building an escrow or specific indemnity around some failure around data protection or privacy or cybersecurity? These are the types of questions we ask. So there’s greater vigilance.”
Guindi, who focuses on M&A, corporate finance and private equity, says a financing will raise exactly the same issues, with buyers also going beyond the balance sheet to look into data management issues.
“If we were advising on a financing and the company had a history of data breaches or a history of privacy leaks or a history of complaints from their customers, that would reflect badly on management. And who’s going to finance or buy a company whose management isn’t on top of these issues — especially in 2016? Nobody wants to take on that kind of liability going forward.”
He says it’s becoming increasingly common to ask that the buyer’s data-protection team sit down with the seller’s data-protection team for direct conversations about how things are set up.
What they find can “definitely” drive down the valuation, says François Amyot, an M&A partner in the business law group at McCarthy Tétrault LLP.
“When a buyer looks at a business, they’re usually looking at integrating it so they have to assess whether they’ll be able to bring its data into their own system.
“Clearly when they look at a business that has a deficient IT system or issues in managing its data, that will trigger some questions. If the answer after further investigation is that there’s a major investment required to update the system and make it operational going forward, that could lead to major costs. It would definitely affect valuation, so it’s something that’s on everybody’s due-diligence checklist.”
The concerns go beyond security, says Amyot. Buyers also want to make sure the data-management system is properly accessible, that they can trace documents if they later find themselves in an e-discovery situation. They also want to make sure the potential target is managing its personal-information and anti-spam consents in accordance with all the latest requirements.
Anti-spam is another big potential deal killer. Data can be radioactive if the business is not conforming to all the changes introduced in Canada’s new anti-spam law in 2014. Viewed as one of the toughest in the world, the regime covers the communications of businesses of all sizes. Companies that contact anyone who has not given their express consent to receiving commercial messages face penalties of up to $10 million.
“These things are all part of the representations and warranties that an acquirer will make sure they understand before going ahead with a deal,” says Amyot. “So you really need to stay up to date and invest in your systems to make sure that you’re in compliance with anti-spam regulations and things like that. These are flagged when a potential buyer walks into a transaction.
“If you, as a seller, have a bunch of surprises popping up that you weren’t aware of, it doesn’t look too good on you and it may affect not just the valuation but also the trust that the seller has that this business is under control and has properly managed all the risks.”
Amyot believes data management – and the cost of getting it wrong – is important enough to warrant getting specific legal advice.
“It can be a bit of an investment to make sure that you’re okay as far as your data-management systems and your compliance with these new regulations, but it’s certainly an area you need to pay attention to.”
Even with all the good will in the world, it may not be possible to avoid data-related problems.
That’s why businesses should make sure they have security-breach systems and protocols in place as well, says Chris Hewat, a partner at Blake, Cassels & Graydon LLP.
“You need incident-management processes so that if there is a denial-of-service attack or another breach, your people are trained to respond,” says Hewat. “It’s not enough to just buy the security software.”
A security breach is among the most serious risks an organization faces because it can wipe out both customer and investor confidence in a matter of moments, says Hewat, an M&A and securities lawyer who also advises on governance.
That means discussions about data management should not be confined to IT department personnel, he says. They should also take place around the board table.
“Boards are responsible for the oversight of their companies. That elevates it to a key board issue. Just as boards are involved in the oversight of financial risk, cybersecurity is one of the high-focus areas for boards right now.”
With so much at stake, Hewat says an increasing number of boards are commissioning third-party technology audits of their company’s data practices.
And their customers are demanding to see the reports they commission.
“Increasingly, significant customers are demanding to see the results so they know that if they incorporate a vendor’s technology they’re not going to risk jeopardizing their own system, leading to a loss of confidence in their own company. So exactly the same types of protections applied to accounting matters are being applied to cybersecurity matters.”
Sometimes even potential customers are insisting on seeing a third-party audit before signing a supply deal, especially in cases where what they’re buying is incorporated into their own systems.
Guindi at Oslers says the bottom line for businesses of all sizes is that it’s “never too early” to start thinking aggressively about data management. His best advice? Don’t do the least you can get away with.
“Never assume that complying with your home jurisdiction, best practices and standards is enough because as you expand into other countries or other sectors, you can’t assume that’s going to be sufficient. Health has different standards than finance, which has different standards than entertainment.
“It’s not one of those things that is the lowest common denominator. You actually have to go to the highest standard that applies to you and even that highest standard isn’t higher than what you need in all aspects of your business, you can’t afford to be short there. You’ve got to go to the highest standard and apply that across all geographies and fields.”