In an age in which digital information is one of a company’s most valuable assets, a growing share of due diligence time and effort is being devoted to compliance with laws and regulations governing the privacy and security of such assets. All businesses with a website may be said to have reach into, and presence in, every state—therefore due diligence into information management compliance of a U.S. target company requires cognizance of the laws of at least 52 separate jurisdictions comprising the 50 states, the District of Columbia, and Puerto Rico. This article discusses the need to expand due diligence into privacy laws beyond U.S. federal privacy laws to cover the breadth of U.S. state and territorial jurisdictions.
Federal Preemption Does Not Apply
Privacy law exemplifies the complexity of due diligence into acquisitions of U.S. companies. There is no all-encompassing national privacy or cybersecurity law in the United States, but federal legislation or regulations impose safeguards in the protection of digital information, particularly in the areas of financial services (including publicly traded companies), healthcare, and education. Additionally, M&A attorneys should be aware that 47 states have statutes governing notification of breach of personal financial or healthcare information. There is no standardization among these provisions—some states permit those aggrieved by the failure to receive breach notifications to sue in state court, while others only allow for complaints to state agencies which, in turn, can investigate and assess civil monetary penalties.
State laws that are stricter than federal legislation or regulations in the protection of federally regulated data (e.g., personally identifiable health information, subscriber or accountholder data and certain information on students created by educational institutions) are not preempted by federal law. In addition, certain state laws impose requirements not found in federal laws, such as requiring documented information management policies and adoption of protocols for notification of data breaches. Therefore, an acquirer must be cognizant of both the federal statutes pertinent to the industry of the target company and the applicable requirements of the states in which the target does or may transact business. If the target company conducts business over the Internet, it may be deemed to transact business in all 50 states and, therefore,
Foreign Acquisitions of U.S. Companies: State Cybersecurity and Privacy Laws Expand the Scope of Due Diligence by a Geometric Factor
by George H. Wang and Kenneth N. Rashbaum, Barton LLP