Privacy and data security issues have become the subject of critical focus in corporate mergers, acquisitions, divestitures and related transactions. In 2016 and 2017, several large transactions, especially those involving telecommunications, entertainment and technology companies, have been impacted by either concerns about the collection and use of personal information or significant information security breaches. The FTC has sharpened its focus on the use of personal information as a factor in evaluating the competitive effects of a given corporate transaction, and the SEC is now closely scrutinizing privacy and data security representations made to investors in public filings connected to transactions. More broadly, privacy and data security problems that are not timely discovered before entering into an M&A transaction can become significant liabilities post-closing and also lead to litigation. Continue Reading Securing a Successful Transaction through Focused Privacy and Data Security Due Diligence
Personal information about consumers is the lifeblood of many organizations. Because of the potential value of the information, companies are increasingly focused on privacy and data security issues that arise in the context of mergers, acquisitions, divestitures and related transactions. In many corporate transactions, data is a critical asset that should be addressed as a key deal point. Unfortunately, too often personal data is transferred without consideration of the issues that otherwise might change the pricing of a deal – or kill it altogether. In a recent article published by Corporate Counsel, Hunton & Williams partner Lisa J. Sotto and associate Ryan P. Logan discuss the privacy and data security-related legal issues that arise in corporate transactions, and provide a how-to guide on addressing those issues during the various stages of a transaction.
Download a copy of the article.
On January 17, 2013, the U.S. Department of Health and Human Services issued a final omnibus rule modifying prior regulations enacted pursuant to the Health Insurance Portability and Accountability Act of 1996. Among the key changes that will come into effect this September is the addition of a provision that dramatically increases the number of organizations directly subject to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. In an article published in the March/April issue of Storage & Destruction Business Magazine, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Ryan P. Logan and Melinda L. McLellan, senior associates on the firm’s Privacy and Data Security team, discuss how the newly-adopted HIPAA Rules will impact business associates and outline steps that records and information management companies should take to prepare for the upcoming changes.
The wait is over. On January 17, 2013, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released its long-anticipated megarule (“Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. These amendments implement and expand on the requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. Coming into compliance will require significant effort and attention by covered entities and business associates alike. Below we highlight some of the more significant aspects of the Omnibus Rule and provide critical compliance tips.
Richard Thomas (RT): Lisa, congratulations on the publication of the new treatise. I’m sure the Privacy team has been waiting for its release. Could you give us some background on what prompted you and the team to write the Privacy and Data Security Law Deskbook?
Lisa Sotto (LS): Thanks, Richard. Privacy and information security are topics that have received significant attention during the last few years. Organizations that manage personal information are under the microscope and are struggling to keep up with the many new and evolving legal requirements around the world. In addition, there is a real uptick in enforcement actions for privacy and data security incidents. As the former Information Commissioner of the UK, I’m sure you would agree that privacy is an issue on which nearly every global company must focus. In 2009 alone, companies spent an average of $6.6 million to rebuild their brand image and retain customers after being involved in some type of data breach the previous year.
On July 20, 2010, Hunton & Williams announced the release of the first edition treatise Privacy and Data Security Law Deskbook (Aspen Publishers) by lead author Lisa J. Sotto, managing partner of the firm’s New York office and head of the firm’s global Privacy and Information Management practice. The deskbook provides a detailed overview (with thousands of specific citations for the legal practitioner) of those areas of information privacy and data security law that have the greatest impact on and are most relevant to U.S. businesses operating in the global arena. In addition, the treatise contains a collection of sample documents, charts, checklists and other compliance-enabling tools.