The Diligence Process for Privacy and Data Security

An acquirer looking into a target company's data security should start at the target's website homepage, where the absence of a privacy policy can be a telltale sign that the company's privacy program is weak or non-existent. A good policy discloses, among other things, what personally identifiable information or personal data (PII) the company collects and processes, how it uses and processes that PII, and with whom it shares the PII.

International and state regulations should also be considered if the company falls within the jurisdiction of the California Online Privacy Protection Act or the 2020 California Consumer Privacy Act (CCPA), or does business in the European Union or European Economic Area (EU), where companies must comply with the General Data Protection Regulation (GDPR).

Other strong indicators of a healthy privacy and data security program are a designated individual responsible for the target company's data compliance, a history of conducting penetration tests or vulnerability scans, and one or more third-party certifications demonstrating the existence of an industry-standard data security program. Further factors to consider relate to data mapping, privacy program documentation, vendor management, the history of security incidents and breaches, and existing cyber insurance.

Post by Ken Shafton