Due Diligence on any Assets in an M&A is difficult enough to conduct. But when you’re talking about Big Data, who knows what breaches, what information, need to be considered?
It has become axiomatic to say we live in an age of omnipresent Big Data where, for instance, while you watch television, or more likely your computer, it is watching you back. As you stream an episode of The Office via Netflix for instance, Netflix tracks and stores your viewing habits and tastes. It then processes that information through a proprietary algorithm and provides you with further entertainment recommendations.
Computers know us better than we know ourselves, as economist Seth Stephens-Davidowitz writes in Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are (2017: Harper Collins). Apparently, Netflix figured out early on that what viewers said they wanted to watch was not always the same as what they did watch.
Big Data, of course, goes well beyond Netflix to encompass transactions conducted by credit card via the Internet and the Internet-of-things. These Big Data assets are increasingly valued by companies. Lawyers tasked with helping their corporate clients purchase, merge or partner with companies that hold Big Data are stepping up to the challenge of dealing with them profitably. This involves negotiating multi-party licensing and complying with various regulatory requirements. Before all that, there may be a landmine of information of uncertain provenance; how is that to be factored into the transaction?
When Amazon acquired Whole Foods in August 2017 for US$13.7 billion, was it interested in more than its upscale groceries? Amazon knew from its core online ordering business which Whole Foods products were most popular (deli turkey and coconut water, it turns out). There was more that interested Amazon, suggests Richard Austin.
“I think they were really interested in the data that Whole Foods would have about its customers,” says the Toronto Information Technology partner at Deeth Williams Wall in Toronto. “So you’ve got a large set of data with people who are in a good enough financial position that they can shop at Whole Foods. If you are Amazon, you now have this massive data set that is information you can use to do all the things that Amazon does as it grows and expands its businesses.”
Data, however, is so much trickier an asset in a merger or acquisition than dried seaweed snacks, cautions Austin, who specializes in technology mergers, privacy and cyber security. And yet, transactional lawyers should think about data as they would other assets in a transaction. What is its value? What are its risks? How are these to be calculated?
Austin suggests that Amazon had to ask itself, would they be able to use Whole Foods’ data in new ways? For example: could Amazon use personal information on shoppers in its Marketing initiatives, or would that violate Privacy laws? This would depend on the ways in which the information was collected, and the types of consents that were given. Beyond these questions, there is another one: How reliable is the data? “Those are really hard questions,” says Austin. And then there are the security concerns.
Wired writer Andy Greenberg explains the recently announced discoveries, by various research teams, of “Meltdown” and “Spectre” computer attacks: In January, security researchers revealed that there was a bug in Intel chips, which “allows low-privilege processes to access memory in the computer’s kernel, the machine’s most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone.
“And on multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could even allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.”
Greenberg continues: “A large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw.
“’These hardware bugs allow programs to steal data which [is] currently processed on the computer,’ reads a description of the attacks on a website the researchers created. ‘While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.’”
Furthermore, “Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they’ve verified Spectre attacks on AMD and ARM processors, as well.” (For more on this topic, see www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/).
If lawyers are trying to reassure their clients that there are no reports of damage yet from Spectre and Meltdown, they are best to look at scenarios in which data assets have been stolen.
In an internal continual legal education seminar that Bennett Jones LLP lawyer Martin Kratz presented on Due Diligence Best Practices for Big Data, he provided his assessment of what went wrong at Ashley Madison, the website that avowedly enables extramarital affairs.
In 2015, hackers, calling themselves “The Impact Team,” reportedly stole the user data of as many as 37 million site visitors. As the Wikipedia entry describes, “The hackers warned the website’s parent company, Avid Life Media, to take down Ashley Madison and another site or they post online the names and emails of millions of Ashley Madison members. Avid Life refused, and the hackers made good with their threat.”
And wrapping up the story, as Reuters reported, “the owner of the Ashley Madison adultery website said on Friday it will pay US$11.2 million to settle U.S. litigation brought on behalf of roughly 37 million users whose personal details were exposed in a July 2015 data breach.”
Kratz, who leads the firm’s Anti-Spam practice and co-leads its E-commerce practice, says the scandal exposed just how shabby the company’s cyber security protocols were. “Ashley Madison should remind people that there is a liability from being exposed to a breach, and that potential liability should be part of the considerations being assessed in Due Diligence in any M&A transaction.”
Had an acquirer been interested in Ashley Madison, would it have taken any the necessary steps to determine the level of vulnerability in the company’s data? It is difficult to do, as the Equifax security breach would suggest.
As reported in The Globe and Mail on Sept. 7, 2017, “Equifax announced a cybersecurity breach that it says affected about 143 million American consumers.” On Sept. 19th, “Equifax said about 100,000 Canadian consumers were affected. It said the information that may have been breached includes names, addresses, social insurance numbers and, in limited cases, credit card numbers.” Adding insult to injury, Equifax “said it learned of the incident on July 29 and that an investigation showed the files were accessed from mid-May through July, 2017. The moral of the story, which M&A lawyers do well to bear in mind, is that companies do not always announce their data breaches, at least not in a timely manner.
As Nicole Perlrothoct reported in The New York Times in Oct. 2017, disclosing information about data breaches can impact on an M&A deal: “Verizon Communications, which acquired Yahoo this year, said on Tuesday that a previously disclosed attack that had occurred in 2013 affected all three billion of Yahoo’s user accounts. Last year, Yahoo said the 2013 attack on its network had affected one billion accounts. Three months before that, the company also disclosed a separate attack, which had occurred in 2014, that had affected 500 million accounts.
“Digital thieves made off with names, birth dates, phone numbers and passwords of users that were encrypted with security that was easy to crack.
The intruders also obtained the security questions and backup email addresses used to reset lost passwords.”
And the impact on the deal itself? Writes Perlrothoct: “Yahoo sold itself to Verizon for $4.48 billion in June. But the deal was nearly derailed by the disclosure of the breaches and $350 million was cut from Verizon’s original offer.”
Kratz explains that when you doing “an M&A deal with a company where you are acquiring data assets, you have to be concerned about what liability there is around any existing breaches that predate the closing date of the transaction. You have to think about what Representations and Warranties have been provided.”
Not all companies have a full understanding of the security of their data or the business importance of that security in the event of a merger. Heather Barnhouse, an Edmonton-based member of Dentons Canada LLP’s Technology and Corporate Commercial Groups, says it can sometimes be difficult for clients to explain the actual underlying business relationship they have with their data.
“Sometimes the client sort of intuitively knows it, but they haven’t really done a Due Diligence or [sorted through] that entangled web.” This can especially be the case if the seller never really utilized the full range of the data and therefore did may not have recognized its full value.
On the Transaction
George Takach, of McCarthy Tétrault LLP, points out: “Quite literally, every company has the potential to be collecting and using all sorts of data,” and on that basis, according to Takach, there are six areas of legal concern that apply to virtually all M&A transactions:
1. Protection of Databases – Facts on their own are not protected. The selection and arrangement of facts, however, can be protected as copyrights.
2. Title to the asset – no mandatory registry; so purchaser must “title search” through authors; there is potential leakage through contractors who haven’t assigned their copyright in writing.
3. Joint Ownership – not common, but can be done where two parties both want to have solid tenure in the copyright.
4. Licensing – more typical model is one party owns the database, the other is granted a license.
5. Representations and Warranties – as with other intangible assets of the seller, including software, there are concerns such as good and marketable title; no infringement of third party IP rights; compliance with CASL, Privacy law, and other law (e.g. Export control).
6. Personal Information – if dataset contains personal information, then as the Buyer, you also have to get comfortable that PIPEDA and other relevant privacy/data protection laws have been complied with by the Seller.
To the first concern, “Facts are facts,” explains Takach. “And the fact that it’s nine degrees Celsius in Toronto today is a fact. No one can copyright that. “But a compendium of three hundred years of data points about Toronto weather with respect to climate change and its impact on the economy? Now that same fact as a bundle within a bigger data set, achieves a very different economic value.”
Data is a chameleon, says Takach. It can be a company’s “secret sauce,” making that collection of facts worth millions. “It’s one of the fascinating things about intangible assets. They take their value from their content and context.”
Determining if a data asset has copyright – and whether that copyright claim is valid - is a complicated matter. It depends on where the data is coming from, and, to a large extent, what human intervention was involved in the collection and assemblage of that data, explains Kratz. “Just because there’s a machine recording data through some sensors, does not mean there is copyright. Because you need human beings as authors to have copyright.”
Kratz notes, that in April 2017, the Alberta Court of Appeal clarified the circumstances in which the production, compilation and processing of raw data can constitute copyright in Geophysical Service Incorporated v Encana Corporation, 2016 ABQB 229.
Geographical Service (GIS) is a company that gathers offshore seismic data in the Arctic and elsewhere. After processing the data through sophisticated software programs, it then licenses the results to oil and gas companies searching for deposits. GIS argued in the Alberta Court of Queen’s Bench that it had copyright ownership of such data. The data GIS licenses to others must be submitted by production companies to various energy boards when they seek permission to drill. Normally, boards will keep that data private for five to 15 years, but after that, it may give the public – including other oil companies – access.
GIS, bringing action against a number of regulatory boards and energy companies, argued that was an infringement of its copyright, which under Canadian law would protect its data for 50 years or more. The defendants argued that since the data is primarily collected and processed by machines, GIS had no copyright.
The appeal court held up the lower court’s ruling in favor of GIS, concluding it had copyright over its seismic data. It found that in the creation of map, charts and other material, even when their creation was assisted by technologies, there was still the requisite human creativity, intervention and the authorship to grant copyright.
Kratz says that the court held, “that the software had to be programmed and set up to do certain processing functions ... so in the seismic case the human intervention includes human beings deciding where to plant explosives to generate seismic waves that they were going to record. The Alberta Court of Queen’s Bench was quite generous and flexible in defining the amount of human intervention.”
This “more thoughtful consideration of the existence of copyright in a database or the data itself,” explains Kratz, “is important for acquirers to consider during M&A transactions.” Now we have to go from the acquirer’s perspective back to Due Diligence and say, did the seller actually own the copyright? Or where did the data come from? If there is copyright, the question is, do you own or it or is there an intermediary between you, the seller and where the data is being acquired. So we have to do back and look at who [or what] is recording the data, who is processing the data.”
Data Due Diligence
Of course, to properly answer the above questions, M&A teams need to do thorough Due Diligence, drilling down deep into the data’s roots and the potential tangle of multitudinous licensing agreements and copyright issues.
One thing a sophisticated buyer will often do, says Martin Kratz, is conduct penetration tests. Using so-called “white hackers” a buyer – with a target’s permission – will see how easy it is to get past a target’s firewalls and into its data. (That’s much harder to do, of course, in a hostile takeover, increasing the risk of a buyer acquiring tainted data.) If getting into the data was too easy, that should raise red flags about potential liabilities that may be lurking in the data. Such Due Diligence is not all about sophisticated data audits on the part of a buyer’s legal and consulting teams during M&A, says George Takach. It is important to interview people as well.
Before a purchaser’s team enters a data room, especially if the data assets contain personal information, the parties enter into a contractual agreement about the Due Diligence process itself, in accordance with federal and provincial statutes.
Those statutes, such as Canada’s Anti-Spam Legislation (CASL) and PIPEDA,
for instance, may require a vendor to give notifications to affected individuals, says Bradley Freedman
, a Vancouver-based partner and National Leader of Cybersecurity Law Group at Borden Ladner Gervais LLP
. “The ability to use data for commercial messages will depend on the provenance of the data set,” says Freedman. How was it collected? Does it reflect express, or implied, consent? Can that be proven? If there were third-party sources, can the buyer be confident that those sources are legitimate?” Fortunately, there are automation technologies to help with the appropriate Due Diligence.
And it seems, purchasers are still taking on risk. Big Data takes us to the realm of unintended consequences.
“I have been involved in transactions,” recounts Freedman, “where vendors have told me, ‘Look, we can’t tell you with any sort of confidence where we got this data.’” And that’s a risk a buyer has to decide to accept or not.