September 21, 2019

September 20, 2019


September 19, 2019


Effective Management of Cybersecurity Risk in Transactional Due Diligence

According to a report by West Monroe Partners, approximately 40% of companies engaged in corporate transactions reported finding a cybersecurity issue during post-acquisition integration of the target company. While companies routinely conduct robust transactional due diligence to manage legal risk, many fail to adequately conduct cybersecurity due diligence. As a consequence, many companies and investors are leaving themselves vulnerable to potentially severe latent cyber risks.

Cybersecurity is especially relevant in healthcare transactions as the industry continues to be riddled with cyber-attacks. Protenus Breach Barometer reports that healthcare has been the most targeted industry over the last few years, with 1.13 million, 3.15 million, and 4.4 million patient records compromised in the first three quarters of 2018, respectively, and more than half of breaches occurring due to hacking. The cat is out of the bag. Healthcare entities usually amass very lucrative personal data – social security numbers, demographic information, health insurance records, and prescription information – making them attractive targets for hackers.

Despite the high frequency of cyber-attacks in the industry, many healthcare entities spend only half as much to improve security protections when compared to other industries.  As a result, these companies remain vulnerable to cyber threats.  In the case of a breach, companies could face penalties from government agencies as well as class action lawsuits. Cyber risks may intensify during acquisitions, as the likelihood of a breach increases with the expansion of the overall cyber footprint.  Further, in a transaction, the target company’s vulnerabilities ultimately become an issue for the acquiring company.  Thus, if the target entity does not have adequate safeguards to protect patient records, then the acquiring company is at financial and reputational risk for those failings.

Given the potential risks, it is important that acquiring companies prioritize cybersecurity as an integral part of due diligence efforts.  An effective due diligence process should at a minimum evaluate cybersecurity preparedness and risks related to the following: 1) current state of risk assessment; 2) technical security features of business-critical information systems and network architecture; 3) implementation of policies and procedures related to information security; 4) policies and procedures related to detecting, responding to, and recovering from cyber incidents; and 5) historical indicators of legal and regulatory compliance issues related to cybersecurity.

©2019 Epstein Becker & Green, P.C. All rights reserved.


About this Author


Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...


ERIC W. MORAN is a Member of the Firm in the Litigation & Business Disputes and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Moran:

  • Represents clients in complex commercial litigation matters, including business and banking disputes
  • Defends clients in white-collar criminal matters, and performs internal investigations for entities facing potential action by state and federal governments
  • Advises clients on anticipating, managing, and mitigating complex legal and regulatory issues related to white-collar enforcement
  • Represents employers in disputes involving restrictive covenants, the misappropriation of confidential information and trade secrets, and unfair competition

An accomplished trial lawyer and litigator, Mr. Moran joined Epstein Becker Green after serving for 10 years as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the District of New Jersey, most recently as Co-Chief of its Criminal Division. During his tenure as Assistant U.S. Attorney, Mr. Moran supervised investigations and prosecutions of a wide range of white-collar cases involving health care and securities fraud, money laundering, obstruction of justice, and violations of the Foreign Corrupt Practices Act, the Food, Drug & Cosmetic Act, and Computer Fraud and Abuse Act, among others. As an Assistant U.S. Attorney, Mr. Moran handled some of the Office’s most significant matters. He was appointed by the Department of Justice as a Special Attorney to investigate fraud and corruption allegations against the Philadelphia District Attorney, which led to a 2017 indictment and multi-week trial that ended in a guilty plea. Mr. Moran successfully tried numerous cases, including the month-long fraud and public corruption trial of the mayor of Trenton, New Jersey, which ended in a guilty verdict. As a supervisor, Mr. Moran oversaw the Economic Crimes, Asset Forfeiture, and General Crimes Units and, later, the Camden and Trenton branch offices. He also coordinated the Office’s Bank Secrecy Act, Suspicious Activity Report Task Force and served as a liaison to the Office of International Affairs. A principal advisor on legal and policy issues affecting the Criminal Division, Mr. Moran managed relationships with federal agencies, consulted on responses to Congressional inquiries, and participated in decision-making at the highest levels of the U.S. Attorney’s Office.

Prior to becoming a federal prosecutor, Mr. Moran was a commercial litigator at a national law firm, where he handled complex business disputes, securities arbitrations, shareholder actions, and environmental cases. He also clerked for U.S. District Judge Stanley R. Chesler and then-U.S. Magistrate Judge Patty Shwartz in the U.S. District Court in New Jersey. Mr. Moran teaches “White Collar Crime” as an Adjunct Professor at Rutgers Law School.

Law Clerk

BRIAN HEDGEMAN is a Law Clerk - Admission Pending - in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green.