In-fo’ a CFIUS Review: The Expanding Power of CFIUS through Data Security Scrutiny
CFIUS is expanding its reach. Where the Committee on Foreign Investment in the United States has generally scrutinized foreign acquisition of U.S. “critical infrastructure,” it has now signaled that it may look closely at any deal where the target collects or maintains sensitive personal information.
So be CFIUS-wary on foreign investment in:
internet service providers,
recruiting and job placement platforms,
even sports teams that collect data on their fans . . .
. . . and the list goes on. It will end up including just about any industry where companies collect personal information about individuals in the United States.
An Imposing Barrier: The Latest Failed Deal
Last week, CFIUS reportedly refused for the third time to accept the mitigation steps proposed in Ant Financial’s proposed acquisition of MoneyGram, the U.S. money transfer service. For that reason, Ant Financial gave up the effort and paid a $30 million termination fee to MoneyGram to compensate for the deal’s collapse.
But the question remains: Why is CFIUS looking at a deal about cash wiring services?
The Narrow Scope: Where CFIUS Usually Looks
The implementing regulations authorize CFIUS to examine any transaction in which a foreign person will take ownership or control of a U.S. company. Based on that review, the President of the United States is empowered to suspend or unwind transactions that affect U.S. national security. As a rule of thumb, CFIUS review has typcially focused on transactions where a foreign person might take control of a U.S. company in the defense sector, or in the sectors falling within the broad category of “critical infrastructure.” That term, though not clearly defined in the regulations, includes energy infrastructure, telecommunications, and goods and services that the U.S. government relies on for day-to-day function.
The Broad Horizon: Where CFIUS may Begin Looking Now
The refusal of the Ant Financial/MoneyGram deal continues a trend we have seen in our recent dealings with CFIUS: a laser-sharp focus on data security and protection. The Committee is clearly concerned that non-U.S. persons will acquire access to the sensitive personal information of persons in the United States. U.S. companies considering foreign direct investment and non-U.S. investors looking at the U.S. market would be well advised to prepare meticulous data security plans, even limiting the sharing of data held by the U.S. target company from its putative foreign parents.
As we report here, the trend of expanding review of foreign investment does not appear to be going away soon. The best placed companies will be those that adapt to the changes and prepare themselves to pass that scrutiny come through to a successful deal.