Managing Privacy in an M&A

6 Tips for Ensuring Data Security When Two Organizations Merge
In early October, the National Credit Union Administration announced the creation of two bridge corporate credit unions to assume operations of U.S. Central Corporate Federal Credit Union (US Central) and Western Corporate Federal Credit Union (WesCorp).

These actions represent a new phase in the transition of corporate credit unions currently under NCUA conservatorship. And they represent the ongoing consolidation within the banking industry, which has seen 144 banks and credit unions closed, acquired or conserved so far in 2010.

As mergers and acquisitions continue, privacy officers frequently face the daunting task of integrating two disparate companies into one.

"These events will only increase as businesses integrate to gain something that they don't have right now," says Kenneth Newman, vice president and information security manager at Central Pacific Bank. "And it's always going to be a case when cultures are going to clash."

Having experienced about a dozen merger and acquisition events in his 16-year career, Newman says managing risk and privacy in such events is almost like overseeing and managing any large project.

"It's like working with a new service provider, where you need to do your due diligence right," he says. "It has all the same elements and like any other project -- we are accountable for things, but not responsible for the decisions."

M&A Challenges

There will always be a challenge for privacy officers in integrating the cultural and technological differences brought forth by merging organizations.

For instance, when one group is far less conservative and more open to risk because of revenues on the business side, versus the other, which is risk averse, the question for privacy officers is always: "How can [we] bridge the differences and embrace a common ground for risk and privacy with least impact on the revenue stream?"

George Tumas, SVP and CIO of internet services development at Wells Fargo, recently experienced a big merger when his institution acquired Wachovia Corporation early last year. In a merger or acquisition, each side may look at privacy in different ways and/or use different technologies, he says. The key for privacy officers in such events is to "define a target operating model that clearly sets requirements on how the go-forward organization looks at privacy. There is no scary part in the process when it's all well thought out and planned."

Tumas made extensive plans six to nine months before the merger and had defined dates for how and when data conversions, testing, customer education and other processes would follow.

"Privacy management in such cases is all about the customer," he says. "It is both a challenging and a rewarding experience, especially when you see your customers with you in the forefront."

Tips for Managing Privacy in a Merger

Tumas and Newman offer six tips for managing privacy concerns in a merger or acquisition:
  1. Plan & Get Involved: The first step in privacy management involves having a solid plan and a map of all critical data elements holding high-risk implications, including customer account information, social security numbers, employee and customer records, and proprietary information. "Get a basic understanding of who will need access to what types of information, at what points and for what purposes," says Newman. This will produce an initial data management plan that can be vetted by all parties. The privacy officer must further understand who the key entities are on each side with oversight and control of information.
  2. Streamline the Process: Establish a simplified process to know what critical data elements are there, which regulations apply to and shape the acquiree's side, what type of security and IT controls they have, and chalk out details on how the data needs to move. "We need to have defined calendar dates for data conversions and address the how, when and with whom this information needs to be shared," says Tumas.
  3. Constantly Communicate: There has to be a constant flow of open communication on both sides regarding questions such as: Who will manage the data? Who is responsible for which data on each side? How is the control structure and impact of regulations on both sides with respect to data privacy? Who will participate in data conversions, testing and dry runs? Who is responsible for communicating with customers on what's happening? "Data can never be unowned and we can never automatically assume who's playing the primary or secondary role here," Newman says.
  4. Understand the Infrastructure: It is critical to understand the technical controls environment of the acquiree or the merging organization to know where the gaps are with respect to data privacy, says Newman. For example, in one of his merger and acquisition cases the acquiree organization had extensive wireless networks and systems. Newman had to investigate to find loose controls and work out the cost to protect and secure the wireless structure to suit the needs of his banking institution. "It is better to know what changes are needed as early as possible rather than be surprised later."
  5. Understand the Legal Aspects: Focus on what the privacy policies are on both sides. Look into the details of privacy notices handed out to clients. And understand the commitments made to customers. "Whether or not the company engages in selling customer lists to outside entities is important to know to effectively protect the privacy of our customers," says Tumas.
  6. Train and Educate: Setting appropriate training and awareness programs for employees and customers of the organization in such events is a must, says Tumas. "All parties involved must know what to expect." From a customer's perspective, privacy officers need to address what's happening to their account information. How soon can they access their online accounts? When are data conversions taking place? What measures is the company taking to protect their information? Provide a lot of education to them on new functions and information disclosure procedures to avoid being the target of phishing scams and other fraudulent activities. "We can never let our guard down and let fraudsters find ways to exploit us," says Tumas. "We need to constantly educate ourselves to know what tools to invest in and find our areas of vulnerability."

Legal Implications

As both entities begin to come together, a big role for privacy officers is to look into agreements and contracts with regards to vendor relations, regulations, customer information and more.

"Data is a big driving force for these types of transactions," says Kirk J. Nahra, partner at Wiley Rein, LLP. "Here, privacy officers need to understand the big picture of what a true integration is and what the legal status of the new or acquiree company is."

Nahra's advice for privacy officers handling such events is to invest time in understanding how the business at the acquiree or merging company works practically. He suggests looking into the company's customer base, countries and regulations involved, business usage of its customer information and legal commitments made by the company to its customers. "If a merging stock brokerage company sells its customer information to a third party, the privacy officer ought to know this."

From his experience, Nahra notes that it is a lot easier when two companies from the same industry are involved in a merger or acquisition scenario, as then the rules are pretty defined for both entities.

Newman agrees and cites an example from his tenure at Deutsche Bank a couple of years back, when the financial institution acquired a company called National Discount Broker. "The company had an internet brokerage component which we never understood, and for a long time this system was alienated from our main IT environment," he says.

Closing Thoughts

Newman's advice for privacy professionals: "Put your personal differences aside and focus on what's best for the organization, and don't be afraid to raise red flags and questions when the need arises."

He also adds, "Understand that change cannot be brought within a day or two. It is time-consuming, and involvement follows the cycle of pre-integration, through it and post it."


About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.