by Rebecca L. Rakoski, Esq. and Patrick D. Isbill, Esq. of XPAN Law Partners
When it comes to the intersection of law, business, and technology, the legal cannabis industry is arguably at the center of all three. The industry relies heavily on creative, innovative technology to distinguish itself, continually analyzes profitability forecasts to take advantage of new business opportunities, and must at the same time monitor the changing data privacy regulatory landscape; added up, it can all seem rather daunting. Securing trade secrets and overseeing reputational management related to cybersecurity and data protection are some of the challenges at the forefront of this industry, especially after last year’s stunning pace of mergers and acquisitions. Increasing consolidation of fragmented segments of the cannabis industry is foreshadowing a strategic, long-term business approach to achieving higher profits and revenue, leaning on market advantages such as relatively favorable interest costs for now and lower valuations.
Data security and past cyber events play a significant role in these transactions, as do regulatory compliance and data privacy laws. One of the primary, if not foremost, objectives of any deal involving a merger or acquisition is of course valuation. Poor cybersecurity practices, lack of a comprehensive security and data protection program, and digitally unsecured proprietary assets on the part of the target company could spell unforeseen financial, not to mention legal liability, headaches for the acquiring organization.
The business of legal cannabis is, after all, a unique industry because of the already intense regulatory oversight and the enormous amounts of data inherently built in and circulating throughout its diverse industry sectors. From cultivation and laboratory research to manufacturing that incorporates processing for global distribution and all the way out to consumer dispensaries, the aggregate value of such data is almost nothing short of priceless. Simply put, data equals money in today’s global digital economy. So when the acquiring organization fails to adequately perform its due diligence when it comes to cyber compliance, it may be in for a rude awakening after the merger or acquisition, especially if this data has been unknowingly compromised.
Every company should first seek to identify and classify the type of data it is acquiring to determine regulatory compliance. Personally identifiable information (PII) and/or protected health information (PHI) and where either comes from, e.g., a consumer or patient, will go a long way to understanding whether state and/or federal laws have been violated. Next, discovery of a past cyber event or breach is critical. Compromised data from inadequate cybersecurity or failure to report potential violations of state data privacy laws to any of the corresponding state enforcement agencies could result in hefty fines and unexpected assumption of liability, not to mention the legal costs to fix it after the deal is done.
Almost every cannabis business knows from the outset it has very particularized regulatory requirements, but such knowledge does not exempt it from complying with additional regulatory data privacy and cybersecurity obligations. Regardless of the side of the transaction, businesses need to keep several key end goals in mind during an M&A deal. Questions include but are not limited to the following: (i) prior cyber practices; (ii) prior cyber incidents; (iii) documented cybersecurity and data privacy programs; (iv) whether those programs are operationalized or just “there” for window dressing; (v) whether there is cyber-liability insurance; and (vi) the nature and type of contractual obligations. All of these elements will help to determine the level of data privacy and cybersecurity maturity of a business which, in turn, affects the value of the data and practices of the targeted organization.
Poor data security and privacy practices can lead to a devaluation of the business calculus and create an unforeseen situation where an organization suddenly becomes a liability rather than the intended asset. In the current shifting legal and technological environment, ignoring or leaving cybersecurity and data privacy due diligence in an M&A transaction to the last minute can be a costly enterprise. In addition, the nature and type of contractual obligations in and around data privacy and cybersecurity can also create a potential for substantial liability if the organization has not operationalized its privacy and security program. Each part of this due diligence is interconnected and can wreak havoc if not properly assessed and, in some instances, immediately addressed.
Like water running downhill, any variation in terrain going forward will cause a parallel, and potentially unpredictable, directional shift.
All in, the industry is keenly aware of what consumers value – privacy. For example, trust in the product sold and confidence that their identity is secure top most consumer surveys on the topic. Any cannabis business understands this fragile balance, and any path to growth in the industry must account for it. The same applies to trade secrets. Often the linchpin of a merger or acquisition will be the result of interest in innovative research or breakthrough technology developed by the target company. If it is discovered later that this proprietary work was potentially compromised or publicly disclosed, then the initial value used as the basis for negotiations could diminish exponentially if the work has been appropriated by a business competitor or industry rival looking for a market share advantage.
Due diligence is already part of the fabric of M&A deals. Reports suggest the large volume of global mergers and acquisitions overall is expected to continue this year from last despite worries over regulations and rising interest rates. But focusing on accounting and finances without spending time on determining past commitments to cyber readiness and compliance can unravel even the best of intentions. Valuation is a key calculus in these deals. Understanding the true value of what is being acquired or consolidated is essential to taking advantage of business opportunities for growth and return on investment for an industry primed for both.
Rebecca L. Rakoski, Esq. is Co-Founder and Managing Partner at XPAN Law Partners, LLP. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions.
Patrick D. Isbill, Esq. is also Co-Founder and Managing Partner at XPAN Law Partners, LLP. Patrick’s practice focuses on cybersecurity and data privacy compliance and enforcement, addressing the business needs and demands of highly regulated industries.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.