Protecting Data Assets Critical Amid Increased Technology Acquisitions

Data is the new oil.  Or at least its digital counterpart.

As the mining, collection, packaging, and monetization of data accelerates year over year, it should come as no surprise that the acquisition of technology is the leading driver of mergers and acquisitions in 2018, according to Deloitte’s 2018 M&A Trends Report.

The report underscores what many insiders already know: companies are spending significant sums to acquire the technology assets that enable them to slice and dice data like never before. The world’s largest organizations – technology-focused and otherwise – deal in data, not unlike the companies of the 90s that dealt in oil.

The data generated and processed by small and mid-sized businesses (SMBs) remains among the most valuable – and most vulnerable. While all organizations are increasingly susceptible to traditional data breaches by malicious outsiders, there exists an arguably greater threat to SMBs: the inconsistent and casual approach to the protection of company-generated data and its byproducts in day-to-day operations.

As data collection and usage becomes an increasingly influential commodity, and remains largely unregulated at the state or federal levels, it’s up to SMBs to take the protection of their most valuable asset – data – into their own hands. The following are three steps SMBs can take today to better protect their data assets.

1. Identify Valuable Data + Define Ownership

The first step toward protecting your business’ data is to know what is valuable, where it lives, who has access to it, and what do they do with it. Understanding what data your business both generates and processes – from customers’ personal data to the non-personal data created by your connected systems – can help you assess threats proactively.

The value of company data will vary by industry, every SMB that produces, analyzes, uses or stores data in its operations must take steps to protect its ownership. This can be achieved by defining data in operating agreements broadly to include not just raw data, but also all corresponding analyses, models, extrapolations or algorithms created from or related to that data. Further, clarify at the outset – even before the secondary data exists – to whom it belongs and for how long, eliminating the potential for conflict and loss of valuable data.

2. Update Operative + Licensing Agreements

In general, it’s a good idea to revisit how your SMB structures its operative and licensing agreements. Consider how the new data privacy regulations outlined in the European Union’s General Data Protection Regulation may serve as a template when determining what data protection provisions to set forth in your own agreements.

Provisions requiring that data controllers or processors delete your data, along with any and all byproducts thereof, including algorithms and metrics developed at your behest, upon request or the occurrence of certain events, such as the termination of the agreement itself, go a long way toward protecting your data in a variety of situations.

3. Conduct A Data Audit

Companies already in compliance with the GDPR are beholden to requests by EU residents and consumers to access, modify, and even erase their data records completely. While domestic SMBs may not have the same rights, annual data audits can illuminate data insecurities and help keep security top of mind for all stakeholders.

A quality data audit will include a review of the usage and storage of company data across a variety of operating contexts, from relationships with partners, vendors, contractors, suppliers to the data that exists internally, such as in employment files. Written requests for specific information about how company data is used and stored and under what safeguards should be sent to all partners, vendors, and suppliers, while requests for the destruction of data should be made if said data is no longer in use. Internally, a company’s networks, hard drives, and cloud-based systems should be reviewed and scrubbed of outdated records to avoid the release of protected information in the event of a breach.

There is no static formula for protecting company data. In fact, as data assets evolve, the manner in which they must be protected will become more complex. No law or regulation will suffice in completely protecting or safeguarding a company’s data; that responsibility falls squarely on the company itself, so it’s incumbent upon leadership to regularly assess threats, eliminate vulnerabilities, and never get too comfortable.

About the Author

Geoffrey R. Morgan is the founding partner at Morgan Legal Group, LLC., a corporate boutique firm with offices in Chicago and Milwaukee. For more than 25 years, Morgan has counseled corporations and small-to-medium size businesses in the areas of data protection, domestic and foreign joint ventures, securities reporting compliance, complex mergers and acquisitions, and contract preparation and negotiation.