Michael Kauffman – Tech DNA
Imagine this: After months of market analysis, your company has finally separated contenders from pretenders and found its acquisition target: a plucky Silicon Valley startup with a game-changing machine learning technology platform.
Later that day, you see a story on CNN about one of your competitors being fined hundreds of millions of dollars for violating the European Union’s General Data Protection Regulation (GDPR), because the startup it acquired failed to adequately protect people’s privacy.
Once the schadenfreude subsides, the alarm bells begin to ring: This absolutely must not happen to us.
With any luck, it won’t—so long as you give Michael Kauffman a call before closing on the deal.
“If you’re a company acquiring tech, the day those papers are signed you’re on the hook for all the sins of your target; there’s no grace period,” says Kauffman, a former programmer-turned-attorney who now serves as principal and chief legal officer for the Seattle-based Tech DNA, a leading provider of technology due diligence services. “Even if you isolate them within a holding company, the GDPR still gives regulators all the tools to fine you based on 4 percent of your global revenue.”
The revenue of the parent company—not the target. Meaning there’s a potential for fines to dwarf the cost of the acquisition itself.
“Gone are the days where the worst that could happen was the deal ended up not achieving its goals,” Kauffman adds. “Now the downside can be many multiples of the deal itself.”
Opening salvo
According to Kauffman, laws like GDPR (as well as the upcoming Consumer Privacy Act in California) represent a reckoning of sorts for a tech industry that long viewed itself as immune to politics—and, more importantly, regulation.
Prior to GDPR, the biggest privacy violation in U.S. history resulted in a $25 million fine of AT&T. But earlier this summer, the Federal Trade Commissioned fined social media giant Facebook $5 billion—a penalty amount Kauffman says was directly influenced by GDPR, even though GDPR is an EU law.
“GDPR and the tone it set are just the first wave,” Kauffman says. “The gloves have come off on both sides of the pond. And even if you don’t get the billion-dollar treatment Facebook got, the message is clear: The penalties are no longer wrist-slaps; they’re face-punches.”
Don’t Get Bitten
It’s Tech DNA’s focus to ensure that buying tech doesn’t put you on the regulatory radar. First, Kauffman and his team review any and all technology-related documents underlying the transaction: everything from architecture diagrams, to privacy policies to data schemas.
Next, they dive into the code itself. And this is what separates Kauffman’s team from other digital regulatory compliance teams: The documents aren’t the standard of truth; the code is.
“It’s exceedingly rare that the documents tell the whole story. After hundreds of assessments, maybe we’ve seen that once,” Kauffman says. “It’s the tech-as-built, not the docs-as-written, that really drive the regulatory scrutiny, so the tech-as-built is what we focus on.”
The goal, Kauffman says, is to pinpoint any red flags regarding how the target handles its information. For example, when the legal team says to the tech team “delete X from everywhere,” the tech team might not really understand that truly means everywhere. So they delete from key databases and backups, but not POCs, crash dumps, log files with foreign keys or other locations—things few attorneys understand.
“The list goes on and the GDPR gives no relief because tech and legal couldn’t get on the same page,” Kauffman says. “It’s the same with data isolation, consent demonstration, salting, training sets, visual identifiers, context-based sensitive data, leveraged privacy regimes, imposed personal data and so on. The reality is that there’s a painful shortage of the dual-hat programmer/attorney that understands both the tech and the law.”
More Deals Affected
According to Tech DNA’s own data, 9 to 13 percent of all deals fail because of technology problems associated with things like privacy.
“For a lot of acquirers, they take the risk apparently thinking, ‘We’re good. There’s an 87 to 91 percent chance that everything is just fine, right?’” Kauffman explains. “But that’s irrational; the cost of checking is a small fraction of the penalty if caught. It just doesn’t make sense to ride rogue anymore, which of course is by regulatory design.”
“We prevent bad deals before they happen,” he says.
But it’s often not as black and white as “buy or don’t buy.”
For example, Tech DNA’s analysis might support the deal going through, but only under the condition that the target shed historical data not properly obtained under modern privacy regimes.
Alternatively, Tech DNA might identify that a certain privacy-violating feature or functionality needs to be turned off. Or recommend making the calculated choice to stop selling in the EU to simply dodge the GDPR entirely. What’s more, Tech DNA can review if the target’s tech can accurately detect EU customers from others to ensure the GDPR dodge is complete.
“To those who see GDPR and privacy regimes generally as only a cost, they’re missing the point,” Kauffman says. “It’s entirely possible to make GDPR a competitive advantage; and we’re seeing savvy tech acquirers wake up to that. That’s what makes our skills and expertise unique: We understand the tech, the law and the market forces at play.”
The False Comfort of Anonymizing
Still, Kauffman says one the most common attempts to dodge the GDPR is the riskiest of all: attempting to escape privacy regulations by anonymizing data so that no personal data remains—while retaining the profitable insights that make the data so valuable.
The problem, Kauffman explains, is that anonymization is much harder than it seems, as the cracking of a few high-profile anonymized datasets have shown.
Like the time New York City was compelled—through a freedom of information request—to disclose GPS data of its taxicabs. While the data was anonymized, it wasn’t done correctly, so numerous personal details were leaked, such as specific taxi trips by Bradley Cooper and Jessica Alba and the potentially embarrassing fact that neither tipped.
Or the time a supposedly anonymized health insurance database for the State of Massachusetts was used to identify the specific medical condition of then-Massachusetts Governor William Weld that he refused to disclose himself. Or when streaming giant Netflix had to pay $9 million to settle privacy claims for releasing supposedly anonymized data in support of a contest that let teams compete to create a new suggested-viewing algorithm.
What comes next
The problem, Kauffman says, is that terms like “anonymous” have legal meaning but require technology skills to establish if the software actually meets the legal standard. In fact, it’s one of the industry’s big blind spots right now: There simply aren’t enough people with years of technology experience and years of legal experience to fuse those two worlds and provide real guidance.
“Ten years ago, it might’ve been forgivable for being less private and less secure if it was unintentional,” Kauffman says. “That’s no longer the case. We spot personal data all the time at tech companies and they have no idea how much they actually have and how poorly they’ve obscured it. But the regulators don’t seem to care that anonymization is difficult. They just know that post-close, the acquirer is liable for it.”
“The GDPR changed everything and the feds and individual states, especially California, aren’t far behind. Now you have laws that can affect your entire reason for pursuing a deal in the first place. And more regulation is coming.”
Getting a clear-eyed view of the risks is key, says Kauffman—so you can make CNN headlines for all the right reasons.
“Tech due diligence has become a market in its own right, rather than just a niche practice for a few sophisticated acquirers,” Kauffman says. “A few years ago, the market didn’t exist to quantify such tech risks, so companies just bought blindly. But that’s changed and it’s now possible to reduce tech risk even as tech risk becomes more painful.”
Showcase your feature on your website with a custom “As Featured in Vanguard” badge that links directly to your article!
Copy and paste this script into your page coding (ideally right before the closing