
Privacy and cybersecurity

Mergers and Acquisitions: Does Your Due Diligence Process Properly Address Privacy, Cybersecurity and Technology Considerations?

By Nathalie Lamontagne, Élyse Rioux and Dany Guimond-Valcourt
During a merger or acquisition, an important question arises: does your due diligence process include a thorough assessment of the target business's privacy, technology and cybersecurity risks from the outset?

These issues are often addressed too late or only superficially, even though they carry serious regulatory, legal and operational risks that can result, in particular, in substantial post-transaction costs.

As digital transformation accelerates and regulatory requirements surrounding privacy and cybersecurity grow, it is critical to recognize that acquiring a business with inadequate practices in these areas poses more than legal and financial risk. From the outset, it is essential to assess those risks, understand how the integration will be executed, and identify the resources, effort and timelines required to complete it while keeping privacy protection at the forefront. These findings should directly inform the purchase offer that is submitted.

1. Due Diligence Cannot Be Limited to Traditional Legal and Financial Aspects

While financial, contractual and tax considerations remain essential, a thorough review must also rigorously address three key areas:

  • Compliance with privacy laws
  • Cybersecurity posture and practices
  • Technological maturity of systems, tools, vendors and business models, including the use of artificial intelligence

2. The Cost of Non-Compliance and Outdated Technology Can Be Substantial

Acquiring a business that:

  • fails to meet legal requirements relating to privacy and cybersecurity,
  • has cybersecurity practices that are incompatible with the acquirer’s or are underdeveloped,
  • operates with outdated technology due to years of underinvestment,
  • lacks the resources needed for integration,

means exposing yourself to a range of post-transaction consequences, including:

  • Unexpected costs for system upgrades and technical integration
  • Potential operational disruptions caused by tool incompatibility, lack of synergy or security vulnerabilities
  • Risk of privacy breaches during the integration process
  • Regulatory exposure due to past, poorly managed privacy incidents
  • Limited cybersecurity insurance coverage if the new integration is deemed too risky
  • Fines, investigations and litigation related to non-compliance

Malicious actors closely monitor these types of transactions, which are often announced prematurely on social media. The integration phase is a period of particular exposure for both entities: networks, identity systems and data flows are typically connected before security controls and practices have been harmonized, so a weakness in either organization becomes reachable from the other. A security incident during this phase, especially one caused by a flaw that due diligence failed to detect, would be particularly damaging.

3. Critical Checks to Include in Your Due Diligence

Below are key areas to assess during your review process:[1]

Privacy and Cybersecurity

  • Does the target business meet its legal obligations under Quebec's Act respecting the protection of personal information in the private sector (the "Private Sector Act")? Does it have an up-to-date personal information governance program in place?
  • Has it experienced any privacy incidents? What mitigation measures were implemented? Failure to establish proper controls is not a simple oversight: it is a non-compliance issue that becomes the acquirer's responsibility on closing.
  • Has it conducted privacy impact assessments (PIAs) for its technology projects involving personal information?

Technologies and Artificial Intelligence

  • Are the business's systems compatible with those of the acquirer? Has a realistic technology integration plan been evaluated? Are the right resources in place to execute it?
  • Are AI tools being used? Are they governed by internal protocols and contracts that meet transparency and explainability requirements, including where decisions are based on automated processing of personal information?
  • Are the systems current, well maintained and secure? Has the business invested adequately over the years to keep them robust? Have penetration tests been conducted to identify security vulnerabilities, and have the findings been remediated?

IT Vendor Contracts

  • Do the contracts include strong clauses related to cybersecurity, privacy and incident management, including notification timelines for incidents affecting the business's data?
  • Do the contracts reflect the business's requirements for cybersecurity and personal information processing, including the conditions that apply when personal information is stored or communicated outside Quebec?

Cybersecurity Insurance

  • Do the existing cybersecurity insurance policies of the target business, or even those of the acquirer, adequately cover the risks the transaction entails?
  • Is the coverage sufficient and aligned with the business's actual technological reality?

If the business is non-compliant or has a weak cybersecurity posture, the insurer may deny coverage or adjust the terms.

An Incomplete Post-Incident Review Is an Active Risk

It is not enough to simply assess the risks caused by a past incident at the newly integrated business. You must ensure that it has:

  • conducted a thorough root cause analysis,
  • completed all required notifications,
  • implemented corrective and preventive measures to avoid recurrence.

Failure to do so means the acquirer may not only inherit the issue but also find itself non-compliant as soon as the transaction is finalized. For example, during Verizon's acquisition of Yahoo, Yahoo failed to disclose before signing the agreement that it had been the target of two cyberattacks compromising over 3 billion accounts. Once the incidents were revealed, Verizon negotiated a $350 million reduction in the purchase price, as well as a liability sharing agreement.[2] Verizon also had to cooperate in investigations and legal proceedings related to the two breaches.

A due diligence review that combines both technological and regulatory aspects—and keeps pace with developments in personal data protection—is now essential. Neglecting these areas can lead to underestimated integration costs and heightened exposure to legal and regulatory risks. These aspects are no longer secondary—they have become strategic levers of a business’s true value. They should not be viewed as mere expenses, but rather as safeguards against future liabilities that might otherwise be uncovered too late. The goal is clear: to maintain competitiveness and support the growth of the new entity.

Our Team Can Assist You

Whether you are navigating an acquisition, a strategic partnership or a digital transformation, our team of technology, cybersecurity and privacy experts can help you:

  • assess data management practices and cybersecurity risks,
  • verify compliance with applicable laws, including the Private Sector Act,
  • review the contractual posture of technology vendors, including clauses related to security, privacy and incident management,
  • evaluate the business’s technological maturity and the strength of its governance mechanisms.

[1] Please note that these are examples of key areas to monitor. A detailed due diligence checklist, based on best practices and tailored to the specific context of the transaction, is required.
