Transition Service Agreements—Don’t Forget the Data!
» Partner Glynna Christian identifies important considerations
concerning your IT vendors when closing corporate transactions.
by Glynna Christian and Nikki Mondschein
The Transition Service Agreement (TSA) is the oft-neglected agreement in an M&A transaction. Although TSAs are starting to get their due, parties tend to focus on the services the divested entity will require from the seller (Forward TSA Services) or the services the seller will require from the divested entity (Reverse TSA Services). In connection with these services, the entity providing services (Service Provider) may provide access to and use of its: (a) proprietary and third-party IT assets (e.g., IT systems, tools, software and equipment); (b) employee, customer and vendor data; and (c) other confidential or sensitive information. The Service Provider also may receive access to and use of IT assets, data and other confidential or sensitive information of the entity receiving the services (Service Recipient).
The scope of Forward TSA Services and Reverse TSA Services certainly should be front and center as they are in other service agreements, such as outsourcing agreements. However, unlike other service agreements, TSAs are just one component of the overall M&A transaction for which neither party is willing to assume additional liability. As a result, TSAs typically either do not include, or include minimal provisions for, indemnification, warranties, service level agreements, business continuity and disaster recovery, and data protection and information security.
While the parties may be willing to assume the potential risk of not having some of these provisions, they need to recognize that the post-closing relationship between the seller and the divested entity, from a data protection and information security standpoint, is akin to an outsourcing relationship. Once the transaction closes, the divested entity is no longer a group company but is a third party, even during the transition period. There are numerous countries with data protection laws requiring consent to the disclosure of personally identifiable information (PII) to any third party—once closing occurs this includes the divested entities. Depending on the type of data being shared, there may be other requirements or restrictions around the protection, collection, use and disclosure of data, such as (a) industry-specific laws, particularly in the financial services industry, (b) the terms in the parties’ privacy policies and (c) contractual obligations with other third parties who provide PII.
It is important for the parties to know what data is being shared and include all requirements applicable to such data in the TSA.
Although TSAs generally have confidentiality provisions to protect the parties’ confidential or proprietary information, these are rarely sufficient to cover the detailed requirements necessary to satisfy applicable data protection laws applicable to the disclosure of PII and other data to third parties. Complying with these requirements, therefore, is a matter of complying with law and other contractual requirements and protecting individuals’ PII and the parties’ reputation.
Data Privacy and Security
Although cybersecurity was covered in-depth earlier in this report, it is important to address the topic as it concerns TSAs. Before beginning to draft and negotiate a TSA, the parties need to understand: (a) the services to be provided; (b) how the services will be provided, including access to or use of systems, facilities or data; (c) what data will be created, disclosed and/or modified; (d) what are the terms on which such data was collected; (e) integration or development required for the services; (f) the flow of data and information between the Service Provider and the Service Recipient; (g) the legal entity(ies) performing services as the Service Provider (which may vary depending on the particular service), including the identity and responsibility of all subcontractors and the jurisdiction where they will be performing such services; and (h) the legal entity(ies) receiving services as the Service Recipient (which may vary depending on the particular service), including the identity and responsibilities of all subcontractors.
For example:
- How will each party access and/or use the other parties’ data and information?
- What is the nature of the data and information being accessed or used, e.g., any PII—not just with respect to employees but also customers? Confidential or sensitive information?
- What is the scope of the consent already received, if any, for the collection, use and disclosure of such PII?
- What is/are the location(s) from which data and information may be accessed or transferred? Will any data originate from the EU? Massachusetts?
- Which entities may access and/or use the data and information (affiliates, subcontractors, etc.)?
- Will any of the entities accessing the data and information also need access to and use of the parent company’s IT assets during the transition? Specifically, what types of access and use will be needed? Can you block access to information not related to the services to be performed under the TSA?
- Will any knowledge transfer or other specific cooperation be needed?
- How will the parties provide for the return or destruction of data or information after the services are completed? How will back-up data be addressed?
- Will any data be provided in connection with services or license agreements between the parent company and third parties? If so, how may the terms impact the TSA? Will any licenses or leases need to be transferred and, if so, will any third-party consents be required? Who will pay the cost, if any, to obtain such consents?
- What practically needs to happen in order for the transition of both Forward TSA Services and Reverse TSA Services to be completed? Who will own the process internally?
Access Controls and Encryption of Data
Once the parties have an understanding of which entities will receive access to data and information, the parties will need to discuss what access controls and data protection measures are currently in place at each respective entity to control access to PII and other confidential information, and whether any additional controls may be needed.
The parties will need to ensure that the other party (and their respective affiliates and subcontractors) with access to the parent company’s data and information implement the necessary technical access controls and other data protection measures, such as:
- Firewalls
- Data encryption
- Secure VPN access
- Secure file transfer protocol (Secure FTP)
- Anti-virus/anti-malware software
Other Contractual Protections
Depending on the data and information being accessed, the parties also may wish to include contractual terms around physical access restrictions and data security, such as:
- Narrowly tailored access grant/ license terms (for access to data and/ or IT assets)
- Approval process/satisfaction of conditions precedent before grant of access
- Background check/employee screening requirements
- Key personnel, ethical wall and other personnel-related requirements
- Strong confidentiality requirements
- Strong warranties and indemnifications
- Governance and dispute resolution process tailored to the services
Although TSAs involve a great deal of complexities and case-specific analysis, there are a number of practical ways in which the parties can get ahead of potential data privacy and security issues by being strategic in drafting the TSA to include terms and conditions that more fully and accurately cover the new relationship of the parties.
- See the article in Infosecurity Magazine.
