Data Due Diligence In M&A Transactions: Data Quality and Liability

As data is quickly becoming a significant corporate asset, lawyers in corporate transactions need to consider the associated legal risks. Failure to understand and address these risks can result in significant future costs to the acquiring company.  There are a number of due diligence considerations a potential buyer must address with respect to the target company’s data assets. The first post in the series discussed due diligence in connection with privacy/data protection issues. The second focused on ownership rights in data. This post will examine due diligence with regard to potential liability risks associated with data quality.  

The issue of data quality and potential liability is not new. However, it is becoming more critical as important decisions are increasingly being made in near real-time based upon data.  Understanding the risks will become more difficult as autonomous vehicles (cars, trucks, drones) and the internet of things become more common. For example, if an autonomous vehicle gets into an accident, will it be due to a hardware failure, a software glitch or poor navigational data? The challenge will increase exponentially as businesses integrate machine learning and artificial intelligence into their operations, as much of the data will often be created and processed without significant oversight by humans. For example, if key decisions (employment, insurability, lending, etc.) are made based upon algorithms, it is important to make sure that the data being used in those algorithms is not subject to biases that effectively make the data set inaccurate.[1]

As with other corporate assets that are integral to a wide range of applications in the target company, it is critical that data is “fit for purpose.”  Otherwise the acquiring organization may inherit liability risk for poor data quality. As a result, it is important to understand what Quality Control/Quality Assurance (QC/QA) practices the target company has in place to ensure that the data is suitable for the intended use. There are many factors that must be considered in terms of data quality.  These include completeness, timeliness, accuracy and precision of the data.

Unfortunately, as in other areas of law involving data, the liability risks associated with data quality are uncertain, as there are not many court decisions on this issue. Moreover, many of the decisions that have been published involve narrow segments of law. For example, there were several cases from the 1980’s pertaining to the role of data incorporated into aviation charts, but many of these cases involved sovereign immunity issues since the charts included data from the federal government. However, these cases do raise some important issues that are growing in importance with the increased use of Big Data. Such issues include if and when product liability claims may apply to a data product[2] or what constitutes negligence when using data with errors.[3] Transactional lawyers will want to closely follow how courts address these issues in the broader commercial and consumer context, so they can understand the potential risks their client is taking on in an acquisition.

Even if the data being used by the target company is fit for the initial use for which it was acquired, others within the organization may find other uses for the data. (To paraphrase Jeff Goldblum from the movie Jurassic Park, “Data . . . finds a way.”) As a result, part of the due diligence effort should be to make sure there is no improper use of data once it has been brought into an organization.  

A less direct, but equally significant liability risk associated with data quality is contractual. It is important to understand whether the target company has made any representations or covenants to third parties with respect to its data or related products and services. In addition, the acquiring company should review contracts with third party data providers to understand whether the agreements provide adequate protection – and remedies – in the event there are data quality issues. Another key consideration is what, if any, insurance coverage does the target company have covering liabilities that arise due to poor data quality?