I am often asked how startups can find the right balance of prioritizing digital legal compliance in their operations and growth strategy. Now I want to address a slightly different version of this questions: how investors (particularly early-stage investors and venture capitalists) should consider these same factors. The latter is a great question, but also slightly more complex, as the VC perspective on legal compliance is heavily influenced by the VC strategy for both optimizing return and exit. Let’s consider these individually.
Funding
Prior to each round of funding, a VC is going to evaluate the potential of the business in terms of the potential for return on investment. A business model that is highly dependent on the free use of regulated data may have lower returns if the marketplace cannot sustain the price models necessary for revenue needed to pay for that compliance effort. Certain types of data are more regulated – and therefore more expensive to govern – than others. Sensitive personal information, data of children, student data, health information, government-controlled data (unclassified or classified), criminal justice information, defense information, and national security information are all subject to regulation above and beyond mere “personal data”. Technology that stores, processes, transmits, or manages these data types must be considered to have a higher cost of maintenance when considering returns.
VCs are also wise to evaluate founders’ understanding of the cost of legal compliance as part of their financial strategy. No one likes a cost center – especially at the bootstrap phase – but legal compliance is an administrative necessity for technology operations where data is continually facing new regulation. VCs know that a good founder is not afraid of new information, approaches feedback with a growth mindset, and is willing to make hard decisions in the midst of known risks. Good founders do not need to ignore or dismiss relevant information just because it identifies areas of work and improvement. This attitude should also be present in their approach towards digital legal compliance. After all, most VCs would not invest in a company whose founders do not want to pay taxes or employees, and there is no reason that compliance with data- and technology-related laws should be the sole area of disregarded law.
Growth and Operations
No company goes straight from funding to exit strategy. Wait… What? Yes… and there are a ton of legal issues that can come up when starting, operating, and growing a digital or digitized business. But not every legal issue needs to be addressed with the same level of urgency. You can and should prioritize. With increased regulation in the U.S. and Europe around the collection and use of data (not to mention existing laws regarding the protection of intellectual property), founders need to address legal risks earlier and earlier in their journey. When founders call me, they frequently want to know “where should we start?” They cannot tackle every legal risk up-front, so they want to know where to put the effort in first, and how they can plan for later.
I frequently tell them the same thing I tell VCs and seed investors: establish a good foundation for scalable legal compliance. What does that mean? Well, given how many times I find myself repeating this, I have outlined what this means below.
- Get the corporate house in order. Register the business and agree among founders how things will run (Corporate Governance documentation and/or Operating Agreement). This should be done before any revenue is generated. No matter how much y’all like each other now, when money gets involved, disputes can happen, and operating agreements will help prevent or resolve those disputes. This is the basic foundational work that corporate lawyers do for new entities, and VCs often have great resources for this.
- Plan for administration. Yes, I am fully aware that absolutely no founder or funder thinks, “What I am most looking forward to is paperwork!” but information and systems management from an early stage can greatly reduce the burden of legal compliance as the business grows. Keeping clear, comprehensive records of assets, data, code, and contracts in a manner that prevents conflicts, inconsistencies, or confusion is necessary to meet various disclosure and notice requirements – and it keeps you from accruing too much “legal debt”. Just like good code hygiene helps prevent technical debt, good legal compliance hygiene will set you up for ongoing success and ease of administration as the enterprise grows and becomes more complex. A failure to keep on top of this will create legal risks when important information is unavailable or incorrect due to record keeping errors.
- Get your statutory notices done – especially online privacy notices. This is particularly important if you collect ANY information (including web analytics) on your website. Online legal notices are how you scream to the world “I am [not] responsible with your information” (bracketed language depending on the state of the notice). An experienced technology lawyer should be able to produce or review your preferred terms very quickly and without huge expense except for the most complex cases, and for those they can advise you of the complex regulatory landscape you are entering. If you eschew this advice and go with someone who “winging it,” or provides you with a standard form template without understanding your business model and exit strategy, your legal debt may quickly outpace your anticipated revenue.
Some folks will think that these statutory notices are less important that commercial contracts, but I prioritize them here – particularly for digital businesses – because of the very public message they send to potential customers and investors. The exercise in producing these notices also provides an opportunity for the company to spot and prioritize additional legal issues, which can be addressed as part of a compliance roadmap.
- Develop clear commercial contract forms. These should be unique to your business and its risk tolerance levels, as well as appropriate for your market and the technology you are selling. While there are great online templates and examples available, beware of using another entity’s contract if you do not have a good understanding to what you are agreeing. And be very wary of templates designed to sell generic “stuff” or “services”. They are usually inappropriate for SaaS or digitally delivered services, particularly if you are in a high-risk or specifically regulated market.
A good way to conserve budget while getting legal advice is to work with a lawyer who has extensive experience with commercial contracts for the type of product or service you offer. If that is not an option, then consider starting with a template you like and send it to your attorney with an explanation of why you think it is appropriate for your business. This can actually be more appropriate than starting with templates held by a law firm that does not have extensive technology commercialization experience. Ask your lawyer not only what you should definitely include in the contract, but what can be removed. I have even found client templates with overly-restrictive terms that could threaten deals while not providing significant benefit. Eliminating those contract clauses and providing my clients with a business-friendly, commercial contract template helps reduce both the time and resources to close deals – and without taking on unnecessary legal risks.
- Keep in contact with your trusted legal advisor. Any of the tasks above would benefit from a trusted legal advisor. Look for someone who understands the challenges of being an entrepreneur. If you think the person is not listening to you, doesn’t ‘get’ your concerns, or will not consider your business priorities, keep looking. Good strategic partnership is not an exercise in legal theory and requires frank two-way communication with mutual respect.
Of course, the benefits of early and strategic legal engagement – particularly for technology startups with global ambitions – go beyond the realm of mere risk mitigation and prioritization. Find yourself a good lawyer who is willing to work within your priorities and budget and you just might find your best partner for meeting the next major milestone for your business – like milestones associated with your exit strategy.
Exit Strategy: M&A – Technical, Cyber, and Legal Debt.
Deloitte’s most recent merger and acquisition (M&A) trend reports indicates that, despite stubborn interest rates, economic indicators suggest that M&A activity will remain strong or even grow in 2024. Cybersecurity, data protection, and privacy risks are associated now with almost all M&A transactions, and M&A activity alone can increase the likelihood that an entity will be targeted by cyber criminals. VCs seeking to fund companies with an M&A exit strategy and established companies looking to acquire these entities should both be aware of the risks that cybersecurity practices may impact their investments. Some examples include:
- Security incidents at Yahoo! were discovered prior to Verizon’s acquisition of Yahoo! This resulted in a $350 million reduction in the purchase price of $4.83 billion (~7%), plus post-closing costs resulting from the incident.
- A security incident at TIO Networks was discovered after PayPal’s acquisition. Within 6 months of closing the deal and after a full investigation in coordination with the New York Department of Financial Services, PayPal wound down operations of TIO network, despite the very recent $230 million price tag.
- Shortly after Spirit AeroSystems was authorized by regulators to acquire Asco for an undisclosed amount, Asco suffered from a successful ransomware attack that shut down a significant part of their business. The deal was cancelled.
- An internal security tool at Marriott flagged activity that eventually led to the discovery that the network infrastructure at Starwood – acquired 4 years prior – had been compromised, resulting in the exposure of up to 500 million guest records. Despite the fact that the security breach pre-dated Marriott’s acquisition, its prompt investigation, and reporting of the incident, the UK ICO imposed a fine of £18.4 million, and Marriott faces multiple class action lawsuits.
- The SEC has charged SolarWinds (the company) and its CISO (individually) with claims of fraud and internal controls failures in violation of a variety of SEC rules after the 2020 cyberattack implemented through SolarWinds software. More on that saga here and here.
Those are just the deals large enough to make the news. The next tech unicorn is out there, waiting to be discovered and brought to market. There is a good chance they will be built in the cloud, using LLMs to develop low-code or no-code AI-empowered solutions. They will be built with and for big data and big data analytics. All of these development and go-to-market strategies come with significant digital legal compliance risks that could impact the deal valuation, either before or after the transaction.
Despite the significant legal and financial risks, it remains atypical to give more than a cursory look at cybersecurity, data protection, or privacy legal compliance as part of the M&A due diligence. At most, you might see a short questionnaire with basic requirements like “Does the target have a privacy policy?” and “Does the target have an ISO 27001 certification?” with very little thought behind the adequacy of either.
This does not mean, however, that an entity must be at “perfect compliance” (no such thing) in order to be valuable or even complete the transaction. As with any M&A strategy – whether you are a VC supporting a target company in exit or an acquiring company – knowing this “legal compliance debt” or “cybersecurity debt” is no different than calculating the technical debt that may existing in the technology that would be driving the transaction. Digital legal compliance due diligence should be treated with the same level of diligence as done by the business when evaluating technical debt, especially now that the laws are evolving such that digital legal compliance may need to be coded into the product or service!
Exit Strategy: IPO – SEC Cybersecurity Disclosures
Of course, not every startup has an exit strategy that is tied to acquisition. The company may also be eyeing and IPO. For IPO disclosures, there is additional risk involved stemming from new SEC Rules on disclosure of cybersecurity incidents. But overall compliance with these rules is a complex story. Many disclosure documents include a nearly cut-and-paste disclosure that simply note the various ways that data breaches might happen and are therefore a risk to the company, and breach disclosures run the gamut from over disclosure to unique interpretations of what might be deemed “material”.
The regulatory enforcement actions relating to breach disclosures and cybersecurity “standard of care” within publicly traded companies is not, however, limited to the SEC investigations and shareholder suits against the company, though. Joe Sullivan (Uber) and Timothy Brown (SolarWinds) are facing personal liability based on their role as the respective CISOs of those companies. While the facts are different in both those cases (see my analysis and follow up for more info), it as also been suggested that CEOs and Boards of Directors should be personally liable for liability stemming from cybersecurity failures if they failed to hire and supervise appropriate security personnel.
Most VCs will continue to be active in the entity post-IPO. They often continue to sit on the Board of Directors and provide C-suite guidance and advice. Boards now have an obligation to understand the cybersecurity risks associated with the entity and to actively participate in their management. In addition to ensuring the entity has the basics in place (see Solving the Puzzle of Legal Compliance: Prioritizing Digital Legal Compliance, with note that the article is far to the left of the IPO timeline), the Board itself needs to be informed and educated on cybersecurity matters, and understand the legal risks associated with the cybersecurity position of the company. Boards should consider specialists for this training and advisory role, lest the law catch up to hold them personally liable for intentional ignorance in this area.
Get Expert Help
VCs can benefit from expert legal advice on areas of cybersecurity, data protection, and responsible AI throughout the investment lifecycle. A good lawyer can partner with them to recognize value in the market, mitigate legal and compliance debt, and maximize the return on investment at exit time. If your legal team needs added expertise in the area of digital compliance, growth, and commercialization, reach out to Forstai Cyber Kinetics to see how we can work together.
ABOUT MATTI NEUSTADT
Matti Neustadt is an international legal advisor for areas of digital law. With experience in the U.S. and Europe covering privacy, cybersecurity, data protection and governance, artificial intelligence, and intellectual property, she focuses on business-centric practical strategies designed to meet current and anticipated legal and business requirements. In addition to her deep legal knowledge, she maintains expertise in operational compliance, data governance strategy, and incident response. She has worked for some of the largest and most well-respected technology companies in the world, developing legal and compliance solutions for consumer, enterprise, and critical infrastructure clients across the world and guiding clients through high-stakes security incidents.