Q&A: Managing Data Privacy and Cyber Security Risks for Private Equity Funds
Sharon R. Klein (CIPP/US), a partner in the Corporate and Securities Practice Group of Pepper Hamilton and the chair of the firm's Privacy, Security and Data Protection practice, participated in a Q&A discussion with Financier Worldwide on "Managing Data Privacy and Cyber Security Risks for Private Equity Funds." Below is an except of the discussion.
Financier Worldwide: Could you provide an overview of the types of risks facing private equity fund managers in terms of their data privacy and cyber security protocols? Why makes the data held by fund managers particularly attractive?
Ms. Klein: Private equity firms collect and hold data from a variety of sources, including limited partners, firm employees, portfolio companies, investment targets, counterparties and vendors. This diversity makes their data particularly attractive. And fund managers face a number of risks related to this data. There’s an investment risk if their portfolio companies don’t comply with privacy and security regulations because that would have a great impact on the return of the PE firm’s capital investment. There’s also legal risk because of increased scrutiny from the SEC and other regulators and more class actions and regulatory enforcement actions. Funds also face reputational risk if the government, or target or portfolio companies have questions about the privacy and security of personal information entrusted to the funds. Finally, firms face operational risk when trying to manage a privacy and security program in an effective and cost-efficient manner. This cost may be shared across a family of funds if centralised privacy and security measures are in place. The Ponemon Institute estimated that a breach in the financial services sector would cost $217 per record. For example, for Target’s 110 million records breached, the costs would be substantial enough to put a fund out of business.
Content contributed by attorneys of Troutman Sanders LLP and Pepper Hamilton LLP prior to April 1, 2020, is included here, together with content contributed by attorneys of Troutman Pepper (the combined entity) after the merger date.