IoT Due Diligence Concerns in M&A Transactions

More and more businesses are procuring or manufacturing network-capable devices in areas where dumb devices traditionally ruled. For example, smart HVAC systems phone home to maintenance providers over the internet when repairs are needed; smart light bulbs turn on and off based on employee activity in a specific area or through centralized control by maintenance staff over the internet; and even coffee makers allow employees to brew a single cup from their desks over the corporate network and pick it up when done. This network-capable revolution of devices has been called the internet of things (IoT). In addition to providing simple functional benefits, these devices also collect and process information about their surroundings, use, and other network-capable devices. They bring the promise of tremendous insight for product manufacturers and marketers due to the massive amounts of data about their users’ habits and preferences they collect but also bring with them a number of risks and potential liabilities that may not necessarily be obvious to business owners or potential acquirers. 
 
Acquiring these new technologies creates new areas of risk that some companies may not appropriately understand during the procurement process. For example, if your office manager purchases a network-capable coffee maker without following your company’s vendor management program and connects it to the corporate network, the company accepts an unknown amount of risk for as long as that device is in use. A recent study indicates there are currently 8.4 billion connected things in use worldwide, up 31 percent from 2016, and that number will exceed 20 billion by 2020.[1] It’s not just individual consumers who have become interested in IoT devices; businesses are on pace to employ more than 3 billion connected things in 2017.[2] Private equity firms and strategic buyers alike would be well-advised to consider the unique challenges presented by IoT devices and assess their impact on acquisition targets by incorporating more robust due diligence processes to ensure these risks have been identified and mitigated before closing.
 
Ask Questions About Adoption of IoT Devices
 
When preparing due diligence checklists for potential acquisition transactions, purchasers should ask questions about the target’s adoption of connected devices inside the corporate environment (including personal mobile devices and computers, fitness trackers, connected appliances, heating, air conditioning and lighting) and about how those devices were evaluated prior to procurement. Some companies may not even be aware their employees are using IoT devices to perform critical job-related functions. According to a recent study, “approximately 40 percent of U.S. consumers who work for large enterprises said they use their personally owned smartphone, desktop or laptop daily for some form of work purposes.”[3] Of those employees, only 25 percent are required by their employers to use those devices and, of the remaining 75 percent, almost half said they are doing so without their employers’ knowledge.[4]
 
The technology driving IoT adoption is rapidly changing and certain industries have adopted IoT devices without thinking through the potential liabilities associated with data breaches, secondary uses of data acquired by the devices and other issues. The 2014 Target data breach clearly demonstrated the risks posed by connected devices as it is widely believed the hackers exploited inadequate security measures in third-party software monitoring Target’s heating and air conditioning systems to access Target’s internal systems and steal over 40 million credit card numbers and other personal information related to some 70 million customers.[5] Asking questions about an acquisition target’s use of IoT devices, whether in critical business processes or in unintentional applications, can surface unknown vulnerabilities and sources of liability, which can hopefully be addressed proactively rather than attempting to calm a public relations frenzy after a data breach or privacy mistake has occurred.
 
Review and Evaluate Third-Party API Agreements
 
In addition to assessing potential IoT exposure for businesses generally, when looking at transactions involving IoT device manufacturers and distributors, prospective purchasers need to evaluate the target’s legal agreements covering third-party application programming interfaces (APIs). Reviewing the terms of the target’s API agreements is critical to understanding the business limitations associated with traditionally non-connected products that now rely upon these APIs for connected functionality. Let’s say you want to acquire a company that sells web-enabled cameras that allow the consumer to log on to a cloud service to view and record their child from anywhere in the world. To facilitate this service, the target’s cloud backbone is hosted by Amazon Web Services (AWS) and uses Facebook as an authenticator. In the event of an acquisition of this company, the purchaser would need to review the AWS agreement and the Terms of Service of Facebook authentication to make sure these services will remain available and the product would still function after the transaction.
 
Devices that Collect Health and Wellness Data
 
Purchasers of mobile app developers and device makers that collect, use or process health or wellness data should assess whether those devices comply with the Food and Drug Administration’s (FDA) “medical device” regulations. In 2016, the FDA clarified it does not intend to examine low-risk general wellness products, which include certain apps, devices, video games and other software programs.[6] In the applicable guidance, the FDA stated its view that the critical distinction between a “general wellness product” and a “medical device” is whether the product makes a medical claim. However, the FDA also stated it would not consider a device or product to be a low-risk general wellness product, and therefore the device would be subject to examination, if the device (i) is invasive, (ii) poses a threat to user safety if device controls are not in place, (iii) raises questions of biocompatibility or (iv) raises novel questions of usability.[7]
 
To the extent a device is deemed to be a “medical device,” the FDA has also adopted specific guidance on protecting medical devices from cyberattacks.[8] The FDA has indicated its desire to see device manufacturers boost their cybersecurity measures by incorporating a way to monitor and detect vulnerabilities into the products they make. The FDA also wants device manufacturers to establish a process for receiving information about potential issues from cybersecurity researchers, and if they do detect a vulnerability, the FDA wants the companies to assess the risk it poses to patients. In addition, the FDA wants product manufacturers to provide software patches to fix post-market issues that develop.
 
Conclusion
 
The widespread adoption of IoT devices in a large number of business and personal applications means the issues resulting from the use and adoption of IoT devices can surface in nearly every business, even if those businesses are not traditionally thought of as “technology-enabled businesses.” Prospective purchasers of businesses should strongly consider incorporating IoT-related issues into their standard due diligence processes to ensure these potential liabilities are understood and addressed before closing. For IoT device manufacturers and application developers, additional technical due diligence may be required to identify and assess the complex issues that may be implicated by novel products and use cases.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 
 
Nick Merker is a partner and co-chair of Ice Miller’s Data Security and Privacy practice. His experience is unique, as he is one of only a handful of DSP lawyers in the country who can say that they’ve worked as a computer systems, network and security engineer for 10 years before practicing law. Contact him at nicholas.merker@icemiller.com.
 
Eric Goodman, a partner with Ice Miller’s Business group, concentrates in corporate and securities law, with an emphasis on private equity and venture financing transactions. Contact him at eric.goodman@icemiller.com.
 
 


[1] See http://www.gartner.com/newsroom/id/3598917
[2] Id.
[3] See http://www.gartner.com/newsroom/id/2881217
[4] Id.
[5] See http://www.computerworld.com/article/2487452/cybercrime-hacking/target-attack-shows-danger-of-remotely-accessible-hvac-systems.html
[6] See http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm429674
[7] Id.
[8] See http://www.fda.gov/download/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022
