Transition Service Agreements: Don’t Forget the Data!

The Transition Service Agreement (TSA) is the oft-neglected agreement in an M&A transaction. Parties tend to focus on the services the divested entity will require from the seller (Forward TSA Services) or the services the seller will require from the divested entity (Reverse TSA Services). In connection with these services, the entity providing services (Service Provider) may provide access to and use of its: (a) proprietary and third-party IT assets (eg, IT systems, tools, software and equipment); (b) employee, customer and vendor data; and (c) other confidential or sensitive information. The Service Provider also may receive access to and use of IT assets, data and other information of the entity receiving the services (Service Recipient).

Because TSAs are just one component of the overall M&A transaction, TSAs typically either do not include, or include minimal provisions for, indemnification, warranties, service level agreements, business continuity and disaster recovery, and data protection and information security. While the parties may be willing to assume potential risk, they need to recognize that the post-closing relationship between the seller and the divested entity, from a data protection and information security standpoint, is akin to an outsourcing relationship. Once the transaction closes, the divested entity is no longer a group company, but a third party, even during the transition period – and there are numerous countries with data protection laws requiring consent to the disclosure of personally identifiable information (PII) to any third party.

Although TSAs generally have confidentiality provisions, these are rarely sufficient. Depending on the type of data being shared, it may be important to include other requirements around the protection, collection, use and disclosure of data, such as (a) industry-specific laws (eg, financial services); (b) terms in the parties’ privacy policies; and (c) contractual obligations with other third parties providing PII.

Data Privacy and Security

Before beginning to draft and negotiate a TSA, the parties need to understand: (a) the services to be provided; (b) how the services will be provided, including access to or use of systems, facilities or data; (c) what data will be created, disclosed and/or modified; (d) the terms on which such data was collected; (e) integration or development required; (f) the flow of data and information between Service Provider and Service Recipient; (g) the legal entity(ies) performing services as Service Provider (which may vary depending on the service), including the identity and responsibility of all subcontractors and the jurisdiction where they will be performing such services; and (h) the legal entity(ies) receiving services as Service Recipient (which may also vary), including the identity and responsibilities of all subcontractors.

For example:

  • What is the nature of the data and information being accessed or used – eg, any PII of employees? Customers? Confidential or sensitive information?
  • How will each party access and/or use the other party’s data and information?
  • What is the scope of the consent already received, if any, for collection, use and disclosure of such PII?
  • What is/are the location(s) from which data and information may be accessed or transferred? (EU? Massachusetts?)
  • Which entities may access and/or use data and information (affiliates, subcontractors, etc)?
  • Will any of the entities also need access to and use of the parent company’s IT assets during the transition?
  • What practically needs to happen in order for the transition to be completed? Will knowledge transfer or other cooperation be needed?
  • How will the parties provide for return or destruction of data or information?
  • Will any data be provided in connection with services or license agreements between the parent company and third parties? If so, how may the terms impact the TSA? Will any licenses or leases need to be transferred? If so, will any third-party consents be required?

Access Controls; Encryption of Data

Once the parties understand which entities will receive access to data and information, each party will need to ensure that the other party (and its affiliates and subcontractors) with such access implements the necessary technical access controls and other data protection measures, such as firewalls, data encryption, secure VPN access, secure file transfer protocol (Secure FTP) and anti-virus/anti-malware software.

Other Contractual Protections

Depending on the data and information being accessed, the parties also may wish to include contractual terms around physical access restrictions and data security, such as: (a) narrowly tailored access grant/license terms (for access to data and/or IT assets); (b) approval process/satisfaction of conditions precedent before grant of access; (c) key personnel, ethical wall, employee screening and other personnel-related requirements; and (d) strong confidentiality requirements, warranties and indemnifications.

Although TSAs involve a great deal of complexity and case-specific analysis, the parties can get ahead of potential data privacy and security issues by drafting the TSA strategically so that it more fully and accurately covers their new relationship.
