Despite a growing focus on cybersecurity in mergers and acquisitions (M&A), PayPal's acquisition of payment company TIO Networks has become a cautionary tale. In December 2017, TIO Networks disclosed that the personally identifiable information (PII) of up to 1.6 million of its customers may have been stolen, according to CBS News. While the breach wasn't through PayPal’s own systems, as the new owner of TIO Networks, the company is still liable.

The incident has come under investigation by the Pennsylvania attorney general’s office after PayPal notified the Bureau of Consumer Protection of the breach. While Pennsylvania is the first state to open an investigation into TIO Networks, it could potentially be far from the only state to do so. With any breach connected to an internet company that operates in all U.S. states, there is the possibility the company could come under 48 different state breach notification laws and 50 different state regulatory investigations.

But experts say that in PayPal’s case, such widespread investigations are likely to be rare, given the specifics of the breach. And even if multiple investigations were to occur, PayPal would probably have little difficulty in responding.

Jeff Poston, partner and co-chair of the privacy & cybersecurity group at Crowell & Moring, noted that whether states open their own investigations in any corporate breach largely depends on the extent of the incident. “I think each state will make its own determination, but if an incident is big enough in terms of the number of people involved and if the circumstances are egregious enough, it’s a fair bet you’ll have multiple states opening investigations,” Poston said.

He added, however, that given what is publicly known about the TIO Networks breach, it is unlikely PayPal will be contacted by numerous state regulators.
“I don’t mean to minimize the seriousness of this incident, but press reports say there are 1.6 million people involved, and in the scheme of things, that is not an enormous breach.”

Indeed, some recent breaches have compromised far higher numbers of consumers. The recent Equifax breach, for instance, may have affected over 140 million U.S. consumers. The company has since come under investigation by almost all state regulators.

But while there is always the possibility that dozens of states may open investigations into breached companies, it doesn’t necessarily mean the companies will need to respond to each one individually. “Depending on how many states take an interest in a particular case, frequently they will establish a committee of representatives from three or four states to coordinate [the investigations] for other states, and that is typically what happens in larger data breaches,” said Kevin Coy, a partner in the privacy practice at Arnall Golden Gregory.

He explained that states often form these committees to increase “their bargaining power” with the company in question and also to “make the process more manageable for all the parties.”

But even if states are not officially coordinating, Coy said, state investigations will have a level of influence on one another. “You can certainly expect that state AG offices will be potentially talking to one another in connection with investigation, whether they are coordinating through a committee or not.” He added that such communication may likely “influence state investigators’ document requests, just as part of the normal ebb and flow of the process.”

Poston added that though states often require breached companies to notify their local consumers of a breach, what states require in such notices is often “similar but not identical.
So oftentimes, what a company will do is just take the state with the most stringent requirement and draft a template around those requirements that would obviously comply with what those states involved have.”

But Coy cautioned that while numerous state breach notification laws “can be read in a higher common denominator way to address requirements, there are a couple of exceptions where information has to be conveyed a little differently.” He noted that in Maryland and North Carolina, for example, “there is the obligation to include specific contact information for the state attorney general’s offices in some cases, and sometimes this is done through separate notices.”

Yet even in those situations, companies still look to streamline and aggregate notification requirements. What is becoming common, Coy said, is for companies to include “a special note in the [notification] package saying if you’re a resident of North Carolina or Maryland you can also contact your state AG at this address.”