When archives collide: managing eComms risk in pharma M&A
Pharma M&A due diligence often overlooks eComms data, and that gap can cost acquirers millions. Learn how communications due diligence can surface hidden compliance liabilities.
Written by a human
Communications data: the blind spot in M&A due diligence
The most expensive skeletons in a biopharmaceutical M&A aren’t hiding in the IP portfolio or the clinical trial data. They’re sitting in a WhatsApp thread nobody thought to audit.
Biopharma dealmaking is accelerating as the upcoming ‘patent cliff’ nears, a term coined to describe the sudden and sharp decline in revenue when a top-selling drug (or in this case, drugs) expires. Analysts estimate that by 2032, between $200 billion and $300 billion in annual sales could be affected by 2032.
Savvy buyers are already moving into the deal room. But while due diligence teams traditionally focus on IP portfolios and clinical trial data, past M&A failures have proven that the most expensive skeletons could be hidden in plain sight.
Electronic communications (eComms) data, such as internal chats, emails, and messages, are frequently overlooked in the rush to close. Failing to audit these digital conversations during the transition doesn’t just invite regulatory scrutiny; it leaves the door wide open for undisclosed liabilities to sink a deal.
Bottom line: don’t skip the eComms data
Consider a cautionary tale from 2022, when a multinational pharmaceutical company acquired a biotech subsidiary and, along with it, inherited a $60 million compliance liability that pre-deal due diligence hadn’t surfaced.
Inheriting a regulatory violation
The acquired company had engaged in improper financial relationships with healthcare providers—consulting fees and other financial incentives that influenced prescribing behavior and ran afoul of the Anti-Kickback Statute (AKS). The Department of Justice (DOJ) determined these arrangements had generated fraudulent Medicare and Medicaid claims. Once the deal closed, responsibility for those past failures transferred to the acquirer.
What made this avoidable wasn’t a failure of legal review or clinical data assessment but the absence of proactive communications monitoring. Internal discussions about financial arrangements with physicians, the kind that surface in emails, messaging platforms, and other business channels, can reveal compliance red flags that spreadsheets and data rooms won’t. Without a system to capture and review those communications before close, buyers assume risk they can’t yet see.
The lesson isn’t that acquirers need to distrust their targets. It’s that a thorough due diligence process now includes eComms data as a safeguard for both parties entering the deal.
Key risks in eComms data
Electronic communications are where compliance failures live before they become enforcement actions. In pharma M&A specifically, eComms data can surface:
- AKS and Stark Law violations: WhatsApp chats can reveal the ‘quid pro quo’ behind physician speaker programs or consulting agreements long before patterns emerge in payment records.
- False promotions and off-label marketing: Records of chat and collaboration channels can expose patterns of risky behavior by sales and marketing teams.
- HIPAA and data privacy breaches: In a rush to develop new products, researchers may take shortcuts or share protected health information (PHI) over unauthorized channels.
- Data integrity: Laws like 21 CFR Part 11 set specific standards for eComms data. Acquiring companies inherit liability for non-compliant archives.
During a merger or acquisition, pharmaceutical companies come under the microscope of major regulators including the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and the Food and Drug Administration (FDA). This is when the speed and scale of your compliance program is tested. For example, teams with thousands of employees, partners, and vendors across multiple jurisdictions can generate onerous bodies of communications data. That’s where eDiscovery and good data governance comes in.
The due diligence gap
Due diligence teams evaluate assets, but eComms data is treated as infrastructure: reviewed last, resourced minimally, handed off to IT. When the regulator comes knocking isn’t the time start paying attention to eComms data. You should be performing due diligence before and after the deal to properly safeguard against liability.
Pre-deal due diligence: Before a deal closes, compliance teams should be running targeted keyword searches on acquired communications data for high-risk terms—the same searches a federal investigator would run.
Post-deal integration: Post-close, the single highest-risk moment is the one most programs aren’t built for: day-zero ingestion. Getting legacy data from the acquired entity into your archive immediately upon closing before anything gets deleted, migrated, or lost in integration chaos is the difference between a defensible record and a gap a regulator will find before you do.
What is required for audit-ready eComms?
The patent cliff has shifted leverage toward buyers who show up prepared. That means decisions are made before you’re in the deal room:
- Establish a data map: Document every communication channel used across both organizations, including off-channel apps like WhatsApp or Slack
- Verify chain of custody on every data transfer: Inspect metadata and automate preservation to verify that all data transfers maintain original timestamps and sender identities
- Build for the footprint you’re acquiring: Ensure your eDiscovery and archiving infrastructure is built to handle the volume and complexity of your new data load
- Conduct proactive search audits: Run targeted keyword searches on acquired data for high-risk terms before the regulators do to make sure you know exactly what you’re inheriting
Global Relay helps pharmaceutical and life sciences companies capture, preserve, and produce eComms data across the full M&A lifecycle by centralizing legacy data and real-time communications into a single, immutable archive. Learn more about Global Relay’s eDiscovery solution.
