Assessing M&A Risk through GDPR Due Diligence

Due Diligence and M&A: getting under the bonnet of a Target


Anyone who has been through an M&A process will tell you that merging the organisations is only the first hurdle. Without good post-merger management the combined enterprise is likely to become a Frankenstein's monster whose whole is far less than the sum of its parts, or at worst to fail entirely.


Amongst the risk factors is incomplete due diligence covering security and data protection. This can jeopardise the primary objective of the M&A activity, i.e. the creation of an efficient organisation with a better margin and higher profit than the original organisations, because failure to meet regulatory data protection requirements can attract significant financial penalties, as well as reputational damage with long-lasting impacts on revenue and customer loyalty.


The GDPR focus on Data Security


Security and data protection go hand in hand, and with the advent of the GDPR there is a laser focus on the application of personal data protection principles and data subject rights. Under the 1995 EU Data Protection Directive, the maximum fine applicable for a data breach was £500k, and whilst this was not insignificant, it was unlikely to be a major deterrent when compared to the total value of the merger or acquisition activity. However, with the introduction of higher fines (up to 4% of an organisation's annual global turnover), understanding a Target's level of compliance and minimising the potential financial risk is now essential.


Undocumented or undetected historic data breaches are a significant risk


As an example, take the Information Commissioner's Office (ICO) intention to fine Marriott International almost £100m for the loss of approximately 400 million user records after a cyberattack. This fine followed hard on the heels of the ICO confirming plans to fine British Airways £183m for a hack that exposed the personal data of half a million of the airline's customers. The key difference between the two incidents was that the Marriott fine related to a data breach against the reservation database of Starwood, a rival hotel group that Marriott acquired in September 2016. The breach began in 2014, both pre-GDPR and prior to the acquisition, but the penalty notice was based on the GDPR since the breach was only discovered on 8th September 2018, over three months after the GDPR became enforceable. Again, this underlines the risk of failing to undertake thorough due diligence.


Are Data Breach fines inevitable?


The Marriott breach and subsequent penalty notice raise several questions. First, are we saying that data protection focused due diligence would have discovered the breach, prevented the fine, and enabled Marriott to seek compensation or indemnity in relation to the breach, or even to reconsider whether to proceed with the acquisition? And secondly, does a breach that occurred prior to an M&A activity potentially make the acquirer liable for that breach if it wasn't discovered and an indemnity had not been agreed?


In order to answer these questions, let’s look at what happened.


What went wrong?


Details regarding the Marriott breach are incomplete, but it was detected when a security tool flagged an unusual database query, apparently from a user with administrator privileges. The tool was monitored by Accenture, who had been running IT and InfoSec for Starwood both before and after the acquisition. Whilst it was well known that Starwood's reservation systems were "difficult to secure", the situation was compounded post-acquisition by the dismissal of the majority of the Starwood corporate technology and security staff, with the Starwood reservation system remaining in use for two years with limited continuity of care.


Encryption of credit card details was in place, but unfortunately the encryption keys were stored on the same server as the encrypted data, and the majority of the passport numbers were stored as plain text. Although the attack did not appear to be financially motivated, in that no data subjects appeared to have suffered a financial loss or any legal implications, Marriott did not offer compensation for stolen data. Instead they offered to pay for a new passport or to cover credit card expenses if fraud had taken place. Whilst there is no evidence, as of writing, that personal details have been put up for sale on the dark web, it is reported that the manner and methods used by the hackers indicate they may have been employed by the Chinese intelligence services, a theory supported by Marriott being the top hotel provider to the US government and military. Passport numbers could potentially be used to track people's movements around the world, which might cause many impacted individuals significant concern.


What could have been done differently?


So, to answer the earlier questions: although due diligence would not have discovered the breach itself, as that required a detailed technical investigation, it could have identified failings in Starwood's systems and processes, raising a red flag during the M&A process at the very least. This would have allowed adequate legal protection to be put in place and informed post-acquisition security activities, mitigating liability for the breach that occurred both before and after the purchase.


In addition to the ICO fine, there is potential for penalties to be levied in other jurisdictions. Multiple class action lawsuits have already been filed against Marriott and Accenture, and with a six-year limitation period there may still be more claims to come. Whilst the compensation to individuals may be limited, and even the substantial penalties levied may not significantly impact Marriott, indirect losses from lost custom could see billions of dollars of revenue lost in the coming years.


Avoiding problems from the start


In summary, the addition of GDPR due diligence could save an organisation significant money and reputational damage and eliminate an avoidable risk. The Midaxo M&A GDPR Runbook offers data protection professionals and non-professionals alike a clear, repeatable, and efficient process for assessing compliance with the GDPR, establishing where there are gaps against the regulation and where potential risks might lie. Going further, the use of a data management tool like AiM's dataBelt® allows the acquirer to understand the Target's data landscape, building a picture of not only personal but all business data, to fully understand the value of the data held and the benefits and possible issues associated with the M&A activity.


For more information on the Midaxo M&A GDPR Runbook, please contact us here.