Privacy and data security in today’s mergers and acquisitions
Privacy and data security factors are central in today’s mergers and acquisitions (M&A) landscape. M&A exposes companies to elevated risk in numerous ways, but acquired databases have potential to provide enormous value to new owners.
Proactive cybersecurity and data privacy practices are strategically critical in the M&A context because of how costly a mistake can be. And conversely, good practices are an added value across a company’s potentially profitable data flows.
However, IBM found that less than half of companies conduct privacy and cybersecurity assessments before completing due diligence. Or, more simply put, data privacy and security practices aren’t adequately considered before the deal is done.
What happens when privacy and cybersecurity aren’t part of due diligence?
Almost every company today has data to protect. It might be consumer data, employee data, vendor or partnership data, or even proprietary information and trade secrets. Although companies that don’t collect consumer data tend to think they’re immune, that’s not the case.
The increasing number of data privacy and security regulations places even greater pressure on the due diligence process. While this is new to some organizations, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPPA) have regulated the finance and healthcare industries for decades.
When a company merges with or acquires a financial or healthcare company, new resources may need to be assigned to address all data privacy and information security requirements.
Because of the sensitive information collected in these industries, the review process should be extensive and major changes may need to be considered.
Additionally, regulators are more keenly attentive to companies’ privacy practices and statements. While this attention has been rising globally, it’s about to heat up significantly in the U.S. In 2023, five U.S. State privacy laws will be enacted.
Mergers and acquisitions in the headlines
A glance at news headlines confirms that numerous companies suffer from data breaches or other privacy and security incidents due to failing to fully assess and address privacy and cybersecurity risks during M&A.
Marriott’s 2016 acquisition of Starwood provides an example of the painful and expensive result of incomplete data security evaluations before acquisition. Years after purchasing Starwood for $13.6 billion Marriott discovered a 2014 breach into the Starwood database.
In 2019, Marriott spent $28 million in expenses related to the personal data breach. A year later, Marriott agreed to a $24 million fine for violating consumer protections outlined in the EU GDPR.
In addition to $52 million in expenses and fines, there’s also the cost of loss of trust due to the data breach and years of media attention about the legal ramifications. And calculating business losses due to distrust is complicated.
Yet the real issue is; once trust is broken, it’s difficult to repair.
Distrust could impact Marriott’s bottom line for many years to come.
How the U.S. will handle the 133 million consumer class action lawsuit against Marriott and Accenture (who ran IT for Starwood and the legacy system Marriott acquired) is undecided.
A Federal Judge ruled that the class action lawsuit against Marriott and Accenture may proceed with 45 million certified members of the action class in May of 2022. However, Marriott is appealing that decision.
Data privacy and cybersecurity are front and center in IoT acquisitions
As the Internet of Things (IoT) seems to appear everywhere you look, from cars to watches and thermostats, thousands of everyday objects continuously collect user data.
Arguably, the rise of IoT helped privacy advocates make data protection more mainstream and critical in the eyes of people who haven’t thought much about their data privacy.
For example, data protection was paramount in the 2019 Google acquisition of Fitbit for approximately $2.1 billion. Both companies made a point to note choice and data control in their announcements:
“Strong privacy and security guidelines have been part of Fitbit’s DNA since day one, and this will not change. Fitbit will continue to put users in control of their data and will remain transparent about the data it collects and why.
The company never sells personal information, and Fitbit health and wellness data will not be used for Google ads,” Fitbit expressed.
Google also further echoed its commitment to data privacy rights, “[Google] will give Fitbit users the choice to review, move, or delete their data.”
Yet in November 2022, a $392 million settlement was announced between 40 U.S. States and Google for violating consumer protection laws through data collection via the Google Maps App.
Deceptive practices such as unclear settings and controls reasonably feed consumers’ distrust of a company’s data privacy and security practices.
Data privacy advocates also recently raised concerns when Amazon acquired iRobot. Because Amazon already captures so much data through products such as Alexa devices and cameras, the added home mapping data could reveal significant information about data subjects.
Best data security practices for M&A
Poor data quality, privacy, and security practices decrease a company’s valuation.
The acquiring company must thoroughly assess and understand the level of risk the acquisition will put on the current organization from a privacy and cybersecurity perspective and what those consequences may be.
- What is the quality of the data? Does it add value?
- What about data security practices? Do they leave the acquiring organization open to risk? If so, this must be considered in the valuation of a company.
To avoid landing your company in a harmful situation, consider best practices for privacy and data security during the M&A process. Some are summarized below to get you started.
Pre-M&A planning and internal strategy/objectives
Assess and fully understand your data privacy program maturity level, data flows, information security practices, partners’ data inputs and outputs, and contractual obligations.
Even if the transaction is not focused on the data, all parties should consider how their privacy and data security posture could have a material effect on the proposed deal.
What to consider
What is your organization’s risk profile, and that of any potential transactional partners? Consider the risk profile in terms of actions that will alleviate risk concerns.
How will the new entity achieve relative regulatory compliance robustness?
How can the value and usability of any underlying personal data be maintained in the event of a data transfer?
Confirming compliance against regulations example
Has an M&A-interested party been assessed against the EU GDPR, which impacts most companies that handle EU resident data?
Have the same companies assessed or requested that their partners/vendors be GDPR-compliant?
What about the U.S. State laws such as the California Privacy Rights Act, Colorado Privacy Act, or Virginia Consumer Data Protection Act?
When considering M&A and fourth-party vendors and suppliers farther down the supply chain, it’s often necessary to consider global privacy regulations such as the China PIPL, Japan APPI, and Brazil LGPD.
The due diligence and pre-signing stages
At a minimum, all parties involved must evaluate their privacy notices for all products, services, and regions, whether covering mobile devices, a mobile application, an ad tech platform, or a marketing website.
Next, identify potential areas where they may implicate different countries’ domestic legislation, such as in the U.S., with the FTC Act § 5 covering unfair or deceptive practices.
Consider carefully your data security protocols, the bounds and monitoring of vendor relationships, and your employees’ personal data.
After M&A: Post-signing and post-closing
- Will a special regulatory review be necessary based on the publicly-traded nature of the parties, the proposed deal’s financial valuation, or because the transaction implicates a highly-regulated industry?
- Is any data adjudged to be either not related to the merged entity or overly sensitive and unwanted such that it will be intentionally excluded from the data transfers (and thus deleted, returned, or grouped)?
- How will the companies’ policies be revised and or combined?
- How will employee and HR records be integrated?
- Whose infrastructure will be used, and whose data will be ported in?
- Will any other regulators need to be notified?
Before you begin a merger or acquisition, partner with experienced experts that can assess the privacy and data security risks and help you attain the best possible deal – no matter what side of the table you’re on!
Map personal data and manage risk