Your organisation completes a takeover of a competitor as part of your mergers and acquisitions (M&A) activity. Two years later, the data protection authority fines your organisation for a cyberattack initiated on the acquired party’s IT system 17 months before your merger.
Is this a severe sanction? Perhaps. However, the UK Information Commissioner’s Office (ICO) has included specific M&A guidance in its recently updated Data Sharing Code of Practice, which suggests that this is neither illogical nor unfair. This article outlines key data protection due diligence recommendations for organisations undertaking M&A activities.
The Marriott International Inc personal data breach
In July 2014, an unidentified cyber attacker installed a piece of code known as a ‘web shell’ onto a device within the Starwood Hotels and Resorts Worldwide Inc network to enable remote access as a privileged user. The attacker then installed further tools to gather login credentials for additional users within the Starwood network and thereby export a database.
It is estimated that 339 million guest records (including 7 million in the UK) worldwide were affected. Personal data may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival / departure information, guests’ VIP status and loyalty programme membership numbers.
Marriott International Inc acquired Starwood on 31 December 2016 or 1 January 2017, but the attack remained undetected until September 2018.
On 30 October 2020, the ICO fined Marriott £18.4 million for the personal data breach.
The importance of due diligence
In light of this, it is important that purchasing organisations incorporate data protection considerations as part of their M&A due diligence. This should include:
- establishing whether the potential acquiree will be wholly absorbed within the purchaser or continue to operate as a defined entity (for example, as a subsidiary);
- establishing the applicable data protection regimes – the potential acquiree may process personal data in countries that the purchaser currently does not;
- establishing the purposes for which the potential acquiree originally obtained those data, and whether these purposes will be compatible with any purposes for processing subsequent to the merger;
- conducting a data mapping exercise and / or update to the record of processing activity (ROPA) in respect of such data, including in respect of envisaged data flows subsequent to the intended merger;
- conducting an assessment of the organisational and technical security measures that the potential acquiree has in place in respect of such data, and of the equivalent measures that will be required when the potential acquiree shares such data with the purchaser, to ensure that such data are not compromised, corrupted, or lost; and
- clarifying accountability in respect of roles and responsibilities for the personal data, such as Senior Information Risk Owner, Data Protection Owner, Information Asset Owners, Information Security Manager, Records Manager and / or equivalent, particularly where there is overlap in this regard between the purchaser and potential acquiree.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in respect of due diligence. We offer a range of data governance services. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. For more information, please feel free to contact our advisers, who would be more than happy to help.