This article has been written by Saswata Roy, pursuing the Diploma in M&A, Institutional Finance, and Investment Laws (PE and VC transactions) from LawSikho.

Introduction

The most common reason for any Merger and Acquisition deal is value creation and significant value addition for the acquirer. However, M&A can be a very risky and complicated process containing a variety of steps, ending with Post-Merger Integrations (PMI).  PMI, even though the last step, is an important step in an M&A deal. The success of PMI determines the success of the whole deal. 

Among various issues that need to be considered before finalising an M&A deal, data protection or privacy issues of the target company have emerged to be the most important ones. It is also the most overlooked issue, especially in the earlier stages. In an M&A deal, the acquirer also acquires the virtual information of the target company including customer information, online websites, etc. Thus, they acquire even the cybersecurity risks that come with the target company. Since due to the Covid-19 pandemic, M&A is being managed virtually, cybersecurity concerns are on the rise. A recent survey by Deloitte reported that data protection in a target company is one of the key issues in consideration while going forward with an M&A deal. 

Data privacy concerns have to be taken seriously in M&A deals, following the data breaches as seen in Marriott International-Starwood Hotels and Verizon-Yahoo deal. These breaches not only lower the valuation of the acquired company but open the door to potential lawsuits and other liabilities in the form of fines imposed by regulators. 

Cyber security issues

Data breach in a target company can lead to depreciation of the value of the company and can even lead to the whole M&A deal being called off by the acquirer. The problem is much bigger when such data breaches are discovered post-merger. The acquirer has to face all the liabilities in the form of various lawsuits. This is quite common as found out by West Monroe in 2016 through a survey where 40% of respondents replied that data security breaches were discovered after the deal went through. Vulnerable security not only leads to breaches of customer data but hackers can also steal trade secrets and IP. Such breaches can either damage the target company prior to the merger or the acquirer company after the merger. 

Marriott International acquired Starwood Hotels in 2016. In 2018, Marriott became aware of a security breach of the Starwood server. Further, investigations revealed that the Starwood network had already been compromised back in 2014. The credit card and passport information of millions of customers had been stolen. This was a result of improper due diligence on the part of Marriott prior to the M&A deal. After the deal was closed, Marriott failed to integrate the network of Starwood Hotels with their own which, if done, could have prevented the breach. Several class-action lawsuits were filed against Marriott and were also fined £18.4 million for violating General Data Protection Regulation.

In the case of the Verizon-Yahoo deal, massive data breaches of Yahoo were discovered by Verizon before the deal was finalized. Such discovery resulted in a US$ 350 million reduction in the purchase price. Yahoo also had to settle lawsuits to the tune of US$ 80 million that were bought due to such breaches and pay a fine of US$ 35 million as imposed by the U.S. Securities and Exchange Commission.

In most cases, parties look into data privacy issues in the post-merger stages, however, this is an unnecessary risk on the part of the acquirer as potential risks in data security which if discovered in pre-merger stages would have served as cost avoidance or cost savings. Discovery of these issues in the post-merger stages when the deal has already gone through leaves the acquirer in a bad position where the acquirer has to spend money to rectify the data privacy issues.

Compliance with privacy laws

Privacy laws have evolved over time and non-compliance with such laws attracts fines and the risk of vulnerable security. There are stringent privacy laws present across the world that deal exclusively with issues of data privacy and cybersecurity like the General Data Protection Regulation (GDPR) in Europe, or the California Consumer Privacy Act (CCPA) in California. These laws also focus on data security issues post-merger. In India, currently, there is no such law but the Personal Data Protection Bill, 2019 which has yet to become an Act has been made following the blueprint of the General Data Protection Regulation. The Bill will bring about various changes in the privacy policies of companies by implementing rules regarding the privacy of customer data and their confidentiality. 

Till then, data protection in India is regulated by various Acts and regulations like Section 43A of the Information Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. They lay down provisions regarding punishment for negligent maintenance of sensitive personal data, acquiring consent from consumers before utilizing their data, etc. 

According to RBI’s Framework for Storage of Payment Systems Data, entities in the Payment Sector have to store consumer data locally; they can transfer such data abroad by following certain conditions such as the data can be transferred only for 24 hours and the foreign entity to which such data was outsourced has to undergo an audit. Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides for rules regarding cyber security issues. 

Non-compliance with privacy laws is a critical issue in M&A deals. If such non-compliance is not discovered before the deal, the liabilities arising afterward will have to be taken up by the acquirer. The liabilities can be in the form of imposition of huge fines and potential lawsuits. Back in 2010, Disney acquired Playdom, an online social network game developer for US$ 563.2 million. In 2011, Playdom was charged with violating the Children’s Online Privacy Protection Act (COPPA). These violations happened between the period 2006-2010. The Federal Trade Commission ordered Playdom, which had become a subsidiary of Disney to pay a fine of US$ 3 million. 

Issues arising in the post-merger integration step

In the post-merger integration stage, huge data is transferred from the target company to the acquirer. The IT sector is responsible for integrating the data of the target company and securing such data. While doing such a task, it becomes important to comply with regulatory and privacy laws.

Due to weak or no data privacy due diligence pre-merger, most of the complications in the form of vulnerable security or breaches are discovered in this stage. It then becomes the headache of the acquirer to improve the security and take additional steps to comply with the local laws. This becomes a burden for the acquirer which could have been solved with proper due diligence.

Other than already existing cybersecurity issues and non-compliance of privacy laws, various issues arise in the post-merger integration stage. Since data security in most cases is an afterthought, the absence of any strategy to seamlessly integrate information of the two entities leads to potential security risks and compliance issues. Internal security threats should also be considered a possibility where current or former employees pose a threat; the absence of proper identification and authentication process leads to security breaches. 

Steps to mitigate data privacy concerns

There are certain steps to mitigate the data privacy issues that arise during the M&A deals:

1. Due diligence 

This is the most important procedure before an M&A deal is finalised. The acquirer needs to give similar importance to cybersecurity issues in due diligence as in other issues. The acquirer should examine the target company’s privacy policies, compliance issues, past data breaches, if any, data security and confidentiality mechanisms, etc. It is also important to consider the target’s contract with third parties such as suppliers and whether there are any privacy-related issues. The reason behind giving such importance to data privacy due diligence is that the acquirer comes to know about potential data liabilities that might occur in the future. Due to proper due diligence, Verizon was able to find out about prior data breaches of Yahoo which resulted in a reduction of the acquisition price.

2. Representation and warranties and indemnities

During the negotiation stage of M&A deals, it is important to include warranties from the target company that they will indemnify against any future unforeseeable breach that might occur post-merger, and such should be included in the M&A agreement. Representations and warranties help acquirers in protecting themselves against any privacy breach that might occur to the target company. In case such breaches occur, it will be upon the owners of the target company to pay off the liabilities. The acquirer may also anticipate data breaches considering the industry to which the target company belongs and may provide for indemnity against the same.

Conclusion

Cybersecurity issues have become one of the most critical issues to be considered in an M&A deal. In the M&A of tech companies, consumer information is one of the assets that is acquired by the acquirer. A breach in such drives down the value of the company. However, data privacy issues are not only the headache of tech companies but of every other company. One has not to look further than the Marriott International-Starwood Hotel deal to see how cybersecurity issues can affect a company. During the pandemic situation, where most of the M&A deals are taking place virtually, the acquirer has to put in extra effort in privacy due diligence in order to close the door to potential liabilities in the form of lawsuits, financial repercussions, and loss of goodwill.

References

• https://www.logic2020.com/insight/data-privacy-in-mergers-and-acquisitions
• https://www.infosys.com/iki/insights/data-privacy-mergers-acquisitions.html
• https://www.nixonpeabody.com/en/ideas/blog/data-privacy/2020/07/28/data-privacy-and-merger-considerations

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: