In 2016, Marriott International purchased Starwood Hotels & Resorts to become the world’s largest hotel chain.
But at no point during that $13.6 billion takeover did Marriott realise that it wasn’t only acquiring 11 new brands but also an unsecure guest booking system that had been exposing customer data for years.
Guests’ names, addresses, dates of birth, gender, passport numbers, rewards information and credit card details continued to spill out onto the web for two more years before Marriott was made aware of the breach.
By that point, 339 million guests had been affected, which would eventually lead to a £18.4 million fine from the ICO (Information Commissioner’s Office).
But that was only the start of Marriott’s problems. It was slapped with several class action lawsuits, its share price dropped 5.6% and it has become a case study in the dangers of acquiring compromised assets.
Whether you’re looking for help on your data controller or processor requirements, other aspects of the GDPR or general guidance on how to boost your information security practices, our Privacy as a Service package is ideal.
If you compare the Marriott incident with Verizon’s purchase of Yahoo in 2017, the benefits of cyber security due diligence are clear.
Verizon had originally agreed to purchase the firm for more than $4.8 billion, but that offer dropped significantly following a series of catastrophic data breaches, which affecting all three billion Yahoo customers.
But that wasn’t all. Verizon demanded that Yahoo contributed towards any future legal costs, as well as the cost of reparations arising from the breach.
Verizon would still have to foot the bill for overhauling an information security system that clearly wasn’t adequate, but it learned this before finalising the deal and factored it in to the purchase price.
Performing due diligence
The examples we’ve discussed here are two of the most high-profile cases of mergers and acquisitions that were affected by data breaches – but it’s an issue that all organisations, no matter their size, must consider.
After all, a National Cyber Security Centre Study found that 39% of businesses in the UK suffered a cyber attack in the past year. In many of those incidents, the victim lost money, data or other assets – and that’s without mentioning the reputational damage.
Yet, although organisations recognise the threat to their own organisation, they don’t place enough emphasis on it when performing due diligence.
Often, their review goes little further than asking whether the target is aware of any previous data breaches. Even the more assiduous organisations may only perform a cursory evaluation of the target’s GDPR (General Data Protection Regulation) compliance status.
This clearly isn’t enough. At the very least, you must:
- Perform your own privacy and cyber security risk assessment to review the target’s data, systems and supply chain arrangements.
- Review historic data breaches to evaluate the organisation’s past performance and identify whether improvements have been made. This information should be readily available, because the GDPR requires organisations to log all security incidents, not only those that that must be disclosed.
- Consider whether the current defence mechanisms are adequate. If you’ll need to spend significantly to bring the organisation’s data protection practices up to standard, you may wish to adjust the purchase price.
By completing these steps, you will have a strong understanding of your target’s cyber security background and avoid getting more than you bargained for.
If you want to learn more about how to perform cyber security due diligence, our experts are happy to help.
GRCI Law is led by a team of experienced lawyers, barristers, and information and cyber security experts, and we provide GDPR, data breach, data privacy management, and data subject access request support, as well as associated non-reserved legal services.