Turning Lemon Data Into Lemonade-Cybersecurity and Data Privacy Counts in M&A Transactions

Mergers and Acquisitions (M&A).  M&A is a general term that refers to the consolidation of companies or assets through various types of financial transactions. It’s how a lot of businesses grow and expand. When one business (the acquirer) looks to purchase another (the target), there is always some sort of valuation of the target.  Different aspects can affect the target’s purchase price. Generally, the acquirer and the target determine the purchase price by multiplying the target company’s earnings before interest, taxes, depreciation, and amortisation (EBITDA) by an agreed-upon multiple. However, many things can affect the final purchase price, including the target company’s assets and liabilities, which impact the target’s future cash flows even though they do not necessarily affect its EBITDA.

Nowadays, a company’s data can vastly affect its value.  In fact, data has become a commodity; the new “oil,” if you will.  Just as with any commodity, there are factors that affect its value.  Almost two years ago, XPAN wrote a blog post about cybersecurity due diligence in M&A transactions. However, true due diligence in today’s world must also include a component of privacy due diligence. With data privacy laws surfacing domestically (the California Consumer Privacy Act (“CCPA”) as a prime example) and abroad (the European Union’s General Data Protection Regulation (“GDPR”), which went into effect last May), it is not just what data is collected but how the data is collected that will affect its value.  More than that, if an acquirer takes on the assets and liabilities of the target and the data was not collected in a compliant manner, then the acquirer has basically bought only a liability.

The Harvard Business Review just issued an article entitled “Don’t Acquire a Company Until You Evaluate Its Data Security”.  The HBR likened purchasing “bad” data to acquiring a lemon, citing the example of the Marriott International-Starwood acquisition, where Marriott had no idea about the Starwood data breach and ended up with $912 million in GDPR fines related to Starwood’s breach.  So how do you even start to address cybersecurity and data privacy due diligence in an M&A transaction?

First, THINK ABOUT IT.  Do not wait until the end, right before pen meets paper, to consider cybersecurity and data privacy.  It should be one of the first considerations.  Second, don’t think that just because you are an M&A attorney you understand the nuances of cybersecurity and data privacy. This is a complicated area of law that intersects directly with technology.  You need to understand both to be truly effective. You should bring in your “special forces,” your SEAL team, to address this complex and ever-changing area of due diligence.

Third, as you get “into” the due diligence, you need to review the target’s cyber maturity.  Does it have a breach/disaster response plan? Are there written policies and procedures that address cybersecurity and data privacy?  Does the target actually practice what it preaches in those policies? What does the target’s privacy policy look like? Has the target completed a data map or data categorization? Does the target have a vendor management program?

The target company’s third-party vendors are another area of potential issues.  We have all heard the story about the Target breach: it was the result of an HVAC vendor.  Consider how the target vets its vendors to determine the risk factors that exist from those third parties.  And it is not enough to just consider how the target vets its vendors; you should review the due diligence on those vendors yourself. In other words, you need to look at both the target and the target’s vendors to get an accurate security perspective. Part of a review of the vendors must include an assessment of their incident response capabilities. Properly vetting the target’s vendors must be part of all good cyber due diligence, but you also need to consider the target’s own incident response capabilities.

Finally, what are the target’s data collection practices?  Has the target considered which data privacy regulations apply to it, or is it just hoarding data with abandon? Cybersecurity and data privacy are a key piece of any M&A transaction.  Examine the pertinent information and make an informed decision. Fail to do so, and you will suffer the potential liability and regulatory fines that come with buying a lemon. Good cyber and privacy due diligence can help turn a lemon into lemonade by reducing the purchase price or segmenting the target’s business to avoid purchasing the lemon data.  Creativity in an M&A transaction can only come from knowing the facts, and that includes the data security and privacy issues the target may have. And remember, in M&A transactions, just as in all issues involving cybersecurity and data privacy, luck favors the prepared!

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.