When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of almost 500 million Starwood customers, is a prime example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of used cars.
We are extending that idea to M&A activity. In any transaction between an acquiring company and a target company (the seller), there is asymmetric information about the target’s quality. While managers have long understood this idea, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality can be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon by seeking enough information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and the resulting government penalties, along with brand damage and loss of trust. That’s the situation Marriott is now managing. The company faces $912 million in GDPR fines in the EU, and its stock price has taken a hit. The trouble doesn’t stop there. According to Bloomberg, “the company could face up to $1 billion in regulatory fines and litigation costs.”
Marriott isn’t the only company in this situation. In 2017, Verizon discounted its original $4.8 billion purchase price for Yahoo by $350 million after it learned — post-acquisition — of the latter’s data breach exposures. Similarly, in April 2016, Abbott announced the acquisition of St. Jude Medical, a medical device manufacturer based in Minnesota, only to learn of a hacking risk in 500,000 of St. Jude’s pacemakers a year later, in 2017. Abbott ended up recalling the devices. Daiichi Sankyo, a Japanese firm, acquired Ranbaxy, an Indian pharmaceutical manufacturer. Daiichi Sankyo later went to court, alleging that the target company had misrepresented FDA safety compliance data to Daiichi (among other issues).
So what should you do about data lemons? You can simply make the deal anyway, particularly if the value created by the deal outweighs the risks. Or you can take the Verizon route and reduce the valuation post-acquisition. We advocate a third alternative: due diligence not just on the financials of the target company but also on its regulatory vulnerabilities throughout the M&A negotiation process. The idea is to identify potential data breaches and cybersecurity issues before they become your problem.
Finding the Problem Before You Own It
In this approach, we borrow from established compliance standards meant to protect against bribery and environmental problems. The acquirer would investigate the target firm’s past data breaches and require disclosure of prior data-related audits and any pending international investigations. The acquiring company would also conduct an assessment of the target’s policies and procedures regarding data protection — such as acceptable use of data, data classification, and data handling. The acquirer should also examine the target company’s compliance with cybersecurity frameworks from NIST, CIS, ISO, and the AICPA.
If any risks are found through due diligence, an acquirer should engage in a more intensive audit of the target firm’s policies. For example, does the target adhere to any data standards or certifications? (Examples include Gramm-Leach-Bliley and HIPAA.) Finally, due diligence should also include a review of the data-privacy requirements in third-party contracts.
Also, note that documents that change hands between the target and acquiring companies can themselves become sources of “data spillage” — the unintentional release of sensitive data. Hence both the target and the acquiring firm are particularly vulnerable to attack by hackers during the M&A due diligence process, sometimes through a hack of third parties such as banks, law firms, accounting firms, or third-party vendors involved in the M&A. It’s vital to increase the security of such data and to review the practices of third parties to reduce this risk.
Once You’ve Acquired a Data Lemon
Even if you’ve done all of the above, you may still acquire a data lemon. What should you do then? At this point, it’s vital to put in place an incident response strategy to address risks, whether legal, regulatory, or customer-facing in nature. Such an incident-response strategy needs to be quick and decisive, adopting a multidisciplinary approach, and the board should be brought in. Management of public relations and outreach to policymakers should be transparent. These are just the immediate steps. The acquiring company then needs to review the practices that led to the breach and identify measures to improve its data privacy compliance program in the future.