When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of almost 500 million Starwood customers, is a prime example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of cars.
We are extending that idea to M&A activity. In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality can be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust. That’s the situation Marriott is now dealing with. The company faces $912 million in GDPR fines in the EU and its stock price has taken a hit. The problem doesn’t stop there. According to Bloomberg, “the enterprise ought to face up to $1 billion in regulatory fines and litigation prices.”
Marriott isn’t the only company in this situation. In 2017, Verizon discounted its original $4.8 billion purchase price of Yahoo by $350 million after it learned — post-acquisition — of the latter’s data breach exposures. Similarly, in April 2016, Abbott announced the acquisition of St. Jude Medical, a medical device manufacturer based in Minnesota, only to learn of a hacking risk in 500,000 of St. Jude’s pacemakers a year later in 2017. Abbott ended up recalling the devices. Daiichi Sankyo, a Japanese firm, acquired Ranbaxy, an Indian pharmaceutical manufacturer. Daiichi Sankyo later went to court alleging that the target company misrepresented FDA safety compliance data to Daiichi (among other issues).
So what to do about data lemons? You can simply make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon route and reduce the valuation post-acquisition. We propose a third option: due diligence not just on the financials of the target company, but also on its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.
Finding the Problem Before You Own It
In this approach, we borrow from established compliance standards meant to guard against bribery and environmental problems. The acquirer would investigate the target firm’s past data breaches and require disclosure of prior data-related audits and any pending investigations worldwide. The acquiring firm would also conduct a review of the target’s processes and procedures regarding data protection — such as acceptable use of data, data classification, and data handling. The acquirer should also assess the target company’s compliance with cybersecurity frameworks from NIST, CIS, ISO, and the AICPA.
If some risks are found during the due diligence, an acquirer should engage in a more intensive audit of the target firm’s policies. For example, does the target adhere to any type of data standards or certifications? (Examples include Gramm-Leach-Bliley and HIPAA.) Finally, due diligence should also include a review of the data-privacy requirements in third-party contracts.
Also, note that documents that change hands between the target and acquiring firms can themselves become risks for “data spillage” — the accidental release of sensitive data. Hence both the target and acquiring firm are particularly vulnerable to attack by hackers during the M&A due diligence process, sometimes through a hack of third parties including banks, law firms, accounting firms, or third-party vendors involved in M&A. It’s important to increase the security of such data and review the practices of third parties to reduce such risk.
Once You’ve Acquired a Data Lemon
Even if you’ve done all the above, you may still acquire a data lemon. What should you do then? At this point, it’s important to set up an incident response strategy to address risks, including both those that are legal or regulatory and those that are customer-facing in nature. Such an incident-response strategy needs to be swift and decisive, adopting a multi-disciplinary approach, and the board should be brought in. Management of public relations and outreach to policymakers should be transparent. These are just the immediate steps. The acquiring firm needs to review the practices that led to the breach and identify measures to improve the data privacy compliance program going forward.