Data privacy, cybersecurity, and data breach risks are important due diligence issues in mergers and acquisitions. Discovering data breaches during an M&A deal can terminate the deal or cause delays and added costs. It is very common to discover security problems, and sometimes breaches, after the acquisition. According to one report, more than a third (40%) of acquiring companies engaged in a merger and acquisition transaction said they discovered a cybersecurity problem during the post-acquisition integration of the acquired company.

Data breaches can lower a deal’s valuation. A recent example is Verizon’s acquisition of Yahoo, which closed in 2017. After Yahoo’s disclosure of two massive breaches in previous years, Verizon cut its offer by $350 million. Also, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches. Yahoo also paid a $35 million penalty to settle securities fraud charges alleged by the U.S. SEC and an additional $80 million to settle securities lawsuits brought by unhappy shareholders.

Sometimes a lot of risk is inherited during M&A deals. Marriott announced that cyber thieves had stolen data on approximately 500 million customers. The breach occurred on IT systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.

Recent M&A security breaches that made the headlines include Court Ventures/Experian, Viator/TripAdvisor, Staminus/StackPath, Yahoo/Verizon (merger), Women’s Health Care Group of PA (merger), multiple companies acquired by Equifax, Whole Foods/Amazon, TIO Networks/PayPal, Uber/SoftBank (sold a stake), Bongo International/FedEx, MyFitnessPal/Under Armour, Starwood Group/Marriott, and FitMetrix/MindBody.

One thing we have to remember is that breaches will happen. How we prepare for them is what matters. Due diligence during M&A deals can help mitigate risk. Companies considering an acquisition or a merger should fully investigate and identify the particular cybersecurity and data privacy risks and liabilities posed by the transaction. Here is a good paper from Illumio that covers a few of the challenges and how to address them.