GDPR, Cyber and M&A
The UK Information Commissioner intends to fine Marriott Hotels £99,200,396 for a security breach affecting the Starwood Hotel chain, which it acquired in 2016. The security breach arose in 2014, before the acquisition, but was not identified until 2018.
The Information Commissioner has stated organisations must be accountable, and this includes “proper due diligence when making a corporate acquisition”. We consider the implications for M&A and the likely intensification of information security due diligence.
Has a fine actually been issued?
No. The Information Commissioner has just served a ‘Notice of Intent’, which sets out her intention to fine Marriott.
Marriott can now make representations to the Information Commissioner both about the decision to issue the fine, and the amount of the fine. The full details of the breach will only become public once that process is complete and the fine is issued.
Why such a large fine?
The fine will be issued under the General Data Protection Regulation. This provides for sanctions of up to 2% of group-wide turnover for security breaches and 4% for other types of breaches. The proposed fine is much larger than expected, much like the Information Commissioner’s earlier proposed fine of £183,390,000 for British Airways after its website was hacked last year.
The actual fine could be reduced as a result of Marriott’s representations, though the Information Commissioner’s position on the issue is uncompromising. In an interview in the Wall Street Journal she said:
“For a fine to be dissuasive against a company that has a turnover in this stratosphere, we have to provide the fine accordingly. This is not a small business. This is not a charity.”
Can my lawyers fix this for me?
Only partly. The due diligence process should already address cyber security issues. For example, most due diligence questionnaires will ask for details of security breaches, reportable personal data breaches and breaches of data protection legislation. That list is likely to expand in the future to include details of breach response plans, supply chain diligence and other compliance measures.
Where there is a known security breach, these questions should identify the issue early on and allow it to be dealt with appropriately in the deal documentation (see below).
However, this may not have helped with Marriott’s acquisition of Starwood, for two reasons. First, this was a public takeover, so Marriott’s due diligence would have been more limited. Secondly, and more importantly, the breach was not known about at the time and was only discovered two years later, so there would have been nothing to disclose as part of that diligence.
Who can help?
The best way to address this issue is through technical due diligence into the target’s systems. We have worked with a number of clients to commission specialist third party penetration testing or a technical security audit as part of an acquisition.
At the very least, the purchaser should ask for the results of any penetration testing or IT security audits already conducted by the target (and if the answer is “we haven’t conducted any”, that is a serious warning sign). It may also be useful to know if the target uses intrusion detection software and data loss prevention tools, as well as getting a better understanding of the operational response to the cyber threat.
Will technical due diligence spot everything?
The scope of this technical due diligence will vary. Many acquisitions take place under considerable time pressure with limited access to the target’s system. This means that due diligence may not spot all the vulnerabilities within, or breaches affecting, the target’s system.
This makes post-acquisition compliance assessment just as important as the due diligence carried out at the time of the acquisition. There are a number of reasons for this:
- Forgotten systems: From a practical perspective, there is a risk the subsequent transformation and integration results in some of the target’s systems being “forgotten about” and so becoming an increasing vulnerability over time.
- Time limits on warranties: Any warranty protection is likely to be time limited, so the purchaser will want to identify any potential security vulnerabilities in time to claim under those warranties.
From a purely regulatory perspective, the fact the pre- and post-acquisition due diligence doesn't actually spot a breach may not matter. The GDPR does not impose strict liability for breaches; rather it requires businesses to take appropriate measures to secure their systems. Therefore, so long as sensible data security due diligence takes place, and is documented, that will provide a powerful defence against any subsequent regulatory action.
What should I say in my deal documentation?
The answer depends on the type of deal. For private M&A, many purchase agreements will already contain warranties that the target has not had a material security breach or other material breach of data protection legislation. The purpose of these warranties is to flush out disclosures and, in the absence of disclosure, apportion risk for the breach.
We are likely to see greater attention on these warranties in the future, though it is not clear they are likely to change very much. For example:
- Awareness qualification: Many sellers seek to attach an awareness qualification to avoid liability for unknown breaches, but this is likely to be resisted for a wide range of reasons (not least because it creates an “ignorance premium”).
- Focus on materiality: There may be some interesting discussions about “materiality”. The Starwood deal was a $12 billion acquisition, so the £99 million fine is just under 1% of the deal size. Is that material?
More significant changes are likely to be seen where a data breach is disclosed. Historically, purchasers may well have ‘taken a view’ on those breaches and not sought any additional protection. It now seems likely that, for any moderately serious breach, purchasers will at a minimum want indemnity protection and, so far as possible, the breach to be remedied before completion. For more serious breaches, purchasers may want a price retention, reduction or might even decide not to proceed with the transaction.
Wasn’t Marriott a public takeover?
Yes. Marriott’s acquisition of Starwood was pursuant to a Delaware law-governed merger agreement between two publicly-listed entities. As Starwood was a U.S. public entity subject to mandatory disclosure requirements, Marriott may have relied on existing SEC disclosures of material issues to a large extent and conducted a more limited due diligence process directly with the target company. Marriott did not obtain warranty protection directly addressing data security breaches in the transaction’s merger agreement but, even if it had, it is unlikely this would have allowed for recovery of losses post-closing given this was a public takeover, although it may have helped to identify the target’s security gaps.
Data security may be more of a focus in future public takeovers, but there will normally be less post-closing protection available compared to a private acquisition. This means that focused and detailed due diligence early on in the transaction and post-acquisition review of the target’s data security will be the primary means to avoid, or at least minimise, liability for security breaches.
Does this apply to other types of data protection breaches?
Both the Marriott and the British Airways fines were for security breaches. However, the Information Commissioner has said there are a further 12 fines expected over the summer. This will provide some indication as to whether other types of breaches under the GDPR will attract a similar sanction.
For the time being, it would be sensible to assume that GDPR compliance is a material risk for any consumer-facing organisation. However, conducting detailed due diligence into a target’s wider GDPR compliance is challenging for a number of reasons:
- Time and cost: The scope of data protection legislation is extremely broad. This means that detailed due diligence into the target’s processing, policies and procedures will rapidly expand into a GDPR mini-audit. This is potentially extremely costly and time-consuming, and would require significant co-operation by the target.
- Issues, issues, issues: The process is likely to reveal a large number of areas of potential non-compliance, given the broad, principle-based framework within the GDPR. Sorting through those issues to work out which are material, which can be remedied before exchange, which require indemnity protection, etc. is likely to be an involved process.
Is there anything else I should think about?
This article focuses on due diligence into a target’s data security measures and substantive compliance with the GDPR. However, data protection law has a number of other implications for M&A deals. For example:
- Disclosure during due diligence: Sellers need to think carefully about what personal data is disclosed as part of the due diligence process. Appropriate steps should be taken to anonymise or pseudonymise personal data. Bidders should be subject to appropriate non-disclosure agreements, and data processor contracts should be put in place with those providing online data rooms. Additional issues arise where bidders are based outside the EU.
- Business sales: Additional complications arise where the acquisition takes place by way of business or asset sale (rather than share sale) as this involves the disclosure of personal data by the seller to the purchaser. This raises a range of concerns, particularly in relation to marketing consents.
- Transitional service agreements: Where the deal requires a transitional services agreement, you need to consider the context in which each party processes personal data and, where relevant, impose data processor terms on the supplier.
The Information Commissioner’s statement on the Marriott fine is here. The actual fine is likely to be issued in the next couple of months.
By Rich Jones