PONT Data&Privacy


Why does privacy matter in mergers and acquisitions?

In many mergers and acquisitions (M&A), the topic of "privacy" previously played little or no role. Since the introduction of the General Data Protection Regulation (AVG, or in English: GDPR) and after some privacy scandals in acquisitions, privacy has become a "hot topic" in M&A land as well. This article explains why privacy is important in mergers and acquisitions and what the privacy concerns are.

27 February 2019

What if privacy goes wrong in a merger or acquisition?
It is easy to underestimate the importance of privacy in a merger or acquisition, but if it goes wrong, it can result in high costs and losses for both the seller and the buyer.

According to a 2018 IBM annual study, the cost of a data breach (a security incident in which, for example, personal data was lost, or accessed by unauthorized persons) increased by 6.4% from the previous year, to an average of $3.86 million per data breach. There is also a category of "mega breaches," where 1 to 50 million files of personal data have been captured and the cost is estimated to be between $40 million and $350 million.

A data breach during or after a merger or acquisition
If a data breach occurs before, during or after a merger or acquisition, it can have a major impact on the value and reputation of the company that is being acquired or has been acquired. This is bad news for the seller, who may get much less money for the company because its value has decreased.

But a data breach can also be painful for a buyer. If, for example, a data breach at an acquired company is discovered after an acquisition, the new owner faces the adverse consequences of a data breach, such as reputational damage, a lower share price, customers walking away, damages to be paid, investigations by privacy authorities (in the Netherlands: the Autoriteit Persoonsgegevens) and possible fines or settlements.

What we can learn from the TripAdvisor and Yahoo acquisitions
TripAdvisor and Yahoo! experienced these drawbacks first-hand in acquisitions in which they were involved.

TripAdvisor had acquired a company, and shortly thereafter it was announced that there had been a major data breach at the acquired company. TripAdvisor shares fell 4% in one day on this news.

In 2016 it was revealed, during an acquisition process with Verizon, that Yahoo! had concealed a previously discovered data breach from 2013 and 2014. This was possibly the "largest data breach of all time," in which the personal data of more than 1 billion people had been stolen.

This concealed data breach directly impacted the previously agreed-upon $4.83 billion sale price, which was reduced by $350 million. The then CEO of Yahoo!, Marissa Mayer, missed out on a multi-million dollar bonus and had to step down after the acquisition. The buyer, Verizon, also paid half of the settlement costs of $50 million. All in all, this was quite a "takeover horror scenario" for Verizon.

Intentionally concealed data breaches difficult to detect
These examples underscore the importance of proper privacy and cybersecurity due diligence before buying or selling a business. Of course, not all risks can be eliminated, as (intentionally) concealed data breaches are difficult to detect. Contractual warranties and indemnities can cover these risks to some extent, but they provide no comfort against reputational damage, customer walkouts, fines and settlements. So it is in the interest of both seller and buyer to do everything possible to avoid such surprises.

Privacy matters in all 5 phases of an acquisition
Privacy, as well as cybersecurity, matters in all phases of a merger or acquisition. Below are some privacy questions for each phase that you can ask during any proposed merger or acquisition:

  • Market and buying strategy
    Privacy is already important when determining the buying strategy. Before you get to due diligence (bookkeeping), it is important to know what the buyer ultimately wants to do with the seller's personal data. Does the buyer want to take over customers or employees or not? What role do personal data have in the buyer's growth strategy?

  • Selection of suitable vendors
    Based on what criteria do you choose the companies to be acquired? What do you want to do with the personal data this company has? What reputation does this company have with regard to handling personal data and (information) security? Is it a stock transaction or an asset-liability transaction? In a stock transaction, the company itself is not being sold, only the shares in the company. This ensures that the data controller - within the meaning of the AVG - remains the same. In an asset-liability transaction, on the other hand, the controller will change after the transaction. The buyer then automatically assumes the obligations of a data controller once the personal data has been transferred. The seller and buyer must then work well together to meet these obligations.

  • The due diligence phase
    How does the company handle personal data, including during the due diligence phase (setup of data room)? Are the required privacy safeguards and security in place? Does the 'paper' reality from the 'data room' match the impression from interviews with various stakeholders? Is the company transparent about its own vulnerabilities, or does it engage in 'window dressing'?

  • The 'closing'
    If the due diligence phase is passed successfully and the 'deal' goes through, then, based on the due diligence report, the buyer will want to include various contractual warranties and indemnities in the acquisition contract, in order to cover the risks and vulnerabilities (identified or not) as much as possible. This can be a lengthy negotiation process. It is also important here to make agreements about the transfer of personal data and communication about this.

  • The "post-closing" integration
    After the transfer, the "real" work begins and integration must take place between the buyer and the purchased company. During the IT integration, vulnerabilities and privacy risks may surface that were previously unknown. It is important to make proper arrangements for such situations.

Are you asking the right privacy questions?
Privacy has long been an underexposed topic in mergers and acquisitions, but that is now a thing of the past due to the AVG and multiple privacy scandals. The examples of TripAdvisor and Yahoo! show that data breaches involving the theft of personal data can have major financial consequences for the seller and the buyer.

Both the seller and the buyer have a responsibility to comply with the AVG. Privacy has therefore become an aspect to consider at all stages of a merger or acquisition, not just during the due diligence phase. Privacy is "here to stay" in mergers and acquisitions.

It is easy to underestimate the importance of privacy in mergers & acquisitions. When things go wrong, it can lead to high costs and losses. How can this be avoided?

On May 11, 2021, the course "Privacy Issues in Mergers and Acquisitions is a Snapshot" will take place. In this online course, attorney I Chu Chao explains the specific privacy concerns in the various phases of a merger or acquisition, from the due diligence phase to the post-closing phase.
