Why is privacy important in mergers and acquisitions?
In many mergers and acquisitions (M&A), privacy used to play little or no role. It has become a hot topic in M&A since the introduction of the General Data Protection Regulation (GDPR) and following some privacy scandals after acquisitions. This article explains why privacy is important in mergers and acquisitions and what the privacy concerns are.
What if it goes wrong?
The importance of privacy in M&A can easily be underestimated, but if it goes wrong, it can lead to high costs and losses for both the seller and the buyer.
According to an annual IBM study in 2018, the cost of a data breach (a security incident where, for example, personal data has been lost) rose by 6.4% compared to the previous year, averaging $3.86 million per data breach. There is also a ‘mega breach’ category, in which 1 to 50 million files containing personal data have been lost and for which the costs are estimated at between $40 million and $350 million.
A data breach during or after a transaction
If a data breach occurs before, during or after an M&A transaction, this can have major consequences for the value and reputation of the purchased company. If the company's value is lower, the seller can ask less money for it.
A data breach can also be painful for the buyer. For example, if a data breach is discovered after the purchase, the new owner will be confronted with its negative consequences, such as reputation damage, a lower share price, customers leaving, lawsuits, compensation claims, investigations by the privacy authorities, and possible fines or settlements.
What we can learn from TripAdvisor and Yahoo
TripAdvisor had taken over a company, and shortly afterwards it became known that a large data breach had occurred at the acquired company. TripAdvisor's share price dropped 4% in just one day due to this news.
In 2016, during a takeover process with Verizon, it was announced that Yahoo! had concealed a large data breach in 2013 and 2014. This was possibly the ‘biggest data breach of all time’, in which the personal data of more than 1 billion people were stolen.
This data breach had a direct impact on the previously agreed selling price of $4.83 billion, which was reduced by $350 million. The CEO of Yahoo! at that time, Marissa Mayer, had to forgo a $2 million bonus and had to make way after the takeover. The buyer, Verizon, also paid half of the settlement fee of $50 million. All in all, this was quite an ‘M&A horror scenario’ for Verizon.
The importance of privacy due diligence
These examples underline the importance of privacy due diligence before you buy or sell a company. Of course, not all risks can be excluded, because (intentionally) concealed data breaches are hard to detect.
With contractual warranties and indemnities, you can cover certain risks to some extent, but they are not a remedy against reputation damage, customers leaving, fines or settlements. So, it is in the interest of both the seller and the buyer to make every effort to prevent such ‘surprises’ as much as possible.
Privacy is important in all M&A phases
Privacy, but also cyber security, is important in all phases of a merger or acquisition. Below you will find, for each phase, a number of privacy questions that you can ask in an M&A transaction:
- Market and growth strategy
Privacy is already important when determining the strategy. Before you even start with due diligence, it is important to know what the buyer ultimately wants to do with personal data. Does the buyer want to take over customers or employees? What role do personal data play in the buyer’s growth strategy?
- Selection of suitable sellers
Based on what criteria do you select the companies you want to buy? What do you want to do with the personal data of the seller? What reputation does the seller have in terms of data protection and (information) security? Is it a share purchase or an asset transaction? In a share purchase, the company itself is not sold, but only the shares in the company. The controller of the personal data then remains the same. In an asset transaction, however, the controller will change after the transaction. The buyer will have the obligations of a controller as soon as the personal data have been transferred. The seller and buyer have to work well together to meet these obligations.
- Due diligence phase
How does the company deal with personal data, also during the due diligence phase (set-up of a data room)? What do the privacy and security policies look like? Does the ‘paper reality’ of the data room match your impressions from the ‘live’ interviews? Is the company transparent about its own vulnerabilities, or is it mainly ‘window dressing’?
- The closing
If the due diligence phase has passed and the deal continues, then the buyer will, on the basis of the due diligence report, want to include various contractual warranties and indemnities in the purchase agreement, to cover any risks and vulnerabilities as much as possible. This can be a lengthy negotiation process. It is also important to make contractual arrangements about the transfer of personal data and how you will communicate about this.
- ‘Post-closing’ integration
After the deal is done, the ‘real’ work starts and an integration takes place between the buyer and the purchased company. In IT integrations, vulnerabilities and privacy risks may emerge that were previously unknown. It is important that clear contractual arrangements are made for such situations.
Are you asking the right privacy questions?
Privacy has long been an underexposed subject in mergers and acquisitions, but that is now a thing of the past, with the GDPR and several privacy scandals. The examples of TripAdvisor and Yahoo! show that data breaches in which personal data are stolen can have major financial consequences for the seller and the buyer.
Both seller and buyer have their own responsibility to comply with the GDPR. Privacy has become a permanent factor to take into account in all phases of an M&A transaction. Privacy is ‘here to stay’.