The discovery of a data security breach affecting over 500 million Yahoo! Inc. accounts during the proposed billion-dollar purchase by Verizon Communications Inc. alarmed many in the business community. This “mega-breach,” termed as the “largest hack ever” by many media outlets, potentially delays the acquisition, invites further investigations, and might reduce the final sale price. This was highlighted further when Yahoo announced another breach in December affecting over a billion accounts from August 2013.
The Verizon/Yahoo situation isn’t unique. In 2014, Facebook’s acquisition of WhatsApp drew attention over user data use and transfer concerns. These events emphasize the importance of data protection in M&A activities, not just in major digital and telecommunication corporations, but also in traditional businesses. In today’s digital era, data is a valuable asset for almost all businesses. With increasing data protection regulations like the GDPR in the EU, and rising customer expectations about data privacy, data protection has become a crucial aspect of any business transaction.
However, data protection concerns are often overlooked during M&A processes. As an example, in 2014, just two weeks post-acquisition by TripAdvisor Inc., Viator Inc. reported a data breach affecting 1.4 million customers. Not addressing such issues early can disrupt transactions and even question the feasibility of a deal. Thus, it’s essential to consider data protection during the sale or acquisition of a business.
To avoid data protection issues, businesses need to prepare. During M&A transactions, companies should be prepared to address data protection at three main stages: initial engagement, during due diligence, and post-acquisition during IT integration.
Privacy is crucial not just for major deals like those involving major tech giants.
During initial stages, sellers should ensure compliance with data protection regulations. They should audit the personal data they hold, determine its relevancy, and understand the intricacies of its processing. Having up-to-date privacy policies is also crucial.
For buyers, understanding a target’s data protection and security is vital. This understanding can influence the overall strategy of the acquisition. Considerations should include changes in data handling post-acquisition, the need for new customer consents, and any potential changes in products, services, or technologies that might influence privacy and compliance needs.
In essence, both sellers and buyers need to give due consideration to data protection issues to ensure smooth and compliant business transactions.