Data breaches in M&A transactions: true stories of breaches and lessons to learn

Facts: the role of data in the current M&A market

Data is now one of the most valuable commodities in the world, with a market estimated at USD 92 billion globally by 2026.  Rapidly increasing values mean rapidly increasing responsibilities: this is why both the sellers’ and buyers’ approach to certain transactions has significantly changed over the past few months.

It is hard to say at which particular stage of a transaction data and analytics are most impactful: certainly, the saying “the sooner the better” applies here too, since data protection issues might arise in the very early stages of any transaction, when the parties start sharing their initial data and figures and agree on the transaction’s structure.

However, data protection issues follow the transaction at every stage. In the due diligence process, any potential buyer should focus more closely on these areas of risk, whether by means of specific requests, by investigating the target company’s incident history regarding previous data breaches and the relevant remedies, or through a deeper examination of the relevant regulatory compliance. When negotiating the transaction documents, the target’s managers could be required to provide specific assessments, without prejudice to additional specific statements made by the seller to address the risk of a breach, which may trigger strenuous negotiations over limitations or qualifications (such as knowledge qualifiers or time limitations).

Once upon a time: the Yahoo! / Verizon case

During 2013 and 2014 Yahoo! underwent two major data breaches involving all of its 3 billion accounts; those data breaches were not immediately reported by Yahoo!, not even when in June 2016 Verizon Communications announced it had entered negotiations to acquire Yahoo Inc., with closing forecasted in March 2017, for an overall value of around USD 4.83 billion.

The 2014 data breach was revealed in September 2016, while the 2013 data breach was revealed in December 2016.

At that time, Verizon considered at least 3 different options: (a) stepping out of the transaction, probably by triggering a material adverse effect clause; (b) negotiating a lower price for the acquisition; or (c) having Yahoo assume the liability for lasting damage caused by the breaches.

Initially Verizon picked option (b) above and sought to change the terms of the transaction: after evaluating the impact of the data breach disclosures, Verizon proposed to reduce the price by almost USD 1 billion.  To make a long story short, an agreement was reached between the parties and the transaction closed in June 2017 for USD 4.48 billion: this means that the above data breaches were valued at around USD 350 million (not exactly peanuts!).

History repeating itself: the Marriott / Starwood case

In March 2016 Marriott International acquired Starwood Hotels and Resorts Worldwide, creating the world’s largest hotel chain with top brands including Sheraton, Ritz-Carlton and Autograph Collection; the transaction was worth around USD 13.6 billion.

On September 8, 2018, Marriott first detected a breach in the US Starwood guest reservation database; further investigations then uncovered unauthorized access to the Starwood network starting in 2014, as Marriott itself confirmed on November 19, 2018: in short, hackers stole the records of around 383 million Starwood guests.

Such a “colossal” hack involved a wide range of personal data, including names, mailing addresses, phone numbers, e-mail addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences, as well as card numbers and expiration dates; even worse, although the credit card information was encrypted, Marriott could not exclude the possibility that the encryption keys had also been stolen.

Once the news broke, emphasis was mostly placed on two risk factors: (i) the scale of the problem, and (ii) the delay in reporting it to the public (including to the data subjects involved).

In July 2019, the Information Commissioner’s Office (ICO), the UK Data Protection Authority, proposed a fine of GBP 99.2 million, although the GDPR could have allowed for a maximum fine of GBP 117 million (under the GDPR, fines for data breaches are up to 4% of annual turnover).  Elizabeth Denham (Head of the ICO) focused her attention on two major points:

  • Principle of accountability (Article 5, para. 2, of the GDPR): “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”; and
  • Principle of integrity and confidentiality (Article 5, para. 1(f), of the GDPR) and Security of Data Processing (Article 32 of the GDPR): “Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public”, she said.

Meanwhile, in the U.S.A., class-action lawsuits from consumers, financial institutions, investors and the city of Chicago were consolidated in February 2019 into multi-district litigation of more than 80 cases against Marriott.  Separately, several state attorneys general are still investigating.

Finally, on July 24, 2019, Marriott customers filed a complaint against Accenture PLC for allegedly playing a part in the Starwood data breach: those customers are accusing the consulting firm Accenture of a “failure to maintain adequate security controls to detect and neutralize known and obvious security threats” in Starwood Hotels’ reservation system, which Accenture managed.

Breaking news: a potential data breach affecting another big hotel player

Now, while the Marriott case is pending (and we look forward to seeing what the next chapter will be), another big player in the same field of business, the France-based and leading European B2B hotel booking platform Gekko Group (a subsidiary of Accor Hotels), very recently discovered that it had suffered a massive data breach, which may have affected a customer base of 600,000 hotels worldwide: the exposed database contained over 1 terabyte of data, covering Gekko Group brands and their clients, as well as external websites and platforms with which their systems communicate (such as

What can we learn from the above cases? Some practical advice.

First of all, data is the new oil (or rather, data that has been collected and processed lawfully is): compliance with the GDPR is extremely critical (due to the high fines, up to EUR 20 million or 4% of worldwide turnover) and data protection is definitely a hot topic in M&A transactions as well.

This starts from the due diligence phase, in which the seller/target must disclose data in compliance with data protection law, and the buyer must identify the data compliance risks by conducting a proper data protection due diligence (DPDD): the seller and the seller’s advisors must set up the data room, and the buyer and the buyer’s advisors must process the data stored there, in each case complying with all the rules and principles under the GDPR.

From a practical perspective, the parties can enter into a set of agreements (such as Data Sharing Agreement / Data Processing Agreement / NDA) aimed at agreeing on different types of data processing (e.g., encryption, deletion, return) and data transfer rules (e.g., in the case of cross-border transfer, by including EU standard contractual clauses, if necessary).

At the drafting stage, and irrespective of the result of the due diligence, the buyer must seek adequate protection by including the most extensive set of protection clauses regarding compliance with privacy and data security laws, such as: (i) compliance with contractual requirements; (ii) security of information technology assets; (iii) detection of network vulnerabilities and data breaches; (iv) disclosure of data-related claims and compliance investigations; (v) disclosure of arrangements under which data is shared with or by third parties; (vi) security assessments and correction of any gaps, etc.  It is important to say that, based also on the Verizon and Marriott cases, a simple representation on “Compliance with law” is not sufficient.

Of course, where a buyer has detected a potential issue during the due diligence phase, this must be properly addressed and covered under specific indemnity clauses, or may even affect the envisaged purchase price (see the Verizon case).  In addition, the buyer must check the adequacy of the seller’s insurance coverage to protect the business, and clearly define the indemnities to be paid by the seller for any breach of these representations and warranties, as well as for any non-compliance with data protection laws prior to the acquisition.

On the other hand, the seller must try to limit its potential liability, whether in terms of amount, duration and/or nature of damages (e.g., by excluding liability for loss of opportunity or reputational damage).  From a practical perspective, and depending on the nature of the potential issue, the parties could agree to enter into a warranty and indemnity insurance policy specifically covering the risk of loss in connection with unknown and unintentional data protection offences, as a way to reduce their potential liability.

The parties could also agree to include in the SPA certain closing conditions to address the implementation of missing IT safeguards or compliance gaps, or covenants to address the ongoing safeguarding of sensitive data. Furthermore, the parties could try to minimize the potential risk by entering into complementary agreements, such as a transitional services agreement dealing with post-closing data integration and services, data sharing agreements to govern pre-closing data transfers, or other licensing and data processing agreements for post-closing business operations.
