Data Due Diligence is Critical to Maintaining Compliance and Mitigating Breaches During and After M&As

Corporate mergers and acquisitions (M&A) are on the upswing according to the most recent EY-Parthenon Deal Barometer, which predicts a 12% increase in corporate M&A activity in 2024. There are a lot of reasons why organizations are being acquired and/or merging, but EY claims part of the increase is due to organizations bolstering their product portfolios with AI and other technologies. Despite the reasons, organizations have a responsibility to not only their stakeholders, but also their customers, to prioritize data due diligence prior to a merger or acquisition. 

What happens to sensitive customer and corporate data should be a top concern for organizations. The question is whether data governance and cybersecurity best practices are taking a backseat as companies go through the tumultuous process of merging with another organization or an acquisition. The importance of adhering to cybersecurity and data governance best practices prior to an M&A can be an effective strategy to mitigate the impact and fallout from a data breach and ensure the protection of an organization’s customer and corporate data.

M&A success depends on data governance best practices

The importance of data due diligence during the acquisition process, including assessment of security controls and protections, was in the spotlight in 2018 when Marriott announced it was hit with one of the largest data breaches in history – affecting about 500 million –  after its acquisition of Starwood Hotels.

For at least four years, hackers had access to a database belonging to Starwood Hotels and Resorts, which Marriott acquired in 2016. The breach affected more than 130 million records, according to court documents. The class action lawsuit(s) are still winding their way through the courts.

Not only was personal information compromised, so was the brand equity Marriott spent decades building. The breach also made it clear that data governance and management, as well as cybersecurity protections, must be a top priority before the ink is dry on an acquisition or merger deal. No matter the industry, organizations being acquired must also spend the time and resources conducting due diligence on the acquirer because in the case of a breach, they can also be held liable for non-compliance and/or violations of consumer privacy laws, including the GDPR and the California Consumer Privacy Act (CCPA). The company being acquired should evaluate the acquiring organization’s data privacy practices, policies, and compliance history as well as ensure the acquiring organization has adequate data protection measures in place. The organization should also work with the acquirer to develop a plan for integrating data privacy practices between the two organizations.

Preparation priorities for companies being acquired

When companies merge or are acquired, handling data appropriately is critical to ensure compliance with legal regulations, data integrity, and the protection of customer and company information. It’s critical for companies to follow best practices prior to a merger or acquisition to ensure the security of both customer and corporate date, which includes:

1. Data Asset Audit: 

• Performing an audit identifies all data assets, including customer information, intellectual property, employee data, and operational data
• It also evaluates the accuracy, completeness, and relevance of the data and pinpoints sensitive information that requires special handling, such as personal data, financial information, and proprietary business information

2. Maintain Legal and Regulatory Compliance:

• Evaluate the acquiring organization’s data privacy practices, policies, and compliance history
• Review relevant data protection laws and regulations, such as GDPR, CCPA, or industry-specific requirements
• Examine existing contracts to identify data-related obligations and restrictions
• Ensure that appropriate consents have been obtained for data use, especially if data will be used in new ways post-merger

3. Prioritize Data Security

• Perform a thorough security assessment to identify potential vulnerabilities and restrict access to sensitive data to authorized personnel only
• Ensure robust security measures are in place, such as encryption, access controls, and monitoring
• Establish robust network security measures, such as firewalls, intrusion detection systems, and secure communication channels
• Create and/or update a data breach response plan to handle potential security incidents

4. Develop a Data Integration Plan

• Map out how data from both organizations will be integrated, including matching data formats and structures
• Clean and de-duplicate data to ensure consistency and avoid storing redundant information 
• Work with the acquiring company to develop a data migration process, including timelines, resources, and tools required

5. Data Retention and Disposal

• Do review and align data retention policies between the organizations
• Ensure only necessary data which must be retained for legal, financial and compliance purposes is retained, and redundant, obsolete and trivial (ROT) data is disposed of properly using auditable data sanitization 

6. Communicate Clearly with Stakeholders

• It’s important to keep employees informed about how data will be handled, any changes to data access, and security protocols
• It’s equally important to promptly notify customers about the merger or acquisition and explain how their data will be used and protected
• Finally, inform relevant regulatory authorities about the merger or acquisition and any changes to data handling practices

The focus on cybersecurity and data governance doesn’t end once the merger or acquisition is complete. The acquirer must establish a unified data governance framework that includes data ownership, policies, and procedures. And if they haven’t already, the organization should establish a new “steward” or data protection officer who will own the management and protection of data, including the implementation of continuous monitoring to ensure compliance with data policies and regulations.

Acquirers and organizations being acquired can better manage liability for data breaches during mergers by creating and executing a data due diligence plan based on industry best practices. Not only will both entities safeguard their operations and brand reputation, they will maintain the stakeholder trust that took years or decades to cultivate and lay the groundwork for success post-acquisition.

About the author

Fredrik Forslund currently serves as Vice President and General Manager of International Sales for Blancco Technology Group. Fredrik brings over 20 years of experience in IT security. This includes most recently leading Blancco’s data center and cloud erasure initiatives and before that, founding SafeIT, a security software company focusing on encryption and selective data erasure. His experience also includes serving as a management consultant for McKinsey & Company.

Sign up for the free insideAI News newsletter.

Join us on Twitter: https://twitter.com/InsideBigData1

Join us on LinkedIn: https://www.linkedin.com/company/insideainews/

Join us on Facebook: https://www.facebook.com/insideAINEWSNOW