Insufficient attention to data protection in M&A transactions may result in unexpected and substantial losses.
Marriott International (Marriott) may face a fine of £99,200,396 in the United Kingdom for failing to verify that Starwood Hotels (Starwood) complied with personal data protection rules before acquiring it.
The Information Commissioner's Office (ICO), the UK supervisory authority, has served Marriott with a notice of intent to impose a fine of £99,200,396 for infringements of the personal data protection rules.
The compromise of Starwood's information technology systems, which led to the exposure of customer personal data, is believed to have begun in 2014. Marriott acquired Starwood in 2016, so the attackers were already inside the acquired systems at the time of the deal. The ICO investigation found that Marriott had not carried out sufficient due diligence before the acquisition and that it should have done more to secure the systems and the personal data they held afterwards.
Although the ICO has yet to make a final decision on the amount of the fine, the size of the potential penalty underlines the importance of thoroughly assessing the adequacy of a target company's data protection, both legal and technical, when acquiring its shares or business or merging with it, and of putting a strong information security strategy in place after the acquisition.
To limit the financial consequences, always verify that the target company's operations comply with the requirements of the General Data Protection Regulation (the GDPR), and obtain representations and warranties from the seller regarding that compliance, before acquiring the shares or business of a company or merging with it. Where non-compliance is found, obtain an indemnity from the seller to compensate the buyer or the company for any resulting loss. In any case, remediate any non-compliance immediately after the acquisition.
A proper review of GDPR compliance during due diligence on the target, backed by the seller's representations, warranties or indemnities, gives the buyer a contractual route to recover the cost of any sizeable fines imposed on it, subject to the limits of those provisions. Contractual protection does not, however, remove an existing breach or stop an ongoing one: eliminating the target's GDPR non-compliance before or promptly after the acquisition shortens the period of non-compliance, which is one of the factors the regulator takes into account when setting the fine.