Daniel Sokol Offers Ways to Avoid “Data Lemons” in Mergers & Acquisitions

When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon”.
- from “Don’t Acquire a Company Until You Evaluate Its Data Security” by Daniel Sokol and Chirantan Chatterjee

Law professor Daniel Sokol, University of Florida’s Levin College of Law, and his colleague Chirantan Chatterjee, Stanford University Fellow, examine the risk of cybersecurity vulnerabilities within merger and acquisition activity. Similar to the concept of purchasing a ‘lemon’ in a car purchase, often the buyer does not know the quality of a product being offered by a seller. Professors Sokol and Chatterjee point out that “In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality.”

In their article, “Don’t Acquire a Company Until You Evaluate Its Data Security,” Professors Sokol and Chatterjee emphasize that “recent events shed light on an emerging nuance in M&A [mergers & acquisitions] — that of the data lemon.”

That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust. That’s the situation Marriott is now dealing with. The company faces $912 million in GDPR fines in the EU and its stock price has taken a hit. The trouble doesn’t end there. According to Bloomberg, “the company could face up to $1 billion in regulatory fines and litigation costs.”

Professors Sokol and Chatterjee provide guidelines on how to avoid data lemons; and they also offer recommendations for what to do if an acquirer discovers they have a data lemon, despite all efforts to avoid that scenario. Below are a few more excerpts from “Don’t Acquire a Company Until You Evaluate Its Data Security:”

So what to do about data lemons? You can simply make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon path and reduce the valuation post-acquisition. We propose a third option: due diligence not just on the financials of the target firm, but also its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.

Finding the Problem Before You Own It

In this approach, we borrow from established compliance standards intended to safeguard against bribery and environmental issues. The acquirer would investigate the target firm’s past data breaches and require disclosure of prior data-related audits and any pending investigations worldwide. The acquiring firm would also conduct a review of the target’s processes and procedures regarding information security — like acceptable use of data, data classification, and data handling. The acquirer should also evaluate target firm compliance with cyber security frameworks from NIST, CIS, ISO, and the AICPA.

Once You’ve Acquired a Data Lemon

Even if you’ve done all the above, you may still acquire a data lemon. What should you do then? At this point, it is essential to set up an incident response strategy to address risks, including both those that are legal or regulatory or customer-facing in nature. Such an incident-response strategy needs to be quick and decisive, adopting a multi-disciplinary approach, and the board must be brought in. Management of public relations and outreach to policymakers will have to be transparent. These are just the immediate steps. The acquiring firm needs to review the practices that led to the breach and identify measures to improve the data privacy compliance program going forward.

The more acquirers are proactive and address this issue through effective self-regulation, or through an industry-based peer-driven regulation, the less likely more severe government regulation will be put in place as a response.

Read the full article: “Don’t Acquire a Company Until You Evaluate Its Data Security” (Harvard Business Review, April 16, 2019).

D. Daniel Sokol is the University of Florida Research Foundation Professor and University Term Professor at the University of Florida's Levin College of Law.

Chirantan Chatterjee is the ICICI Bank Chair in Strategic Management and Associate Professor in Business Policy and Economics at the Indian Institute of Management Ahmedabad, India, also a 2018-2019 Campbell and Edward Teller National Fellow at Hoover Institution, Stanford University.