Company mergers and acquisitions offer immense value to all involved through newly acquired customers and their corresponding assets, including holdings, systems, and data. However, mergers can expose companies to elevated risks if not done carefully. Transferring data requires as much protection during a merger as at any other time.

Today, we’ll be looking at a few real-world examples of privacy risks that can surface during company mergers and acquisitions, as well as a few steps your business can take to safeguard your own data.

Consequences of Ignoring Mergers and Acquisitions Risks

The Marriott-Starwood Data Breach (2018)

In 2016, the massive hotel chain Marriott acquired Starwood Hotels & Resorts. Two years later, Marriott was still using Starwood’s existing reservation system to handle bookings at their new hotels. This turned out to be a risky decision. In September 2018, when a security tool flagged a particular attempt to access guest records as suspicious, staff began looking closer. The investigation uncovered that not only were an estimated 500 million guest records compromised or stolen, but also that this massive data breach had been going on since 2014.

The cause of the original data breach remains unknown. But regardless of how or why it happened, the fact remains that Marriott failed to perform due diligence during their acquisition of Starwood and ongoing use of its booking systems. The incident cost the company a good deal of money. Marriott originally faced $28 million in expenses related to the breach, from lawsuit settlements to damage control. Most of this was covered by the company’s cyber insurance. However, insurance did not cover any of the approximately $24 million fine levied by GDPR enforcement for failure to protect European citizens’ data.

Google’s Data Collection Through FitBit (2019)

When Google acquired FitBit in 2019, both companies proclaimed their intentions to safeguard customer data and give users full control over their own information. FitBit in particular emphasized that they never sold user data, and it would not be used for Google ads.

Unsurprisingly given Google’s track record, the company was not being entirely honest about its data collection practices. The company paid $392 million in a lawsuit settlement involving 40 US states following allegations that Google Maps continued to track users’ locations even when location sharing was turned off. The location data was then allegedly sold to digital marketers for advertisements.

This scenario is different from the Marriott data breach because rather than simply failing to perform due diligence, Google actively went against users’ wishes and misled consumers into believing their data was secure.

Concerns About Amazon’s Acquisition of iRobot (2022)

Amazon’s announcement that the company was purchasing iRobot, the company behind the famous robot vacuums known as Roombas, raised a lot of eyebrows. Roombas are designed to memorize a home’s floor plan and follow a set cleaning schedule. Combined with Amazon’s existing line of smart home products like Alexa (all of which come with their own privacy concerns), and Amazon’s abysmal privacy track record, the merger was concerning. Privacy watchdog groups called on the US government to intervene. However, as of July 2023, the acquisition is complete.

While not many major news stories have surfaced about Roombas posing massive privacy risks, at least one incident from 2020 has been reported where a Roomba’s camera captured private moments in a family’s home. Screenshots later made it onto employees’ social media. The thought of Amazon having access to similar images, alongside the massive amount of data the company collects already, is alarming.

So, how can your business avoid the same massive missteps as these companies? Let’s get a birds-eye view of a few best practices.

Best Practices for Reducing Mergers and Acquisitions Risks

Remember to consult your company’s legal team for a more personalized approach.

• Pre-Acquisition Planning & Internal Strategy/Objectives
  • Assess the maturity level of your data privacy program and information security practices.
  • Evaluate data flows, contractual obligations, and potential risks associated with the transaction.
  • Consider the impact of your privacy and data security posture on the deal.
• Confirming Compliance Against Regulations
  • Assess the acquisition target’s compliance with relevant regulations such as GDPR, state privacy laws, and global privacy regulations.
  • Ensure partners/vendors involved in the transaction also adhere to compliance requirements.
• Due Diligence & Pre-Signing Stages
  • Evaluate privacy notices and assess potential legal implications in different regions.
  • Review data security protocols, vendor relationships, and employee data handling.
• After Acquisition: Post-Signing & Post-Closing
  • Determine if special regulatory reviews are necessary based on the nature of the transaction and industry regulations.
  • Identify data that should be excluded from transfers and establish protocols for its handling.
  • Revise and integrate policies, including employee and HR records.
  • Assess infrastructure and data portability, and ensure compliance with relevant regulators.

Mitigating Mergers and Acquisitions Risks

Privacy and data security considerations should be at the forefront of acquisitions in today’s business landscape. Neglecting these factors can lead to financial losses, regulatory penalties, loss of trust, and long-lasting business impacts. But your company has some power to reduce the risks commonly associated with mergers and acquisitions. By incorporating best practices throughout the process, organizations can safeguard sensitive data, maintain regulatory compliance, and maximize the value of their acquisitions.

Contact us for more information on privacy compliance and how you can mitigate risks during mergers and acquisitions.