Proposed £99 million fine for Marriott group illustrates the importance of attention to data protection issues in acquisition due diligence
A recent penalty decision by the Information Commissioner illustrates the importance to buyers and sellers of businesses of ensuring that data protection breaches are identified and dealt with during the due diligence process.
On 9 July, the Information Commissioner announced that she intends to fine Marriott International £99.2 million in relation to a security breach in a business acquired by it in 2016. The breach occurred at the Starwood Hotels group in 2014, but was not discovered or disclosed in the due diligence process relating to Marriott’s acquisition of Starwood in 2016. By the time the breach was reported by Marriott to the ICO in November 2018, the financial details and other personal data of millions of Starwood customers had been compromised.
The Commissioner’s decision is particularly interesting because of the emphasis on the buyer’s responsibility for detecting the breach during due diligence. Implications for buyers and sellers of businesses and their professionals include the following:
1. The ICO expects data protection compliance to be dealt with in due diligence and will not make allowances for “legacy” problems:
The Commissioner says that organisations must
“[carry] out proper due diligence when making a corporate acquisition, and [put] in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”
In short, the fact that Marriott “acquired” the breach with the Starwood business was no excuse. Marriott knew it would be responsible for the safety and security of the customer data and systems it would acquire with Starwood. It should therefore have undertaken “sufficient due diligence when it bought Starwood” to detect the problem and, to the extent it did not, this should have been discovered promptly post-acquisition.
The implication is that data protection due diligence should be robust enough to identify any breaches and these should be rectified pre-completion. If breaches are not discovered during due diligence, the buyer will be expected to give appropriate priority to uncovering and resolving breaches during integration of the new acquisition.
2. Sellers should consider a review of data protection compliance and risks when preparing a company for sale:
If processing personal data is an integral part of the business, sellers should consider commissioning a GDPR compliance review before the sale process starts (one that need only be proportionate to the business’s use of personal data) and having the technical security of electronic systems assessed by an independent expert.
3. Bear in mind GDPR liabilities and reputational risks when structuring a sale and negotiating warranties and indemnities:
The ICO can levy penalties under the GDPR of the larger of (i) 4% of global turnover, or (ii) €20 million, and will actively publicise its enforcement measures. Affected persons can also seek civil damages under the GDPR, leading to further financial or reputational damage.
Where a substantial data protection risk is identified during the pre-sale process, buyers and sellers will need to consider not only what warranty and indemnity protection is appropriate but whether such protection is adequate at all, in light of the potential level of fines and civil damages and the reputational damage which could result from a buyer becoming associated with a breach.
Where a substantial issue is identified, this may affect the timing of the transaction (e.g. will the buyer insist on the breach being reported to, and resolved with, the regulator before completion?) and even whether the buyer considers it prudent to proceed with the acquisition at all.
If you have questions about the Marriott case or your own data protection compliance position, contact our data protection specialists, Ian Lindley and Victoria Jessup, to see how we can help.
The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. PDT Solicitors LLP accepts no responsibility for the content of any third party website to which this webpage refers.