Marriott International’s acknowledgment that hackers had stolen records for more than 500 million customers over the past four years highlights the risk of exposure to cyberthreats during mergers. The data breach, which started in 2014, predated the Marriott and Starwood merger, which kicked off in 2016, and the leak was still ongoing as two of the travel industry’s largest loyalty programs (and membership datasets) merged into one.
According to a press release issued on November 30, the company had not yet determined how many of the records were duplicates, but said that for close to 327 million guests the exposed data included “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),” said the company. “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Reputational damage and regulatory drama
Jeff Pollard, VP and principal analyst at market researchers Forrester, told the Enterprise Times in the UK that the fact that Marriott properties were not affected suggests it was “solely a Starwood incident.”
“That means it also went undetected during the merger and subsequent consolidation efforts,” Pollard told ET. “With all the M&A occurring, it highlights the importance of robust cybersecurity due diligence during the acquisition process.”
There’s a chance the breach could draw hefty fines under the European Union’s General Data Protection Regulation (GDPR) of up to 4 percent of annual revenue (around £117 million, according to the Guardian).
“Marriott now faces brand and reputational damage, regulatory oversight and legal issues as the result of a cybersecurity incident that occurred two plus years before they announced the acquisition of Starwood,” says Pollard, pointing to the long tail and unanticipated costs of data breaches.
Cybersecurity and data protection derailing acquisitions
For Marriott and Starwood, the damage is already done, but stiffening regulations and hefty fines surrounding customer data and security practices are having an adverse effect on mergers and acquisitions.
Around 900 deals totaling about $1.3 trillion fell through in 2018, according to Bloomberg. A survey of 539 M&A professionals found that cybersecurity and data protection are top of mind for acquirers.
More than half of respondents (55 percent) claimed concerns about a target company’s data protection policies derailed their deal. Further to that, two-thirds said the new GDPR law would “add a level of complexity to due diligence as acquirers scrutinize their targets’ compliance.”
It also adds logistical challenges, given that the GDPR applies both to companies in the EU and to companies anywhere else in the world that process the personal data of people in the EU.
For mid-sized companies looking at targets in the EU, it’s not a stretch to see GDPR compliance as a hiccup, or perhaps even a deterrent. Even a company with only five percent of its business relating to European customers is still obligated to keep step with GDPR.
Unlike their mega-multinational counterparts, many middle market companies lack access to in-house legal departments capable of wading through the GDPR rules. In cases where a company in North America is looking to acquire another with access to the EU market, the acquirer will need to conduct thorough GDPR-specific security infrastructure due diligence to ensure that it is not buying a cybersecurity risk (as Marriott seems to have stumbled into with Starwood).
Making an example out of the middle market
Even the exchange of information during dealmaking takes on new meaning under GDPR, Steven de Schrijver, a practicing M&A lawyer with Astrea in Brussels, told Tom Wheeler, managing director of IR Global during a roundtable for The DealRoom in September.
Schrijver says he always cautions sellers to be selective about the data they put into a virtual data room, specifically anything that could relate to employees in the EU. “Sellers may need to include information about key employees, but not everyone,” he says, adding that the key to exchanging any data in the post-GDPR world is anonymization. “Give any potential buyers the key to unlock personal data separately and do not keep it together with other documents.”
Some analysts believe GDPR missteps by middle market companies are more likely to provoke consequences from regulators, in order to establish precedent for taking on larger companies further down the road.
“While many executives have been dismissive of the impact of GDPR on their organization, they may be ignoring a very significant warning in a way that will cause significant pain later,” Daimon Geopfert, Principal, RSM US, said in RSM’s Q1 2018 US Middle Market cybersecurity report. “GDPR is an indicator of the very likely course of upcoming privacy laws in the United States, as well as other international locations.”
Geopfert says middle market companies would do well to take a hard look at their data privacy processes and lean into GDPR rules surrounding consent and the “right to be forgotten,” so that when “such laws inevitably come to the United States or regulatory agencies, organizations can avoid the perspective of having to deploy such controls in a compressed timeline.”