How to Prepare for Data Protection Due Diligence

In 2016, Marriott International purchased Starwood Hotels & Resorts to become the world’s largest hotel chain.

But at no point during that $13.6 billion takeover did Marriott realise that it wasn’t only acquiring 11 new brands but also an insecure guest booking system that had been exposing customer data for years.

Guests’ names, addresses, dates of birth, gender, passport numbers, rewards information and credit card details continued to spill out onto the web for two more years before Marriott was made aware of the breach.

By that point, 339 million guests had been affected, which would eventually lead to a £18.4 million fine from the ICO (Information Commissioner’s Office).

But that was only the start of Marriott’s problems. It was slapped with several class action lawsuits, its share price dropped 5.6% and it has become a case study in the dangers of acquiring compromised assets.

If you compare the Marriott incident with Verizon’s purchase of Yahoo in 2017, the benefits of cyber security due diligence are clear.

Verizon had originally agreed to purchase the firm for more than $4.8 billion, but that offer dropped significantly following a series of catastrophic data breaches, which compromised the personal data of all three billion Yahoo customers.

But that wasn’t all. Verizon demanded that Yahoo contribute towards any future legal costs, as well as the cost of reparations arising from the breach.

Verizon would still have to foot the bill for overhauling an information security system that clearly wasn’t adequate, but it learned this before finalising the deal and factored it into the purchase price.

Getting started

The examples we’ve discussed here are two of the most high-profile cases of acquisitions that were affected by data breaches – but it’s an issue that all organisations, no matter their size, must consider when going through a merger, acquisition or IPO.

Often, their review goes little further than asking whether the target is aware of any previous data breaches. Even the more assiduous organisations may only perform a cursory evaluation of the target’s GDPR (General Data Protection Regulation) compliance status.

Indeed, organisations often rely on questionnaires and contractual agreements to perform these tasks. However, contracts tend to describe the controller’s expectations with respect to data processing in a generic manner.

In particular, clauses related to data security and privacy measures are often worded in broad terms that offer limited recourse in the event the processor suffers a data breach. Without specific details, it will be challenging to enforce or fully assess specific requirements.

Questionnaires are equally problematic. The larger and more detailed they are, the less likely external parties are to engage with them. Conversely, smaller, less detailed questionnaires will inevitably be less effective.

There is no way to know if the answers given are accurate, or if key details have been omitted. Even where the recipient has been honest, you still only have a snapshot of the situation at the time the questionnaire was completed.

Despite these challenges, contracts and questionnaires aren’t without their merits – particularly if they are combined with an audit or due diligence assessment.

Due diligence success

There are many ways to plan and execute a due diligence programme. However, a successful assessment is likely to contain these seven steps:

1. Identify suppliers and relevant requirements

First, if you have not already done so, you need to identify all suppliers that process personal data. You must also establish exactly which GDPR and contractual requirements those suppliers need to meet.

2. Prepare and send out questionnaires

Next, you should prepare due diligence questionnaires to send to your selected processors, asking about their security measures and how they handle personal data.

3. Review the questionnaire responses and develop an audit programme

You should review the questionnaire responses to help identify which processors you want to audit. Typically, these will be your highest-risk processors, based on the relevant risk factors.

4. Plan the audit

Taking into account the questionnaire responses received, you should plan the audit. Begin by defining the requirements you will audit against.

5. Conduct the audit

Whether conducted on-site or remotely, each audit typically starts with an opening meeting, before the ‘meat’ of the audit is conducted. This usually involves interviews with key members of staff, as well as a review of relevant documentation, processes and systems to determine whether they meet requirements.

6. Issue audit report

The auditor will describe their findings in detail in an audit report. A copy must be provided to the auditee so they can take corrective action to resolve any nonconformities. You should work with the auditee to define acceptable timescales and priorities for the necessary actions.

7. Conduct a follow-up

Finally, you should conduct a follow-up review after an agreed period to make sure that any nonconformities have been satisfactorily mitigated, and to arrange a date for the next audit.

Due diligence success with DQM GRC

You can find more detailed advice on the topics we’ve discussed in this blog by downloading Third-Party GDPR Audits – Conducting Due Diligence.

This free green paper provides in-depth guidance about each step of the process, alongside further tips for completing due diligence checks.

Meanwhile, if your organisation is going through a merger or acquisition and you’re looking for support, DQM GRC’s team of experts are here to help.

Our Supply Chain Audit Service offers support for organisations that need to assess the data protection practices of their suppliers. Auditing for due diligence takes time and expertise, and can compromise focus on other projects.

Additionally, our interim and seconded consultants can support your businesses through the change. We can help prepare your organisation for a merger and ensure that your data protection processes and procedures are up to date.

We’ll also review your practices and suggest improvements, and advise you on things you must do to meet your legal and contractual requirements.

Author: Luke Irwin

Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.