October 20, 2019

October 18, 2019


Data Security Diligence Checks — Not Just For Breakfast Anymore

In a statement that is sure to affect any acquisition involving data assets subject to GDPR, the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights, appears to have greatly increased an acquirer's risk of suffering successor liability.

Information Commissioner Elizabeth Denham just announced the ICO's intention to fine Marriott International, Inc. almost $125 MM for a data breach that occurred at Starwood Hotels Group, which Marriott acquired in 2016. The breach took place two years before Marriott acquired Starwood and wasn't discovered until two years after the acquisition.

Citing Marriott for a failure to conduct “proper” due diligence, Commissioner Denham said that she would not hesitate to take “strong action” to protect the rights of the public:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

We don't yet know the facts upon which the ICO acted, and Marriott has indicated that it intends to "respond and vigorously defend its position." What we do know is that our clients should take heed of the many ways that this potentially groundbreaking action may affect acquisitions involving data assets subject to GDPR.

For a start, what is "proper" due diligence? In this case, what we know is that the breach occurred well before the acquisition and wasn't discovered until well after it closed. In such a situation, standard representations, warranties, and indemnities could well have proved useless to the acquirer. Insurance might be unavailing as well, because there may have been no breach of the applicable reps. Purchase price holdbacks and escrows could likewise have expired.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Philip Gura, Womble Dickinson Law Firm, Atlanta, Cybersecurity Law Attorney
Of Counsel

Phil Gura has more than 30 years of experience helping companies manage privacy, data security, governance and regulatory compliance challenges. For the past 15 years, he has served as the Chief Legal Officer of major corporations, including Merchant Customer Exchange LLC (MCX), RaceTrac Petroleum Inc. and LaRoche Industries, Inc. His in-house experience includes managing and directing corporate governance, regulatory/compliance, privacy/ data security and intellectual property efforts.

Phil most recently served as Chief Legal Officer of Sionic...

404-888-7480