DealLawyers.com Blog

July 29, 2019

M&A Cybersecurity Diligence Lapses Result in £99 Million GDPR Fine

We’ve previously blogged about the growing importance of cybersecurity due diligence in M&A. The UK Information Commissioner’s Office brought home some of the risks of inadequate diligence in this area when it announced its intention to impose a £99 million fine on Marriott for GDPR violations associated with a data breach at Starwood Hotels, which Marriott acquired in 2016.

The press release announcing the fine specifically said that the ICO’s investigation “found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” This excerpt from a recent Debevoise memo says that the ICO’s reference to inadequate diligence was unprecedented:

The proposed Marriott fine is the first major regulatory action anywhere to specifically call out a company for purportedly inadequate cyber due diligence in connection with an M&A deal. The proposed fine comes hot on the heels of the ICO’s notice of intent to fine British Airways £183 million. That proposed fine relates to British Airways’ 2018 data breach affecting approximately 500,000 customers.

The ICO has not yet published the details of Marriott’s alleged GDPR violations. Hence it remains to be seen exactly what more the ICO thinks Marriott could or should have done to identify and remediate the Starwood breach, whether pre- or post-closing of the acquisition.

The Starwood data breach apparently occurred in 2014, but the resulting exposure of customer data wasn’t discovered until 2018. The memo notes that approximately 339 million people across the world were affected by the breach, including 7 million in the UK.

John Jenkins