Avoiding Costly Mistakes in Mergers and Acquisitions
Although technology merger and acquisition (M&A) activity slowed significantly in 2020 due to the pandemic—market uncertainty resulted in deal values falling to decade-low quarterly performances of $35B USD, as compared to $127B and $165B in 2019 and 2018, respectively—things picked back up in Q3. Each month included at least ten billion-dollar deals as pent-up demand drove nearly record-breaking activity.
Intelligent acquisitions determine fit and alignment with the parent company’s growth strategy, but now liability for owning personally identifiable information (PII) is an emerging factor that all M&A activity must revolve around.
Data Privacy Requirements Have Changed M&A
Consider the recent class-action lawsuit levied against Marriott International for a security breach they experienced a year and a half earlier. The leaks came via their acquisition of the Starwood Hotels Group in 2016, and had been occurring from 2014 through 2018.
The UK Information Commissioner’s Office ruled that Marriot could have done more to protect their customer’s privacy and also did not perform a thorough data storage inspection prior to the $13 billion acquisition. A global litigation financing firm is underwriting the suit, an alarming indicator that data privacy breaches are becoming a lucrative arena for litigation.
Marriot’s fine stands at a whopping $23.8 million. In fact, numerous companies in Europe have been fined due to not meeting General Data Protection Regulation (GDPR) standards. Since the California Consumer Privacy Act (CCPA) was started earlier this summer, the US will now start to see similar regulations enforced across the nation.
Determining What Should Be Flagged and Reported
The actual process of discovering PII starts with identifying the platforms that target data is held in, be it structured or unstructured or some combination of the two. Although companies typically expect to scan sources like HDFS or S3 for files, even with relational databases, accurate scanning is required, as columns and tables can contain leaked PII or be improperly labeled. In addition, determining context is required to assess whether information is liable PII. For example, a date of birth is specific data that does not mean anything on its own, but if found along with someone’s full name, would need to be reported as sensitive information.
The process of figuring out which information needs to be flagged as PII and reported necessitates building policies that can be used to search for different categories of sensitive data within a single scan. From there, fine-tuning and adjusting discovery scans can ultimately lead to remediation, in which sensitive data can be masked or encrypted to remove risk of ownership. Being able to configure reports around the scanned data and controlling access to the metadata brought about from the discovery scans is crucial for engaging multiple parties within M&A projects.
Effectively Evaluate PII as a Part of Due Diligence
Recently, a global technology client introduced Dataguise to an internal M&A team in order to complete accurate assessments and diligence that are key to the company’s ability to audit data that will be changing ownership. The firm routinely engages with prospective companies to determine which ones will fit their company’s portfolios and growth strategies. But the wide horizon and scope of potential data environments outpace their own capability to discover sensitive data.
To meet data compliance with multiple regulations such as GDPR and CCPA, M&A-driven companies need versatile and precise software to discover the targets’ personal data. In this particular case, the customer is also bringing stark challenges of backward compatibility with some target companies’ legacy systems, requiring a broad range of platform support beyond what they normally use in terms of cloud and data lakes.
Does Your M&A Process Incorporate Data Compliance?
Accurately valuating a potential acquisition’s Return on Assets (ROA) is a key challenge for any M&A deal. Only after PII is audited and reported can M&A teams properly evaluate the ROA of a target company against whatever risks owning their data carries.