In a statement that is sure to affect any acquisition involving data assets subject to GDPR, the Information Commissioners Office (ICO), the UK’s independent body set up to uphold information rights, appears to have greatly increased an acquirer’s risk of suffering successor liability.
Information Commissioner Elizabeth Denham just announced the ICO’s intention to fine Marriott International, Inc. almost $125 MM for a data breach that occurred at Starwood Hotels Group, which Marriott acquired in 2016. That was two years before Marriott acquired Starwood and that breach wasn’t discovered until two years after the acquisition.
Citing Marriott for a failure to conduct “proper” due diligence, Commissioner Denham said that she would not hesitate to take “strong action” to protect the rights of the public:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
We don’t yet know the facts upon which the ICO acted and Marriott has indicated that it intends to “respond and vigorously defend its position.” What we do know is that our clients should take heed of the many ways that this potentially groundbreaking action may affect acquisitions involving data assets subject to GDPR.
For a start, what is “proper” due diligence? In this case, what we know is that the breach occurred well before the acquisition and wasn’t discovered until well after it closed. In such a situation, standard representations, warranties, and indemnities could well have proved useless to the acquirer. Insurance might be unavailing as well because there may have been no breach of applicable reps. Purchase price holdbacks and escrows could well have expired as well.