Data Security and M&A Due Diligence: Lessons From Marriott/Starwood
In September 2016, Marriott International, Inc. bought Starwood Hotels & Resorts Worldwide, Inc. The acquisition was approved by the shareholders of each company. Starwood shareholders received 0.8 shares of Marriott including $21 per share of Starwood common stock. In the last couple of years, Marriott has been slowly integrating Starwood into its larger business operations.
At the end of November 2018, it was announced that there had been an ongoing breach of the Starwood databases going back to 2014. The data exfiltrated includes travel details such as arrival and departure information, personal addresses, email addresses, dates of birth, passport numbers, and credit card data. The breach affects 500 million customers worldwide. According to reports, data security experts assert that defects in Starwood’s database and network security allowed attackers to access the information. The security defects should have been caught as early as 2014.
The Marriott/Starwood case offers yet another example of why cybersecurity must be part of any merger and acquisition due diligence, particularly with an M&A of this size. If your company is considering an M&A, you need an experienced San Diego corporate attorney to help. According to the security experts, the Starwood network security weaknesses were of a kind that should have been easily uncovered had sufficient attention been paid to the issue leading up to the merger in 2016.
This will be a very costly breach. Marriott has already offered to pay the cost of credit reports (which tend to cost around $20 each) and the cost of obtaining new passports. Multiplied by 500 million customers, this is an enormous cost that Marriott could have avoided with sufficient and adequate due diligence. In addition, a class action lawsuit has already been filed and governmental investigations will start soon. Starwood is international, so many governments will become involved. If the data breaches were known prior to the sale in 2016, the Securities and Exchange Commission might investigate, since data breaches are now part of what must be disclosed in securities transactions.
Cybersecurity risks are not usually severe enough to kill off an M&A, but known risks and data breaches certainly affect the acquisition price and, potentially, other aspects of the deal. The price “paid” by Marriott for Starwood is now going to vastly increase to include the costs of credit reports, lawsuits, legal fees, settlements and judgments, public relations damage, the cost of governmental investigations, and more. Aside from helping to verify the value being paid, due diligence that uncovers security breaches and/or risks can trigger technological alternatives that can potentially quarantine the damage. For Marriott/Starwood, no doubt the customer data was a valuable part of the deal. However, technologically speaking, had breaches been discovered in 2015-2016, the data might have been transferred without the potential of infecting the wider networks and computer systems of Marriott. That is actually the larger danger now.
In terms of drafting M&A purchase contracts, several steps are recommended, including:
- Data and network security should be specifically included as due diligence items
- The acquiring business should control the due diligence investigation into the cybersecurity issues, but the target should pay
- Consummation should be conditioned on a clean bill of health with respect to cybersecurity or, at minimum, price adjustments should be provided for a less-than-clean bill of health
- Holdbacks and clawback provisions should be considered as high as 5-10% — the price paid by Marriott for Starwood was $13 billion and the breach will likely cost Marriott at least $500 million
Contact San Diego Corporate Law Today
If you would like more information about M&As and proper due diligence, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard’s law practice is focused on business, transactional, and corporate matters, and he proudly provides legal services to business owners in San Diego and the surrounding communities.