Data Security and Acquisitions: Finding the Problem Before You Own It

When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon.

Don’t Acquire a Company Until You Evaluate Its Data Security

Extract from an article by Chirantan Chatterjee and D. Daniel Sokol as published by Harvard Business Review

In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality.  While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust.

So what to do about data lemons? You can simply make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon path and reduce the valuation post-acquisition. We propose a third option: due diligence not just on the financials of the target firm, but also its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.

Read the complete article at Don’t Acquire a Company Until You Evaluate Its Data Security

Additional Reading

Source: ComplexDiscovery