When acquiring a business, many clients ask whether due diligence is a necessary step. People often see skipping due diligence as a way of saving legal costs during the transaction, but there are pitfalls for the unwary, and in the current regulatory climate the consequences can be serious.
As a team of corporate and commercial lawyers, our advice is always that, whilst a buyer may have carried out preliminary investigations into a business prior to making an offer, there is no substitute for carrying out a full due diligence exercise.
A matter which has recently highlighted the importance of due diligence is the statement issued by the UK data protection authority, the Information Commissioner’s Office (ICO), stating that it intends to fine Marriott International Inc (Marriott) more than £99.2 million for infringing the General Data Protection Regulation (GDPR).
Marriott acquired Starwood Hotels (Starwood) in 2016 for around $13 billion. In November 2018 Marriott notified the ICO that, as a result of a cyber incident, the personal data in approximately 339 million guest records had been stolen. It was reported that approximately 30 million of the compromised records related to residents of 31 countries in the European Economic Area, with 7 million of those being UK residents.
It is understood that the cyber incident occurred as a result of Starwood’s guest management systems being compromised in 2014, two years before the sale to Marriott. Marriott however did not discover the incident until 2018. This suggests a lack of due diligence during the acquisition process.
The ICO has stated, following an extensive investigation, that Marriott failed to undertake sufficient due diligence at the time it acquired Starwood and that it should also have done more to secure its systems. The ICO has further commented that Marriott should have assessed what personal data had been acquired by Starwood and how that data was protected.
Whilst Marriott intends to appeal the fine, this matter highlights the importance of carrying out due diligence prior to completing an acquisition. The ICO can fine up to 4% of a company’s global annual revenue for a breach of GDPR, so this is a real risk which should have been investigated in this case.
If you are considering buying a business or if you would like to understand more about the due diligence process and how it can protect you, please speak to Emma Benniston in our Corporate & Commercial team. Contact her on 0121 716 3701 or firstname.lastname@example.org to hear how we make it happen.