Data is both a precious asset and a dangerous minefield for companies in the global business theatre. Smart operators take data compliance seriously, writes Leslie Zhang.
As more Chinese enterprises spread their operations globally, the control of data compliance risk is now a key corporate compliance task. The control of compliance risks can be viewed from two perspectives: the control of data compliance risks in transactions; and the control of data compliance risks in the course of operations.
Failure to control data compliance risk in a transaction can result in major losses. Take the Marriott Group breach as an example. In November 2018, the group announced that its Starwood guest reservation system had experienced a data breach, with the personal information of an estimated 500 million guests being accessed without authorization.
This meant that private information such as e-mails, accommodation data, bank card numbers, etc., was compromised. Marriott issued an announcement stating that it was assessing the impact, and expressing its apologies to its guests. Additionally, some class action lawyers announced lawsuits against Marriott, demanding compensation of as much as US$12.5 billion.
The cause of this data breach can be directly traced to Marriott’s acquisition of Starwood two years previously: in its due diligence for the transaction, Marriott failed to turn up the latent risk of a data breach. Accordingly, after completion of a transaction, this risk could cause the company to suffer a material loss. From a certain perspective, any acquired target company could harbour a data risk issue, with employee information, intellectual property, confidential business information, distributor and customer lists, etc., all being potentially vulnerable to a breach.
As can be seen, if such a risk event occurs, the damage and consequences can be extremely serious. In addition to investigations by government agencies, potential class action suits and engagement of outside experts to repair the system, the affected company faces management of a credibility crisis, the suspicion of partners, delays in operations, and other related issues.
A data compliance risk can also cause the seller losses. For example, in the transaction where Verizon acquired Yahoo’s core assets for US$4.8 billion, Yahoo disclosed, after announcement of the transaction, that it had in the past been the victim of data breaches on two occasions. This disclosure resulted in Verizon demanding a revision in the consideration of the transaction, and clear stipulation of future liability for those data breaches.
Notwithstanding the fact that Verizon had already demanded a downward revision of the price by US$350 million, Yahoo would still be liable for 50% of any third party claims lodged after closure of the deal. Accordingly, for both parties to a transaction, data compliance risks may impair value.
Risk control in acquisitions
For buyers involved in acquisitions, close attention needs to be paid to controlling the data compliance risk in the transaction, and there are several ways to achieve this. First, duly carry out data security related due diligence, with a focus on assessing lawfulness, the data compliance regime, risks, etc. Second, get a grip on the target company’s past data compliance situation, identifying the target company’s sensitive data and related data assets, and conducting an assessment of the key risk points. Third, identify the risks in the target company’s data security and risk control infrastructure, as well as routine operating rules and procedures. Finally, the buyer should insert appropriate IT experts into the transaction team, or even go as far as engaging external IT expert consultants, to complete the assessment of, and due diligence on, the target company’s entire data security and compliance risks, and take relevant remedial measures.
Chinese enterprises making overseas acquisitions should pay attention during the acquisition to the target company’s data compliance risks. This is of utmost importance for controlling transaction risks and realizing transaction objectives. It is worth noting that if, in the course of an overseas acquisition by a Chinese enterprise, the target enterprise is in possession of a large volume of sensitive data, the issue of government approval of the transaction may become much more difficult. The following examples are from recent overseas transactions of Chinese enterprises. Ant Financial’s acquisition of MoneyGram, a US online remittance service company, was blocked by the US government because of the large volume of users’ personal information and privacy data in the possession of the company. In October 2016, an agreement was reached for Oceanwide’s acquisition of Genworth, a US insurance company, but as at the time of writing the deal still had not closed, one of the major reasons being the large number of demands and protective measures raised by the regulator in respect of how Oceanwide is to ensure the security and privacy of the data of American consumers after the acquisition.
Accordingly, whether looked at from the perspective of controlling transaction risk or securing approval for the transaction, duly carrying out the work associated with data security and privacy protection is of utmost importance to the success of a transaction.
Risk control in normal operations
With the strengthening of legislation on, and law enforcement of, data security and privacy protection around the world, enterprises operating globally are becoming more vigilant with respect to the risks presented by data compliance.
Leslie Zhang is the vice president and general counsel at United Energy Group.