M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition,  and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.  If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozens of cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.