researchHQ’s Key Takeaways:
- In today’s regulatory environment. poor cybersecurity or data privacy practices are frequently deal-breakers in M&A transactions.
- Facebook chose not to acquire a predecessor to TikTok partially because of concerns of American laws governing child internet privacy.
- Verizon’s acquisition of Yahoo was heavily affected in terms of purchase price due to two separate data breaches suffered by Yahoo.
- After acquiring Starwood, Marriott struggled to integrate software from both companies together, eventually leading to a hefty fine after Starwood suffered a major data breach.
Merger and acquisition (M&A) deals can take years to put together, and they involve hundreds of moving parts, but it takes only one faulty element to turn a deal from a success story to a cautionary tale — especially if that element is cybersecurity.
According to one survey by Forescout Technologies, 53% of respondents reported that their organization had encountered a critical cybersecurity issue during an M&A deal that put the deal into jeopardy, and 65% of respondents experienced regret after closing a deal because of cybersecurity concerns.
In the current regulatory environment, with the passage of the GDPR and the CCPA, and with more data privacy laws in the works, cybersecurity, and data privacy have become crucial elements of pre-M&A due diligence. If an acquiring company doesn’t like what they find, they may walk away from the deal or later wish they had.
Here, let’s go over three recent M&A transactions that never got off the ground or whose deal value was severely undermined by data security issues.
Facebook Walks Away From Tiktok’s Forebear
Fortune reports that in 2016, Facebook spent months considering a possible acquisition of Musical.ly, which later became TikTok, the massively popular video app. Facebook passed on the deal because of two concerns: the app was based in China, and its predominately underage user base would likely run afoul of American laws governing child internet privacy.
After Facebook opted out, Musical.ly went on to be acquired by Beijing-based startup ByteDance for $1 billion. Today, TikTok is a runaway hit with over a billion active users, but it’s grappling with the same cybersecurity issues that made Facebook walk away, and those may even threaten ByteDance’s acquisition.
In November 2019, Reuters reported that ByteDance was being investigated by the Committee on Foreign Investment in the United States (CFIUS) because of national security concerns. Apparently, lawmakers were alarmed by reports from TikTok employees that their bosses in China compelled them to censor videos, including political content. There were also concerns about the security of the app’s data on U.S. users, and in December, ByteDance was hit with a class-action lawsuit in California. The suit claims that TikTok collects and stores “vast quantities” of user information without consent and then sends that data to servers in China, in violation of multiple laws.
ByteDance has attempted to address these concerns by fencing off its U.S. operations from China, but if they fail to convince CFIUS, the committee may force ByteDance to divest from its holdings of Musical.ly, effectively reversing the acquisition. It wouldn’t be the first time CFIUS has intervened in M&A deals over data privacy concerns. In recent years, lawmakers have been vigilant about policing cross-border M&A deals, especially between tech companies.
In 2017, CFIUS refused to allow China’s Ant Financial to buy MoneyGram due to worries about the security of personally identifiable data of Americans, and last year, CFIUS forced Chinese company Kunlun Tech Co Ltd to sell the gay dating app Grindr. All of these stories point to the necessity of keeping data privacy top of mind when considering an international M&A deal, especially one with China.
Verizon’s Acquisition of Yahoo Unearths a Privacy Nightmare
In 2017, Verizon acquired Yahoo for $4.48 billion, but the deal almost fell through over two data-breach scandals that came to light in the midst of negotiations.
Yahoo revealed that they had suffered two separate data breaches, which they had not made public. In the first breach, a hacker stole the personal data of at least 500 million users, including some unencrypted passwords and answers to security questions. As TechCrunch reported at the time: “With the answers to security questions, a hacker could easily jump through a number of online forms to reset users’ passwords on sites where an additional means of account verification — like two-factor authentication — is not involved.”
In the second breach (widely reported to have been carried out by a state-sponsored actor), 1 billion accounts were compromised, and again personal information and login credentials were stolen.