When a company decides to invest in or acquire another business, it does extensive checking into what precisely it is buying. This can range from counting the towels and silverware owned by a hotel chain to calculating the validity and future value of a customer list. Lawyers call this “due diligence” and it is an exhaustive process that can take weeks, even months, to complete before a deal closes.
But two things often get overlooked in the process: (i) what data security protection is in place; and (ii) are the licenses valid for the software the target company uses?
These days, data protection and software licenses are a big deal – and overlooking them during the M&A process can be costly.
For instance, when Marriott International acquired Starwood a few years ago, Marriott didn’t think to examine whether Starwood’s vast database of 500-million customers – including credit card details – had been breached. Yet the leak had been going on for years. As a result, Marriott was fined nearly $1-billion under the European Union’s General Data Protection Regulation, adding to the $13.6-billion acquisition price.
Data Lemons
UC-Berkeley economist and Nobel Laureate George Akerlof won his prize in 2001 for a landmark study on the role of asymmetric information in the market for used cars that are “lemons.” He showed how markets do not function properly when buyers and sellers operate under different information.
There can be data lemons as well, as the Harvard Business Review observed in an April 2019 article.
When the buyer of a business doesn’t seek enough information about the target’s data privacy and security compliance, or does not check software licenses, it can be acquiring a data lemon that can lead to fines, major damage to the brand and a loss of trust by customers.
This includes examining things such as the target’s use of open source software (OSS), as Tesla discovered to its embarrassment. Although OSS is generally “free,” the license typically requires the user to meet the developer’s terms and conditions, such as providing the source code of the software product that incorporates the open source software.
So, for example, roughly 65-percent of open source code available on SourceForge requires that anything built on that platform be redistributed free to the public. If the target company has not done this, the acquirer may find itself in court facing a lawsuit for violating the terms of use.
Unless this is part of the due diligence effort, there can be legal as well as public relations nightmares.
ERP Imperative
This detailed fact-checking is especially important when buying a business that has an ERP software system, as a growing number of companies do, especially if they are in the business of manufacturing a product.
Surprisingly, relatively few acquirers – especially hedge funds and private equity funds – do this. They look at almost everything else they are buying but, for whatever reason, do not take a deep dive into the ERP software system that often fuels the engine of the business.
They likely review the contract with a vendor and integrator. But they seldom go much further than that, for example by asking a security consultant to see if the data stored in the ERP software system has been breached. At the same time, they need to examine whether there are issues with the licenses and other related agreements.
Moreover, since so many ERP installations go off the rails, the buyer of a company that is in the midst of upgrading a legacy system or installing a new one needs to look closely at any open issues that may derail the project after they own the business. Failing to do so can be an incredibly expensive mistake.
Ounces of Prevention
Making a major investment in buying a company is a carefully calculated risk. To improve the odds of the acquisition being successful, it is vital to review things that are not always part of the due diligence effort.
Especially when the target company relies on complex and expensive software systems, it is incumbent on the buyer to do more than count the knives in storage rooms to know precisely what they are getting.
As a lawyer whose practice focuses on both ERP software systems and data security and privacy, I tell clients we need to examine everything, including projects still under development, the security of the data they will own and control, and the validity of the licenses they will be acquiring.
If you have any questions, please feel free to give me a call or send an email to me. I’ll be happy to answer them and help you ensure that you are not at risk of buying a “data lemon.”