By: Leonardo Neri

A merger and acquisition (M&A) operation represents the business pinnacle of the capitalist system, as it portrays the success in creating value by two companies in the market, one that achieves success in implementing an idea and is acquired by another that has greater financial volume and, therefore, will be willing to expand its horizons to new commercial segments.

However, what is not widely discussed in this type of corporate transaction is the importance of the issue of privacy and data protection in operations, a point that has already become the main topic in international acquisitions, due to the financial impact arising from new legislation.

After the conclusion of an M&A, all hidden liabilities are assumed due to the business succession. Therefore, the injured party will have the right to recourse for compensation purposes.

The phase called Due diligence It is essential for the success of the operation and must be carried out appropriately, with the aim of mitigating risks for the target company and the acquirer.

An interesting practical case that occurred outside Brazil that illustrates the economic losses that may be involved in a transaction tainted by the investigation of irregular contingency of privacy and data protection rules, occurred in the acquisition of Marriott over the network Starwood in 2016.

In July 2019 the Marriott was fined (USD 123.7 million) for failure to due diligence. In other words, it was found that there was no verification of security vulnerabilities in the reservation systems.

This fact was identified in 2018, after a cyber attack that exposed 339 million hotel guest records.

Thus, it can be seen that monitoring data protection and information security compliance is already one of the most important elements in an M&A, especially those involving the acquisition of innovative companies that have been standing out the most in the post-pandemic market.