Marriott International Inc.'s disclosure last fall that it had inherited a massive data breach when it merged with Starwood Hotels & Resorts Worldwide in a $13.6 billion deal should've been a wake-up call from the front desk of cybersecurity and due diligence.  

But only for those who hit the snooze button as Verizon Communications Inc.'s merger with Yahoo Inc. was thrown into jeopardy in late 2016, when Yahoo revealed that about 500 million of its customer email accounts had been hacked.

The revelation knocked $350 million off the acquisition price and led to the resignation of Yahoo's general counsel, though the merger still closed.

The cyberattacks in the Marriott and Yahoo cases are believed to have occurred in 2014, meaning that it took years for both companies to bring the incidents to light, underscoring the difficulty of determining how and when breaches should be disclosed.

"You see companies struggling with this all the time," noted Ed Ryan, who served as Marriott's general counsel for more than a decade and retired in 2017, before the Starwood breach disclosure. 

"The pressure, on the one hand, is to say something right away, because you'll get faulted for not saying something right away even though you didn't know what you should be saying," he said. "But on the other hand, they don't want to go out and publicly say that we've been hacked when they don't really know what happened. 

"You could be building a fire where there is no fire," he added.

As companies collect and process more data than ever before, they face ever-increasing breach risks, especially during mergers and acquisitions, when firms tend to be at their most vulnerable to cyberattacks. 

To mitigate risk, in-house leaders and executives should be prepared to answer three key questions before and after a breach is suspected during an M&A deal. 


What Are the Potential Risks?

A primary role of the legal department is to understand thoroughly the nature and volume of regulated or sensitive data that will be flowing into the company, according to Brian Vecci, the field chief technology officer for New York-based software company Varonis Systems. 

"Most companies don't really understand the risks that they're undertaking, which is why these data breaches take them by surprise," he said. 

Vecci added the "really smart companies are doing detailed air-gap risk assessments of the systems and data of an acquisition target before they ever connect any devices to their network."

Risk assessments also should consider how often a target company reviews the security of its data and, of course, whether it has experienced a prior breach or regulatory incident. If questions or doubts arise, the acquiring company might want to establish a reserve fund in case of litigation. 

Companies also need to look within and fully consider the potential insider threats that they face during M&A deals. 

"There are lots of moving parts and you lose a lot of visibility. And there are lots of opportunities for insiders to walk off with data, to walk off with valuable information, or just to cause havoc," Vecci said. "We see that kind of thing happening more and more."


When Did the Breach Occur?

Regulators at the state and federal levels are placing more emphasis on when a company confirmed the existence of a data breach, according to former federal cybercrime prosecutor Mark Krotoski, now a partner at Morgan, Lewis & Bockius. 

Krotoski, whose specialties include cybersecurity and privacy, added the timeliness of a breach notification also "has become more of an issue with regulators over the last several years." 

"That is something that is paramount now," he added. 

Making matters more difficult: Notification requirements and deadlines vary by state, and the clock typically starts when the company determines that a breach occurred, which is why the confirmation date matters so much. Colorado and Florida, for instance, have a 30-day notification period for residents. Other states have a 45-day deadline, including Arizona, Maryland, New Mexico, Ohio, Oregon, Rhode Island and Vermont. In Delaware, Louisiana and South Dakota, the notification period is 60 days.

Other states, including New York, require notification "without unreasonable delay." But if the company falls under the jurisdiction of the New York State Department of Financial Services, which regulates an array of domestic and foreign financial services businesses that are licensed to operate in New York, the window for notifying the regulator itself is a mere 72 hours, separate from and in addition to any notice owed to affected residents.

"You have to manage it [disclosure] by prioritizing which ones have the first deadlines and then hopefully you can learn everything about the incident so you can notify everyone in all the jurisdictions at the same time," Krotoski said. 

"This patchwork of standards has become, in my view, unnecessarily complex, cumbersome and costly," he added. "The remedy is uniform standards. And one way of doing that is to have a federal standard that would apply consistently." 


What Was Accessed or Stolen?

Determining what attackers saw, and confirming whether they actually exfiltrated sensitive information, is a critical but difficult task that typically requires the help of information technology and forensic specialists. 

"Sometimes the technical parts of it quickly overwhelm what most lawyers know about breaches and how breaches occur and getting down into the depths of what was stolen and who's affected," said Ryan, the retired Marriott general counsel. 

"The crossover between those who are legally trained and those who are technically trained is pretty small. So the law department has to rely a whole lot on the IT department to explain what happened and what was affected," he added. "They have to be able to speak the same language, which is part of the challenge sometimes." 

Knowing what data was compromised allows the legal department to determine the scope of potential liability. Some jurisdictions require breach plaintiffs to show that the incident resulted in actual harm, not merely the potential for harm, Krotoski noted. 

"We've had financial services companies that inadvertently sent Excel spreadsheets with taxpayer IDs or Social Security numbers to the wrong email address," he said. "That was an unauthorized disclosure. But if you're able to immediately contain and delete the data and get verification of that, that shows that it was not used and there would be no harm."

As the first anniversary of its breach disclosure approaches, Marriott is banking on the no-harm argument, which has become a go-to defense in data breach litigation, as it seeks dismissal of a consumer class action over the exposure of personal information belonging to as many as 383 million guests. 

The company argued in a motion filed in September that the plaintiffs had failed to allege or show that hackers misused the data, which includes a trove of credit and debit card numbers and passport numbers.
