The year 2020 has witnessed significant events which have resulted in a number of business disruptions. Globally, the COVID-19 pandemic has negatively impacted, particularly, those in the travel and hospitality, energy, manufacturing and trade industries. In Nigeria, for example, domestic and international economic activities significantly slowed down due to the nationwide lockdown aimed at containing the COVID-19 pandemic.
Based on the National Bureau of Statistics' Gross Domestic Product (GDP) Report for third quarter, 2020, Nigeria is officially in a recession and as a response to this and the overall business challenges occasioned by COVID-19, we are likely to see an increase in corporate restructuring arrangements (such as mergers, acquisitions, divestitures etc.) in the mid to long term as businesses consider options to be more efficient and manage the fallouts of the pandemic.
Additionally, there is likely to be regulatory action such as the ongoing recapitalization exercise in the insurance industry (which has been extended to September 2021 due to the effect of COVID-19 on businesses). In this regard, it is expected that many insurance companies will have to resort to corporate restructuring arrangements in order to meet their capital requirements. Given current realities, this approach may also be adopted in other sectors as the effects of COVID-19 become clearer and we are likely to see an increase in the number and scope of mergers, acquisitions and other business restructuring options. In carrying out a business restructuring, a key component of the transaction will normally be the conduct of a due diligence exercise on the target entity.
Most due diligence reviews traditionally focus on the legal, financial and tax status of the target business. However, with the increasing focus on data privacy and protection globally and in Nigeria, the failure of a target entity to comply with its data privacy obligations may pose significant risks to the investor and the transaction could easily become the buyer's/investor's worst nightmare, where a data breach incident is identified post-acquisition.
Consequently, it is important for investors to begin to undertake data privacy and protection due diligence on target businesses in order to avoid exposure in this regard. This piece examines the importance of data protection due diligence and the key considerations that a buyer/investor should focus on before consummating the transaction.
Key Considerations in Minimizing Data Protection Risks in a Corporate Restructuring Transaction
The Nigeria Data Protection Regulation (NDPR) which was released in January 2019 introduced major compliance obligations on Nigerian companies across all sectors, including audit checks, publication of data protection policies, filing of audit reports amongst others, and also significant penalties of up to 2% of annual gross revenue for breach of privacy rights.
Where a deal is structured as a merger or share acquisition transaction, the buyer assumes the target's assets and past liabilities, including any privacy related obligations. Therefore, failure to adequately identify and address privacy issues before closing a deal could expose the buyer to adverse consequences. For example, the United Kingdom's Information Commissioner's Office (ICO) fined Marriott £18.4 million for a data breach that occurred in 2014, two years prior to its acquisition of Starwood Hotels.
Starwood had suffered a cyber-attack prior to its acquisition by Marriott in 2016, which was not detected or disclosed to the ICO and Marriott also failed to identify this before the acquisition and put in place any measures to protect the personal data of data subjects, which continued to be compromised even after the acquisition. On the other hand, Verizon, in 2017, discovered multiple massive data breach incidents just before it completed the acquisition of Yahoo and this discovery reduced the purchase price paid by Verizon by a whopping $350 million.
Given the examples of deals that have gone wrong or been impacted by privacy related concerns, we have highlighted some key considerations that buyers / investors need to focus on in order to mitigate data privacy risks prior to completing a deal.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.