Prior to any merger or acquisition, you must do your due diligence by analyzing the seller's security procedures. This means fully investigating the company for current breaches and other cybersecurity risks.
Wouldn't the company you're set to buy or take over have done this itself before entering into a merger or acquisition? Not always. In fact, several recent breaches were discovered during or after an acquisition.
Why It’s Important to Check
Recently, two mergers and acquisitions have made headlines because of data breaches. In both cases, breaches happened both before and after one company acquired the other. These cases have experts urging every company to make data security part of the screening process before taking over or merging with another business.
#1 – The Lakeland and Spectrum Health Merger
In 2018, Spectrum Health merged with Lakeland Health. What Spectrum Health didn't closely investigate was that Lakeland Health used a billing service that had been breached. In this initial breach, as many as 60,000 patient records were exposed. While it appeared Social Security numbers and other vital information weren't part of the breach, a second breach took place after the merger and 1,100 patients were affected.
Spectrum Health Lakeland had to pay for a year of Experian IdentityWorks coverage for each affected patient after the first breach. After the second, the company advised all patients to check their accounts and credit reports regularly.
#2 – The Marriott and Starwood Breach
After the merger between Marriott and Starwood took place, a huge breach was revealed. This was one of the biggest breaches with 500 million guests affected. For years, customer information had been taken from Starwood prior to the merger and from both companies after.
The information taken in the breach included passport numbers, contact information, names, and emails. Marriott also reports that encrypted credit/debit card information for 9.1 million customers was stolen, but no one knows whether the encryption key was stolen as well. An update to the company's press release adds that several thousand unencrypted credit card numbers were also taken.
It was determined that the Marriott Starwood breach started in 2014, two years before the merger, and wasn't found until 2018. The breach ran for four years before security systems detected it, and the merger process itself never surfaced it.
The 500 million users affected by the breach received emails telling them to change their password, check credit reports, and put credit freezes in place. A free year of web monitoring was offered. As of December 2018, two law firms had filed class action suits against Marriott.
Make Sure You Scrutinize Data Security Before a Merger or Acquisition
When you’re looking to acquire or merge with another business, it’s vital that you do a thorough cybersecurity assessment. Don’t agree to anything without asking these questions or demanding to see more information.
How Much Do You Budget for Security?
Every company should have money budgeted for security. Find out what they have budgeted and who is responsible for maintaining and auditing security practices. If there is no dedicated employee, find out why.
How Do You Track What Apps and Software Your Employees Use?
The company should know what software and apps are installed on workers' computers. If they're letting employees install things without any scrutiny, there's a problem. Even with up-to-date malware and virus protection, software installed without review on a networked computer is a risk.
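One concrete way to answer this question during due diligence is to reconcile the target company's endpoint software inventory against an approved-software baseline. The following Python script is an added example, not code from the original post or from ERI; the inventory rows, host names, package names, and the approved and required sets are all constructed for illustration and would be replaced by the target's real export and policy.

```python
"""Reconcile a software inventory export against an approved-software baseline.

Flags two due-diligence findings per host:
  * unapproved software installed (no review process, or the process is ignored)
  * a required control (e.g. endpoint protection) missing from the host
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (host, user, package, version).
# Host names and package names are made up for this example.
INVENTORY_CSV = """\
host,user,package,version
laptop-017,jsmith,Microsoft Office,16.0.1
laptop-017,jsmith,Endpoint Protection,7.2
laptop-017,jsmith,FreeTorrentTool,1.4
laptop-023,aperez,Microsoft Office,16.0.1
laptop-023,aperez,Endpoint Protection,7.2
laptop-031,kwong,Microsoft Office ,16.0.1
laptop-031,kwong,RemoteDesktopFree,2.0
"""

# Hypothetical policy: what may be installed, and what must be present on every host.
APPROVED = {"Microsoft Office", "Endpoint Protection", "Chrome"}
REQUIRED = {"Endpoint Protection"}


def parse_inventory(text):
    """Parse a CSV export with host,user,package,version columns into row dicts."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        # Normalise stray whitespace so 'Microsoft Office ' still matches the baseline.
        rows.append({key: (value or "").strip() for key, value in row.items()})
    return rows


def reconcile(rows, approved, required):
    """Return per-host lists of unapproved packages and missing required packages."""
    installed = defaultdict(set)
    for row in rows:
        installed[row["host"]].add(row["package"])

    unapproved = {}
    missing_required = {}
    for host in sorted(installed):
        extra = sorted(installed[host] - approved)
        if extra:
            unapproved[host] = extra
        gap = sorted(required - installed[host])
        if gap:
            missing_required[host] = gap
    return {"unapproved": unapproved, "missing_required": missing_required}


def report(result):
    """Human-readable findings, suitable for a due-diligence working paper."""
    lines = []
    for host, pkgs in result["unapproved"].items():
        lines.append(f"{host}: unapproved software installed: {', '.join(pkgs)}")
    for host, pkgs in result["missing_required"].items():
        lines.append(f"{host}: required control missing: {', '.join(pkgs)}")
    return lines or ["no findings"]


if __name__ == "__main__":
    findings = reconcile(parse_inventory(INVENTORY_CSV), APPROVED, REQUIRED)
    print("\n".join(report(findings)))
```

Run against a real export, the size of the "unapproved" list tells you how much scrutiny installs actually receive, and any host in "missing_required" shows that the protection the seller describes is not deployed everywhere it should be.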
Find out whether the company has strict policies in place and runs annual cybersecurity training. Employees need to take measures to keep private information safe. In Massachusetts, a breach hit CommCorp when an employee fell for an email asking for the payroll data's encryption key. The employee believed the email really came from the CEO, but it didn't.
What Security Measures Do You Use?
You need to know what security practices the company uses. Find out whether they follow and/or are compliant with:
ISO 27001 – Information security management protocol that uses risk management to protect the information of IT systems, employees/customers, and processes.
NIST Cybersecurity Framework – A plan that helps with the protection of the company’s infrastructure. It’s not mandated, but companies can use it if desired to help protect themselves and their clients.
Sarbanes-Oxley – Only publicly-traded companies, some non-profit organizations, and certain private companies must be compliant with the Sarbanes-Oxley Act. This 2002 law created rules requiring auditing of accounting and other financial matters.
SOC 2 – Being compliant with SOC 2 means you have had your security system, privacy measures, processing, and IT evaluated to ensure their security.
Ask to see paperwork proving that they are compliant. If they cannot prove it, ask why. While you're doing that, ask to see the audit history. If they don't have one, it is often a sign that they're not doing as much as they should. In addition, you could be held liable if you didn't check compliance and a breach happens at a company you acquired or merged with.
How Do You Recycle Outdated or Broken Electronics?
The final, very important question to ask is how the company recycles outdated or broken electronics. If the company isn't using a certified IT and electronics asset disposition (ITAD) provider, it's a red flag. Printers, copiers, cellphones, fax machines, and computers all store information that could cause a lot of harm in the wrong hands, so you must find out what happens to the electronics that are replaced with newer equipment.
ERI Direct holds the highest possible certifications for ITAD. All eight facilities in the United States are e-Stewards, NAID, and R2 certified. Trust in ERI to destroy data and recycle electronics to keep information out of the hands of criminals and out of already crowded landfills. Contact Us to discuss your ITAD and data destruction needs.