The Office of the Privacy Commissioner of Canada (“OPC”) recently published its Report of Findings #2022-005 addressing the due diligence undertaken by a global hotel chain (“Buyer”) when it acquired another hotel chain, where the acquired entity (“Seller”) had been the victim of a data breach that spanned four years, and was detected by the Buyer two years after the acquisition closed.
The OPC made it clear: upon acquiring an entity, a buyer receives control and responsibility of the network, and any data (including personal information) passing through those networks. It is the buyer who is responsible under privacy law, even where the incident occurred prior to the acquisition.
Our discussion in this post highlights the Buyer’s acquisition of the Seller and its consequent takeover of its data security liabilities. Specifically, we look at the various contexts in which the exercise and implementation of accountability practices are pivotal in preventing breaches, but also limiting liability after an acquisition. Although the OPC recognized various measures that the Buyer had taken to prevent or reduce the risks of these breaches, it also highlighted various practices that companies in mergers or acquisitions should implement.
1. The breach, subsequent acquisition, and OPC investigation
On November 30, 2018, the Buyer announced a data security breach involving unauthorized access to the database of the Seller, a hospitality company the Buyer had acquired in 2016. The breach started in 2014 and spanned over four years, to 2018, two years after the acquisition. The Buyer reported the privacy breach to the OPC on November 30, 2018, stating that an attacker obtained access to personal information, such as guest profiles, contact and passport details, comprising about 339 million records, about 12.8 million of which were records of guests with Canadian addresses.
As such, the OPC investigated the Canadian subsidiary of the Buyer, its primary operating company for Canadian hotels. The investigation looked into the Buyer’s:
- Information security safeguards as per Principle 4.7 of the Personal Information Protection and Electronic Documents Act (the “PIPEDA”);
- Information retention practices as per Principle 4.5 of the PIPEDA;
- Notification to affected individuals and mitigation measures as per Principle 4.7 of the PIPEDA; and
- Accountability measures related to the implementation of practices and policies to ensure the protection of personal information as per Principle 4.1.4 of the PIPEDA.
(a) Buyer safeguards and detection inadequate
The Buyer’s internal investigation uncovered that the attacker gained remote access into the Seller’s network, which allowed for the installation of malicious tools. The attacker was able to bypass the protection measures that the Buyer had implemented, such as access control lists, username and password controls, anti-virus software, multi-factor authentication, monitoring tools, and a centralized security control center.
The OPC concluded that while the Buyer had implemented various safeguards, these measures did not prevent the attacker from overcoming them, and the Buyer failed to detect the attacker’s activities in a timely way. While some of the information affected by the breach was considered less sensitive on its own (i.e. contact phone and address details, “preferred guest” account information, date of birth), the OPC found that the records overall had a higher level of sensitivity if and when combined with sensitive information such as a government identifier (i.e. passport number) or financially related information (i.e. encrypted payment card numbers and expiration dates). Having found the information to be sensitive, the OPC expected a higher level of safeguards.
The OPC identified various security tools that would have helped the Buyer identify the breach sooner and protect personal information, particularly with regard to access controls, anti-virus software, logging and monitoring, and information storage:
- The complete implementation and usage of multi-factor authentication for anyone requiring access to the Seller’s Cardholder Data Environment (“CDE”) via internal administrative accounts
- The installation and active updates of anti-virus software in conjunction with additional layers of security, such as binary and application whitelisting or sandboxing technology to protect against viruses and malware.
- The implementation of a Security Incident and Event Management (“SIEM”) system to ensure timely detection of suspicious activity. A SIEM system actively responds to threats and may allow companies to identify the direct cause. Active monitoring and audits of privileged or administrator accounts will ultimately better identify suspicious activities.
- The use of encryption, anonymization, or the removal of sensitive personal information to reduce likelihood or scale of a privacy breach.
- Archiving all firewall event logs for a minimum of twelve months
(b) Over-retention of personal information
As part of its investigation, the OPC found that some of the records involved in the breach were 16-year-old records at the time the breach was detected. The Buyer’s retention policy – which was to keep records for 10 years – aligned with its requirements under tax legislation and applicable limitation acts. However, the OPC found that the bulk of the records containing personal information were being retained for a period significantly longer than was necessary in light of the purposes for the collection. Consequently, this increased not only the volume of records breached but also the company’s liability concerning these records.
Although there may be no “one size fits all” retention period, the OPC recommended that companies consider the following factors when assessing an appropriate retention period:
- The purpose for having collected the personal information in the first place.
- If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter, or a reasonable amount of time to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision.
- If retaining personal information any longer would result in a prejudice for the concerned individual, or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it.
(c) Notification to affected individuals adequate, but further mitigation required
The Buyer notified affected individuals via email and press release and took mitigation measures to curtail unauthorized use of personal information following the breach (including providing free Web monitoring services, notifying its payment card network providers, and setting up a dedicated call centre).
Despite these steps, and despite the fact that the Buyer indicated that no affected individual had actually demonstrated that their passports were used fraudulently, and that there had been no substantiated claim of financial loss or other evidence of phishing or other misuse arising from personal information potentially accessed in this incident, the OPC found “the combination of the compromised personal information in this breach introduce a real risk of harm through identity theft or phishing attacks that could lead to fraudulent activities for records in which numerous data elements were present.”
As a result, the OPC noted that additional steps should have been taken to prevent future harm, including credit monitoring services, which it would expect the organization to offer “for an extended period” (although it did find the offer of one year of Web monitoring “minimally sufficient”).
(d) Ongoing assessment and accountability measures required during and following an acquisition
The Buyer’s acquisition of the Seller in 2016 gave it full control and responsibility of the Seller’s systems and database. As such, the Buyer became the entity accountable for compliance with privacy law, including the protection of personal information. As part of its due diligence, the Buyer conducted meetings with the Seller’s IT employees, and relied on the Seller’s IT vendors and third party assessments of the Seller’s systems to test compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). These processes allowed the Buyer to detect issues with the Seller’s systems and to improve security management, segmentation and data classification, threat intelligence, identity and access management, and incident and crisis management.
While the Buyer conducted various assessments to ensure compliance with data security and privacy standards, the OPC was not completely satisfied with its approach. The OPC mentioned that the company should have conducted ongoing assessments and monitoring to ensure that periodic and effective revisions were made, and to avoid gaps in security. For instance, the Buyer received reports from two independent security assessors in 2015, 2016, and 2017, and confirmations from the Seller’s employees, that the Seller had the necessary measures, such as multi-factor authentication, in place to operate its CDE in compliance with PCI DSS. However, the Buyer discovered while investigating the breach in 2018 that multi-factor authentication had not been fully implemented before its acquisition of the Seller. In other words, several administrative accounts and systems with access to the CDE did not have multi-factor authentication enabled, which allowed the attacker to use these unprotected accounts. Therefore, the OPC was clear that, though security measures may have existed, it is the proper implementation, identification of warnings, and continuous updates and reviews that ensure their effectiveness. This ongoing review was the responsibility of the Buyer.
2. Best practices
Best practices in M&A transactions with regards to privacy and security occur throughout the transaction, from the early discussions to post-closing:
Enhanced due diligence process
A potential buyer will be interested in better understanding the seller’s business and operations, including the state of its technology, systems, information practices, employee and customer base, processes regarding third party management, and financials.
As mentioned, the Buyer had performed due diligence as part of their acquisition. For instance, they analyzed the Seller’s network such as its IT security measures, met with the Seller’s IT employees to confirm the implementation of such systems, and relied on evaluations of the Seller’s IT security by the Seller’s IT vendors and independent third parties.
In addition to suggestions made by the OPC above, buyers should assess the target company’s:
- actual privacy and security practices, as well as documented policies regarding the same, and identify any deviation from the policies
- retention policies, and actual practices with respect to retention (consider spot audits)
- history of actual or suspected data breaches and reports of incidents to any regulator, government agency, or department
Verification of claims made in due diligence
As seen in this incident, though the Buyer conducted a due diligence process, the OPC further recommended additional levels of testing and monitoring (e.g. network testing, audits against recognized industry standards, security assessments or threat risk analysis to identify compromised assets and the measures that an organization needs to take), in order to substantiate any claim made by the target company. This suggests that reliance by the Buyer on the bald claims of the Seller will not be acceptable, and something more may be required. This enhanced due diligence process may involve collecting information through standard procedures such as interviewing key contacts in an organization, or bringing in a third-party specialist to conduct an assessment.
Counsel in M&A transactions will need to consider the additional time and cost this may require, especially in a data-heavy transaction (e.g., retail or hospitality sectors). Sellers anxious to close may want to consider conducting independent third party audits in advance of any sale, allowing them to clean house and support any due diligence claims (including reps and warranties).
Pre-diligence information sharing precautions
Finally, prior to sharing any personal information as part of the due diligence, and if it intends to rely on the PIPEDA exemption from having to obtain consent from data subjects, the seller must ensure that a written agreement is in place in which the organization receiving the personal information undertakes to use the information only for the purpose of completing the commercial transaction and not to communicate the information without the individual’s consent unless authorized by law. The receiving organization must also agree to take the necessary measures to ensure the protection of the confidentiality of the information, such as by transferring it by secure means, and to destroy the information if the commercial transaction is not completed or if its use is no longer necessary.
Allocating risk as part of preparation and negotiation of the purchase agreement
Once the analysis and due diligence is complete, the purchase agreement should be drafted to reflect such risks or benefits. For instance, if the assessments conducted in prior stages of the transaction revealed critical issues with privacy systems or processes, the buyer may negotiate a lower purchase price to account for costs associated with the implementation of additional security measures and the additional level of risk. Alternatively, the buyer could negotiate a holdback on the purchase price payable to cover security or privacy remediation costs post-acquisition. In addition, the buyer may include a representations and warranties clause in reference to compliance with privacy and data protection requirements. This may include clauses that refer to, namely:
- Compliance with applicable laws, rules, policies, and procedures relating to privacy, data protection, and the collection, use, storage, and disposal of personal data;
- No history of breaches or claims/litigation related to privacy and security;
- Security measures in place or certification of compliance with recognized standards;
- Transaction compliance; or
- Training of employees on data breaches and privacy and cybersecurity measures.
A buyer may also include an indemnity clause for claims that arise due to the seller’s non-compliance with applicable legislation or with any disclosure made during the diligence process, to allow the buyer to recover losses associated with breaches of these representations and warranties.
On the other hand, sellers may review the compliance status of their internal privacy policies during negotiation. Doing so may involve evaluations of IT systems, cybersecurity measures, and data holdings. In doing so, sellers may identify potential issues or problem areas, develop logs of breaches and monitoring, and limit some of the representations and warranties to avoid liability post-acquisition.
Post-closing activities: assessing and re-assessing
As seen here, privacy due diligence activities continue post-closing. The buyer should work with counsel to devise a post-closing evaluation and implementation strategy to ensure that personal information is secure, and that safeguards and software are continuously implemented, assessed and tested to prevent future risk and reduce potential impact.
The author would like to thank Jaime Hwang, an articling student in Dentons’ Ottawa office, for her assistance in writing this article.
If you have any questions about M&A transactions and privacy due diligence or any other aspects, please contact Kirsten Thompson and Sasha Coutu at Dentons Canada LLP.
For more information about Dentons’ data expertise and how we can help, please see our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.