Privacy Considerations During Mergers and Acquisitions

Author: Safia Kazi, CIPT
Date Published: 22 September 2022

When news was announced that Amazon acquired iRobot, the enterprise that makes Roomba robot vacuums, many privacy advocates expressed concern.1 Much of this concern stems from the fact that many Roomba vacuums map users’ homes,2 and those data, if combined with data Amazon has from its other products (e.g., Ring doorbells, Alexa devices), could reveal a significant amount of information about data subjects. Some commentators have gone so far as to say that Amazon purchased iRobot to see inside people’s homes.3

Regardless of Amazon’s intentions for purchasing iRobot, customers are understandably wary. This consumer concern should be top-of-mind for all enterprises considering an acquisition.

Mergers and acquisitions (M&As) are a way for organizations to gain additional value; however, care and thoughtful consideration need to be put into M&A activities. Many enterprises across a variety of industries experience cybersecurity issues after M&A activities, and some high-profile enterprises have decided not to acquire new organizations due to security and privacy-related concerns. For example, Facebook decided not to acquire Musical.ly, which became TikTok, largely due to privacy issues.4 These issues can cause enterprises to lose customer trust among other costs.

There are several privacy-related considerations that should be addressed before an M&A to protect customer privacy and maintain digital trust.

Evaluate Privacy and Security Posture

Any organization looking to merge with or acquire another organization must consider its privacy and security posture. Merging or adding entirely new data systems and processes could pose significant risk. Poor security and privacy practices reflect negatively on the organization that is acquiring those poor practices.

For example, consider the Marriott-Starwood breach that occurred in 2018. The hotel chain was breached, and it appears the failure originated with Starwood’s systems. Although the merger of Marriott and Starwood happened in 2016, Starwood continued using its own infrastructure and had not yet migrated to Marriott’s reservation system. The “bumpy transition associated with the Marriott-Starwood merger”5 was a factor in the breach. And though it was Starwood’s systems that were exploited, Marriott’s reputation was on the line, and it was ultimately accountable.

It is important to note that M&As result in organizations having more data and larger attack surfaces. An enterprise that is struggling with security and privacy must address these challenges before acquiring another organization, as problems will only be multiplied. Privacy and security professionals must understand their data protection postures and be able to candidly speak about any shortcomings with those leading M&A activities.

Consider the Implications of the Data Collected

One of the reasons that Amazon’s acquisition of iRobot caused so much concern is because of the amount of data Amazon amasses. Amazon’s Alexa smart assistant already collects voice recordings, browsing history and communication requests with contacts.6 Amazon’s Ring doorbell collects records of doorbell activity, including every time the bell is pressed and the motion the camera detects.7 This information, combined with information about the layout of a person’s home, might seem excessive.

This concern is not unique to Amazon. Most organizations collect a great deal of information about their data subjects. It is imperative that these organizations understand the vast amount of data they collect and consider the implications of having access to all those data and the conclusions that can be drawn from those data sets. For example, location data may reveal information about a person’s religion, health concerns and social circles. So, if an enterprise that sells wearable devices wants to acquire an enterprise that maps users’ runs and bike rides, it must consider the privacy risk that comes with collecting location data in addition to health-related data.

Enterprises should consider how to protect the vast amount of information they have, including understanding the sensitivity of the data and how to keep data secure. This may include keeping data separated and compartmentalized, as having all data in a centralized location makes it easier for a nefarious actor to exploit the data. For example, a robber who can access smart doorbell footage and learn the layout of a home can do more damage than if they are only able to access one of those data sets.

Be Transparent

A quick way to lose customer trust during M&A is to obfuscate or lie about M&A-related activities. Enterprises should be clear and upfront about the privacy implications of an acquisition and the ways that newly acquired data will be processed. In the days following Amazon’s announcement of the acquisition of iRobot, many privacy advocates called for transparency around if and how iRobot products would relate to other Amazon products.8

Customer unease is somewhat expected, and organizations should take steps to address it. This may include outreach via news interviews and social media or a frequently-asked-questions document posted on the organization’s website that answers questions about privacy, data processing and data collection practices in a simple, jargon-free manner. It is critical for organizations to be transparent about the type of data being collected and data subjects’ ability to control what is collected and shared. This empowers data subjects to make decisions that protect their privacy, and this control over data ultimately helps build trust between enterprises and consumers. This trust will help enterprises retain more customers and have a strong reputation.

Conclusion

Although M&As can give an organization a competitive advantage when done properly, when done poorly, they may result in privacy breaches and a loss of customer trust. Privacy professionals who understand their organization’s privacy posture should know the implications of the data they collect and encourage transparency to help their organization grow while protecting data subjects.

Endnotes

1 Johnson, K.; “The iRobot Deal Would Give Amazon Maps Inside Millions of Homes,” Wired, 5 August 2022
2 IRobot
3 Pattison Tuohy, J.; “Amazon Bought iRobot to See Inside Your Home,” The Verge, 5 August 2022
4 O’Brien, J.; “Recent M&A Deals That Imploded Over Cybersecurity,” Auth0, 25 March 2020
5 Fruhlinger, J.; “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?” CSO, 12 February 2020
6 Cohen, J.; “Amazon’s Alexa Collects More of Your Data Than Any Other Smart Assistant,” PC Mag, 30 March 2022
7 Burgess, M.; “All the Data Amazon’s Ring Cameras Collect About You,” Wired, 5 August 2022
8 Sevilla, G.; “Breaking Down Amazon’s Roomba Acquisition,” Insider Intelligence, 9 August 2022

Safia Kazi, CIPT

Is a privacy professional practices principal at ISACA®. In this role, Kazi focuses on the development of ISACA’s privacy-related resources, including books, white papers and review manuals. She has worked at ISACA for 8 years, previously working on the ISACA® Journal and developing the award-winning ISACA Podcast. In 2021, she was a recipient of the AM&P Network’s Emerging Leader award, which recognizes innovative association publishing professionals under the age of 35.