03. June 2021

Is Your Organization Legally at Risk for Data Breaches That Occurred Before a Merger?

Before merging with any company, it's important to audit their data security and ensure you won't wind up liable for their mistakes.

Mergers can help your organization fill in the missing pieces and become stronger. But if there are skeletons in the closet of the company you're looking to merge with or acquire, you could be inviting serious problems into your enterprise. You need to be on the lookout for data breaches in particular. Before merging with any company, you have to audit their data security and ensure you won't wind up liable for their mistakes.

The short answer is yes. You can be held liable for data breaches that occurred before a merger in certain circumstances. If the data breach has not been resolved and settled, then you may have to assume the legal consequences of a breach in progress. Worse yet, there may have been a breach that was completely undiscovered at the time of your merger. In that case, you'll absolutely be held responsible.

One exception is if your merger or acquisition was strictly an asset-based M&A. If all you do is acquire a company's assets and IP, only to liquidate the company, you may be able to dodge a data breach bullet. Dissolving a company can relieve you of any type of data breach legal requirements and responsibilities, as long as the company in question is not formally incorporated into yours.

But if you've acquired another company's stock, you also acquire their past. That means you also pick up their liabilities. That's why it's so important to know your data and that of the company you're looking to merge with. Without a proper data audit, you could be merging with a cancerous company. Consider just how bad the damage could be.

Understanding Your Liability

Each data breach is a unique situation. Some breaches may be minor, requiring no disclosure and minimal expenditure to resolve. However, breaches that involve consumers' personal information may have lingering consequences that require months or even years to clean up. Your liability in these situations depends on several factors.

The most important variable is what kind of data was breached. If the data contained personal identifying information, and some of that data included information about citizens from countries where data privacy laws have been enacted, then you will likely have to deal with fines from regulators. Lawsuits are also possible in these cases, depending on how negligent the company was in the matter.

Do you know what data your acquisition or merger partner holds? If not, you won't be able to determine what laws apply to you. For instance, breaches of Californians' personal information require penalties of at least $2,500 per record breached. A database of 50,000 customers, if stolen in its entirety, could set you back a whopping $250 million, and that's before even getting into the statutory damages that you have to pay directly to consumers.

Your Risk of Data Breaches Depends on the Status of the Breach

While the nature and extent of the breach determine how much damage it can cause, your risk as a merging or acquiring company depends on where in the breach response timeline the merger finds itself.

The timeline is fairly straightforward. First, a breach occurs, then it is detected, analyzed, and resolved. Finally, compensation to consumers and fines are settled. Consider how your risk changes through each step of the process.


If you're looking to merge with or acquire a company, the worst scenario for you is to complete the deal when there's been an undiscovered breach. Imagine completing the merger, only for your IT team to begin analyzing files and notice that something is amiss. You've essentially just bought a lemon.

If a breach has been discovered, but the full extent of it is unknown, it may be best to hold off on the merger. You won't have a clear idea of your potential liability until the breach has been analyzed.


As engineers work to determine how deep the damage goes, you'll be able to get a sharper picture of the potential liability. You may be able to use this to renegotiate the terms of your M&A. Once the dust has settled, you can continue with the process.


At this point, the breach has been quantified and damages are clear. You can make an informed and educated decision as to whether you should continue with your merger or not. You'll then want to take steps to ensure that both your company and your new partner protect their data. Automation will help you keep track of your files, know what data you have, and prevent breaches by limiting access as needed.

If you're looking to complete a merger, ask Aparavi for a data assessment of your target so that you can make sure you're not walking headfirst into trouble.