Hacking Prompts Focus on Target’s IT Security: Data thefts at prominent firms bring to light the need for deeper probing of IT protection systems

In recent months, data thefts have plagued ChoicePoint Inc., LexisNexis Group, Polo Ralph Lauren Corp., BJ’s Wholesale Club Inc., DSW Inc., Wachovia Corp., and Bank of America Corp. Hackers who breached computer systems pulled off the thefts at the retailers. In the case of ChoicePoint, criminals signed up as customers for credit reports and used the data for illegal purposes. LexisNexis cited third-party misuse of I.D.s and passwords from legitimate customers. And it appears that bank employees pilfered financial records at both Wachovia and Bank of America. The security breaches call attention to a vulnerability that needs to be addressed, and force would-be buyers to add yet another item to their diligence to-do list. Richard Fisher, a Partner at Morrison & Foerster and an expert in privacy and identity theft issues, recalls a phone call he received about seven or eight years ago in which someone asked for help with a privacy and data security due diligence project. “I thought it was my brother playing a joke on me. It was just so off the wall at the time. But now I assist people in this area all the time,” he says. Dealmakers note that until recently, protection against data theft has been a topic that has been lumped in with myriad other IT issues, and has not been getting the full attention it deserves. Daniel Karson, Executive Managing Director at Kroll Inc., agrees, adding, “Security of a database or potential of abuse has not been a focus area of M&A due diligence. Now all that has changed. Right now it is such a new issue that we haven’t seen deals in which that has been a focus, but I have no question it will emerge as such.” Especially since data thefts increase public concern about the security of their personal information, the reputational damage, not to mention the financial liability, can be considerable, notes Greg Bell, a Partner in the information risk management practice at KPMG LLP. And when a security breach occurs at a newly acquired company, the impact on the target’s market share can change the entire economics of the deal. In his experience, Bell says that most companies have been viewing information technology security as a “secondary concern,” but in the last few months, data protection has become “much more critical.” “We’ve seen a shift from merely looking at IT as a collection of assets to looking at how the company manages its corporate controls in this environment and looking at a company’s entire security and privacy program from a holistic approach, not just the mechanics of how the company manages data theft or how it handles privacy issues, which are just silos of compliance activities.” In addition, companies have come to realize that information technology can be a “strategic enabler,” he asserts. “If you look at how much technology supports today’s business processes and how strategic advantage is derived from optimized processes, it’s difficult to de-couple IT from those processes.” As data theft incidents pile up, firms should take care to fortify their data security standards, but it is incumbent on would-be buyers of companies that house large databases to protect themselves from possible security breaches following a merger or acquisition. According to Karson, acquirers will need to scrutinize the type of data that a potential target is collecting and the substantiality of its data security safeguards and ascertain that the data is being used in compliance with law. (c) 2005 Mergers and Acquisitions Journal and SourceMedia, Inc. All Rights Reserved. http://www.majournal.com http://www.sourcemedia.com