When a very well-known Hotel announced its acquisition of Starwood Hotels, they talked about their “Best-in-Class Loyalty Program”, so you would assume that, in addition to the legal and accounting due diligence, there was a strong technical assessment undertaken.
But quite possibly not.
The acquisition came in the middle of a 4-year sustained syphoning of 339m customer records from the Starwood membership system. This was not a simple glitch and two world-class companies didn’t find it.
So, on the 9th July, when the Information Commissioner’s Office (ICO) flexed its GDPR muscles with an intention to fine the Hotel £99m, they took the unprecedented step of calling out the issue of poor technical due diligence:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
I wouldn’t go so far as to say I feel sympathetic. But I do understand how this happens. I regularly present on the importance of technical due diligence and I genuinely see the fear in people’s eyes as we discuss known security vulnerabilities, the precautions necessary for outsourced development and digital supply chains.
I collect business cards by the dozen and diligently follow up and then… nothing.
THIS is not a whinge! I honestly get it. Business priorities take precedence – like spending $13bn on a hotel chain. Demands to release are relentless. Feature requests and bug fixes come with irritated users. Who has time to stop and look at what has already shipped?
So, maybe the $99m problem will help to focus the mind. Or, if nothing else, maybe the advisors will insist on greater technical due diligence next time around. If not, here are my top 3 tips for technical due diligence:
Written by: Paul McAdam – Director, Source Code Control Limited
If you have any questions for Source Code Control then feel free to request a call via the Whitespace Marketplace.
Source Code Control provides software assessment services, including for mergers and acquisitions. They have provided consulting, Bill of Materials and detailed analysis of software composition for a range of companies from FTSE 100 to SMB.
© 2019 Source Code Control Ltd