While many are focused on the general headline that the fine stemmed from violations of the General Data Protection Regulation (GDPR), the ICO's statements show that it focused on the company's failures to identify the breach both during due diligence conducted prior to the 2016 acquisition and during the two years of operations following closing. In announcing the fine, the Information Commissioner stated:

"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."

All organizations contemplating any M&A activity must pay heed, as diligence regarding a target's information privacy and cybersecurity practices is no longer optional.

In addition to potential post-closing liability, cyber-related diligence can affect the target's valuation and the viability of a proposed transaction. In 2017, Yahoo lost $350 million in value after breaches were disclosed during Verizon's acquisition of the company.

To ensure an accurate understanding of the risks and vulnerabilities, buyers should want to know as much as possible regarding the target's privacy and cybersecurity practices pre-closing, as the consequences can be significant. Conducting robust diligence in this area can also assist with remediation planning and integrating the target's systems post-close.