
Cybersecurity as a Deal-Breaker: Legal Implications of Data Breaches in Mergers and Acquisitions

Authored By: Swati Singh

Abhinav Education Society's Law College, Pune

Abstract 

This article explores how cybersecurity vulnerabilities and data breaches increasingly influence the outcome of mergers and acquisitions (M&A). In light of rising regulatory scrutiny and high-profile data-leak incidents, buyers must treat cyber risk as a core component of due diligence. The article examines relevant statutes in India and the United States, evaluates seminal judicial decisions, identifies recurring challenges in cyber-due diligence, and outlines best practices and recommendations for minimizing legal and financial risk in M&A deals.

Introduction 

Data has grown to be one of businesses' most valuable and most vulnerable assets in recent years. As businesses depend more and more on digital infrastructure, any persistent cybersecurity flaw in a target firm can pose significant financial, legal, and reputational threats. Ignoring or undervaluing these risks can lead to significant losses in M&A transactions, ranging from post-acquisition liabilities to deal devaluation. Cybersecurity due diligence is increasingly an essential part of M&A strategy because of the rise in data breaches and the tightening of privacy regulations worldwide. This article makes the case that data breaches and inadequate cyber hygiene should be viewed as deal-breaking legal and corporate-governance issues rather than merely operational or IT hazards.

Research Methodology: A Doctrinal and Analytical Study of Cyber Risks in M&A 

Using statute law, court rulings, regulatory frameworks, and current legal-practitioner commentary, this essay employs a doctrinal and analytical method. Sources include U.S. legal precedents under the Computer Fraud and Abuse Act (CFAA) and U.S. corporate and securities law doctrine, as well as Indian cyber-law statutes such as the Information Technology Act, 2000 (IT Act) and the recently passed Digital Personal Data Protection Act, 2023 (DPDP Act). Along with best-practice advice from industry and compliance experts, the paper also examines recent M&A transactions that were negatively impacted by cyber incidents.

Legal Analysis and Discussion 

Regulatory Framework Governing Cybersecurity in Mergers and Acquisitions

India 

  • Section 43A of the IT Act, 2000 imposes civil liability on corporations that handle sensitive personal data and fail to maintain "reasonable security practices and procedures," where that failure causes wrongful loss or wrongful gain to any person.
  • Section 72A of the IT Act makes it an offence for persons with legitimate access to the data, such as employees or intermediaries, to disclose personal information in breach of a lawful contract or without consent.
  • More recently, corporate liability has been greatly strengthened by the DPDP Act, 2023, India's first comprehensive data-protection law. The Act requires "data fiduciaries" handling digital personal data to adhere to security, consent, breach-reporting, data-governance, and transparency requirements. Noncompliance or a breach of personal data can attract severe penalties.
  • Under the DPDP framework, data privacy is no longer a peripheral IT risk but a fundamental corporate-governance and compliance issue. Cyber due diligence is therefore required for any M&A transaction involving a business that handles or stores personal data.

United States 

  • Unauthorized access to computer systems and data is illegal under the CFAA.
  • When a target firm is acquired in an M&A transaction, the buyer frequently inherits all outstanding or latent liabilities, including cybersecurity liabilities arising from the target's prior operations.
  • Recent enforcement efforts by U.S. authorities have reinforced this: in 2025, the U.S. Department of Justice (DOJ) held an acquiring corporation accountable for the acquired company's cybersecurity non-compliance under "successor liability."
  • Furthermore, privacy and cybersecurity reviews, breach-history audits, and cyber-risk assessments are becoming standard compliance activities in M&A (Review of National Law; Gowling WLG).

Therefore, despite their structural differences, both the Indian and the American regulatory regimes treat cyber-risk exposure in M&A as a legal and compliance concern in addition to an operational risk.

Judicial Treatment of Cybersecurity Failures in High-Value M&A Deals

U.S. — The Yahoo! Inc. v. Verizon Communications Inc. saga

Verizon Communications Inc.'s acquisition of Yahoo! Inc. is one of the most frequently cited instances of cyber liabilities affecting M&A. During the post-merger due diligence, Verizon found that Yahoo had experienced undisclosed data breaches affecting over a billion accounts (Bradley.com). As a result, Yahoo faced significant liability, including securities-fraud claims and shareholder lawsuits. The case shows how even undisclosed historical cyber incidents can significantly reduce deal value and produce liability after closing.

U.S. — Acquisition Liability Under DOJ Settlement 

In a 2025 settlement, the DOJ held a buyer accountable for the acquired company's pre-acquisition cybersecurity non-compliance. This demonstrates that authorities view cyber compliance as an ongoing responsibility rather than something that vanishes after a merger.

Critical U.S. Corporate Law Precedent: Smith v. Van Gorkom 

Smith v. Van Gorkom (488 A.2d 858 (Del. 1985)) is fundamental to the analysis of M&A-related responsibility even though it is not a cyber case. The Delaware Supreme Court ruled that a board of directors had breached its duty of care by approving a sale without sufficient information; in particular, the directors had acted hastily, had failed to obtain fair value, and had been inadequately informed. Implication: before authorizing a purchase, directors and acquirers are required by U.S. corporate law to perform informed due diligence.

Cybersecurity and data-privacy checks should be part of that "informed" diligence in a digital-age transaction.

India — Corporate Cyber-Liability under the IT & DPDP Regime 

About 17 million customers' personal information was compromised in a significant data breach at Zomato in 2017. Zomato claimed to be in conformity with ISO standards, but the hack revealed a flaw in its application of "reasonable security practices." Companies (and possibly their acquirers) are now subject to harsher liability for data breaches under the new DPDP Act, which includes significant financial penalties and regulatory consequences. Even though Indian courts have not yet rendered significant rulings directly connecting M&A with cyber liability, the developing statutory framework indicates that purchasing a firm may entail inheriting its data-protection liabilities. Analysts recommend that cyber-due diligence be routinely included in M&A transactions to ensure compliance.

Challenges and Loopholes in Cyber Due Diligence During M&A Transactions 

Despite regulatory and judicial developments, several persistent challenges make cyber-due diligence in M&A difficult:

Hidden or undisclosed breaches: Past breaches may go unnoticed and only come to light after the acquisition, as the Yahoo deal demonstrated, and can then result in liability or price renegotiation.

Lack of standardization in cyber-due diligence: There is no universally accepted standard or checklist; practices vary widely across firms and jurisdictions.

Legacy IT systems & integration risk: Many targets rely on outdated or unpatched infrastructure; merging systems post-deal can expand the attack surface.

Regulatory and jurisdictional mismatch: In cross-border M&A, compliance obligations may arise from multiple laws (national and international), complicating the reconciliation of data-privacy standards, a problem that is especially acute when target and acquirer are in different countries.

Corporate-governance & liability-transfer ambiguity: In India, even though the DPDP Act elevates data-protection obligations, it remains unclear how successor liability will be treated in M&A unless it is explicitly addressed in the agreements.

Emerging Trends and Recent Regulatory Developments in Cyber-M&A Compliance

  • With severe fines for data breaches, mandatory breach reporting, the creation of a regulatory body (the Data Protection Board), and stringent requirements on data fiduciaries, the DPDP Act, 2023 marks a paradigm shift in India.
  • Enforcement agencies in the United States have started to view acquisitions as possible sources of liability; the DOJ's 2025 settlement serves as a reminder that M&A does not erase cyber failures.
  • Legal professionals and M&A experts increasingly advise comprehensive cyber due diligence, security audits, vendor and third-party assessments, and strong representations, warranties, and indemnities in purchase agreements.
  • Post-deal integration is becoming a major priority. To keep legacy vulnerabilities from turning into liabilities, it is essential to harmonize security policies, upgrade systems, consolidate access controls, and conduct ongoing monitoring.

Strengthening Cyber Due Diligence in Future M&A Deals 

Based on the analysis, the following best practices and recommendations emerge:

  • Treat cybersecurity as a primary legal and compliance risk area with its own due-diligence stream, rather than only as a subset of the IT or operational review.
  • Demand thorough disclosures from the target firm, including information about past breaches, security-incident logs, vulnerability assessments, compliance posture, data-governance procedures, contracts with third parties or vendors, encryption methods, access-control policies, disaster-recovery plans, and similar material.
  • To allocate the risk of latent cybersecurity liabilities, use strong representations, warranties, indemnities, and hold-back/escrow provisions.
  • Before closing, conduct independent security audits and penetration tests, including vendor due diligence (particularly if the company relies significantly on outside service providers).
  • Plan post-merger integration: combining IT systems, standardizing security policies, re-encrypting sensitive data, streamlining access control, monitoring vendor risk, and complying with the relevant data-protection regulations (such as the DPDP Act, GDPR, and CCPA).
  • Explicitly negotiate the transfer of liability; state in the sale documents whether the buyer assumes cyber-related liabilities or whether they remain with the seller (or are allocated through escrow or indemnity).
  • Engage legal counsel and cyber professionals early to manage overlapping regulatory regimes, evaluate cross-border risks, and design appropriate governance structures.

Conclusion: 

Cybersecurity due diligence is no longer optional in M&A, since data and its protection can make or break a business today. Because of changing regulations like the DPDP Act in India and increasing enforcement in the United States, acquiring a firm entails inheriting not only its assets but also its risks, including latent cyber liabilities. Neglecting cyber risk can have serious financial and reputational repercussions, as high-profile transactions like the Yahoo-Verizon acquisition demonstrate. Going forward, companies, attorneys, and regulators must treat cybersecurity as a top priority in M&A, incorporating strict due diligence, contractual protections, and compliance procedures from the very beginning. It is essential to the future of corporate law in the digital age.

