Gulf Energy and Rubis Energy are battling in court over privacy and security issues that arose after an acquisition. Rubis Energy acquired KenolKobil in 2019, a transaction that enabled it to acquire Gulf Energy. In the transaction, Gulf Energy transferred all its ICT assets, including employees’ laptops. Gulf had also gone to the extent of procuring a new server through which all the relevant information relating to the transaction could be relayed to Rubis.
However, after the successful completion of the transaction, Rubis decided to recover data from the servers and retrieved Gulf’s deleted or formatted data. Further analysis of the recovered data was conducted, and Rubis deduced that the valuation of the transaction done at the initial stages was higher than the actual value of the transaction.
The dispute points to emerging areas in mergers and acquisitions (M&A) in Kenya that companies should not ignore when getting into such transactions. The nature of M&A transactions calls for companies to conduct thorough due diligence. Traditionally, technology, privacy and cyber security risks did not form a major part of due diligence in an M&A transaction. However, the increasing use of technological systems, together with the value and volume of data today, requires parties to include data protection and technology concerns in their due diligence checklist.
In terms of privacy and data protection concerns, it is vital for companies to develop a strategy in the initial stage of an M&A that takes into account the privacy and security issues that may arise. Parties should, however, be cognizant of the fact that data privacy is important not only during the due diligence phase; issues can also arise after the transaction is completed. Nevertheless, due diligence should be conducted on the target’s IT and data security policies, including how data is gathered, used, stored and destroyed. This includes determining the information required to carry on the business objectives after the acquisition, the use of information, data protection policies, security controls and the significance of the personal data in the transaction, among other things.
Failure to adequately identify data and privacy issues could lead to reputational damage where there has been an undisclosed breach, even long after the M&A transaction has been completed. It could also expose the parties in a transaction to adverse consequences that include, but are not limited to, reputational damage, lawsuits and fines from government authorities. For instance, other than the current lawsuit and reputational damage, Gulf Energy also risks being fined by the Competition Authority of Kenya for over-valuing its business.
In addition, technology due diligence should be conducted by auditing the target’s IT systems to help determine their strengths and weaknesses and, consequently, the value of the business. This due diligence also assists in warranting a better valuation, financial modelling and risk mitigation. The main objective is to evaluate whether there are any risks that may affect integration. It also assists companies in obtaining information concerning future synergies and vulnerabilities, and in reviewing IT structures.
Finally, parties should consider the allocation of risks, warranties and representations concerning data privacy, data transfers and compliance with the laws, as well as how to deal with potential disputes that may arise.