Pressure to protect sensitive information as part of an acquisition

Finally, you’ve completed the acquisition. As you move forward, don’t forget about this potential vulnerability: employees’ personally identifiable information.

Otherwise, you may run into legal trouble.

Here’s what happened to one employer:

After the acquisition

After it acquired a company, it became a victim of a ransomware attack. Cybercriminals hacked into the employer’s internal, administrative system and obtained current and former employees’ Social Security numbers (SSNs). That occurred in 2020.

The employer didn’t communicate with employees about the breach until 2021. In the meantime, an employee who’d worked for the original company found out pandemic unemployment assistance claims had been filed in his name, using his SSN.

That’s when he learned the data breach linked back to the employer that’d acquired the company where he’d previously been on the payroll and where he’d long ago shared his confidential information.

The acquiring company should have done more to protect his SSN and other personally identifiable information, he claimed in a lawsuit he filed.

Initially, in Ramirez v. The Paradies Shops, LLC, a federal district court dismissed the case. However, the Eleventh Circuit Court of Appeals recently reversed that decision.

The former employee accused the employer of negligence. While the employer argued that, under Georgia law, it didn’t owe him a duty to safeguard his data, the federal appeals court disagreed.

Action step: Make sure sensitive data you may obtain during an acquisition is protected through encryption or other means.