Publications

In the context of modern business acquisitions, increased reliance on data and complex digital systems call for prospective purchasers to rethink how they navigate due diligence and assess risk.

Data and technology practices are fundamentally altering the way businesses operate, with many becoming increasingly reliant on data and digital infrastructure to operate or create value.

This means that acquiring a business today often involves inheriting not just the business’s data and technology systems, but any embedded vulnerabilities, latent risks, or compliance issues. These risks may not materialise until post-acquisition.

For the purposes of conducting due diligence, the challenge for purchasers is two-fold – purchasers must: (a) assess the current and historical state of the target business’s data practices and technology systems; while also (b) keeping in mind how expected regulatory change may expose the business to new or changing compliance risks after acquisition.

In the acquisition of data-heavy and data or technology-reliant businesses, purchasers should take a forward-thinking approach, taking into account:

• how data and technology operate within the target business;
• where future legal and/or operational risks may emerge; and
• what responsibilities they will ultimately bear post-acquisition.

Understanding due diligence for data and IT risks

What constitutes reasonable due diligence in the context of data-driven and technology-enabled businesses is both contextual and evolving.

There are an increasing number of modern businesses deriving their revenue, efficiency, and competitive advantage from their data and digital ecosystems. In some business, for example, data collection and analysis might underpin their entire business model, or the use of automated systems and AI tools might play a central role in their day-to-day operations.

In either context, a traditional due diligence exercise focusing primarily on financials, contracts, and high-level compliance representations may no longer be sufficient. Today purchasers should enquire into and meaningfully engage with critical issues such as data governance, privacy compliance, and cybersecurity resilience as part of their due reasonable diligence.

The importance of this due diligence process is not to eliminate data and technology-related risks entirely, but rather to adequately identify and understand those risks, and allocate them appropriately between themselves and the vendor.

Risks for purchasers who fail to meaningfully engage with data and technology due diligence

A failure to adequately enquire and understand a target business’s cybersecurity position may expose a purchaser to vigorous regulatory action and significant reputation damage and other loss after acquisition.

The significance of post-acquisition responsibility was recently highlighted by the Federal Court of Australia in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (“AIC v ACL”):

• In this case, ACL (one of Australia’s largest private hospital pathology businesses) had acquired the assets of Medlab Pathology Pty Ltd (“Medlab”), taking ownership and control of Medlab’s IT systems which were to be integrated with ACL’s own systems a few months later.
• After acquisition but prior to this integration occurring, a cybersecurity attack was initiated against Medlab’s IT systems resulting in 86GB of data (including the personal and sensitive information of over 223,000 individuals) being published on the dark web.
• Proceedings were subsequently commenced by the Australian Information Commissioner against ACL for various breaches of the Privacy Act 1988 (Cth), including failing to take reasonable steps to protect personal information in accordance with Australian Privacy Principle 11.1.
• While various matters were considered by the court in determining these contraventions, a key issue that was raised was ACL’s ‘failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems’ which they ultimately had control of.
• Prior to acquiring Medlab, ACL had conducted a ‘Cybersecurity and Privacy Questionnaire’ early on as part of their due diligence efforts which was intended to assist them in understanding Medlab’s cyber risk environment and consider ways to mitigate concerns moving forward.
• From this questionnaire, ACL were made aware that Medlab:
  • had not conducted an IT penetration test, vulnerability assessment, or IT security audit in the preceding three years;
  • did not have sophisticated IT and cybersecurity processes in place;
  • did not have any documents or reports identifying threats to the security of personal or sensitive information they handled; and
  • had not been the subject of any cybersecurity incidents or complaints or investigations into any of its data practices.
• ACL was alleged to have failed to adequately identify various vulnerabilities and cybersecurity deficiencies in Medlab’s IT systems (including poor antivirus software and authentication measures, as well as outdated systems) prior to the acquisition.

One takeaway from this decision is that a purchaser may be taken to have control over a vendor’s data and technology systems as soon as completion occurs, meaning responsibility for all data and privacy compliance obligations may be assumed from that point, regardless of whether certain issues or deficiencies existed prior to acquisition.

Assessing the depth of data privacy due diligence

The extent to which this is appropriate (beyond preliminary inquiries and warranties) will depend heavily on the context of the transaction.

For instance, if a target’s business model relies heavily on the collection, processing, or monetisation of data, or AI systems play a meaningful role in their operational or customer-facing decision-making, then it is very likely that silence or surface-level enquiry by a purchaser may fall below the threshold of reasonable due diligence.

Purchasers may be expected to ask specific questions and seek supporting documents and expert review concerning matters such as the business’s data practices, cybersecurity measures, or use of AI or other automated systems, and critically assess whether they align with current standards and obligations, as well as foreseeable regulatory developments.

When data and technology due diligence is likely to matter, and what to look for

Taking this a step further, purchasers should also consider the extent to which data and technology enables (or is integral to) the business. In practice, this might involve considering a number of issues, including:

• The role of data in the business – Does it serve a primary function of the business or is it merely incidental to operations?
• The nature and volume of data – What types of data does the business handle, and to who does that data relate to?
• The data lifecycle and data flow – How is the data collected, stored, used, shared, retained and/or destroyed?
• The reliance on technology and/or automated systems – To what extent do operations, decision-making, customer interactions, or other business functions rely on digital systems, software, or AI-enabled tools?
• The use of any third-party providers or systems – To what extent does the business rely on third-party cloud services, software vendors, data processors. or AI-tools? How much control does the business retain?

This article was published on 27 February, 2026 by Carroll & O’Dea Lawyers and is based on the relevant state of the law (legislation, regulations and case law) at that date for the jurisdiction in which it is published. Please note this article does not constitute legal advice. If you ever need legal advice or want to discuss a legal problem, please contact us to see if we can help. You can reach us on 1800 301 601 or via the Contact us page on our website. (www.codea.com.au). If you or a loved one has been injured, use our Personal injury Claim Check now.