What You Inherit When You Buy a Business
When you acquire a business, you inherit more than its brand, customers, and revenue. You also inherit its IT equipment and every byte of data stored on it. Servers, workstations, laptops, networking gear, and storage systems all come with the acquisition, often containing years of accumulated data that you now own and are responsible for. Understanding what is on this inherited equipment, and what risks it presents, is a critical but frequently overlooked part of the acquisition process.
Many acquirers focus their due diligence on financials, contracts, and customer relationships. The IT infrastructure is assessed for functionality and adequacy, but the data stored on that infrastructure is rarely examined with the same scrutiny. This oversight can result in the new owner inheriting data liabilities, security vulnerabilities, and compliance gaps that were not reflected in the purchase price.
Data Risks in Inherited IT Equipment
The most immediate risk is data that should not exist. The previous business may have retained personal information beyond its required retention period, stored data without appropriate consent, or accumulated records that create regulatory liability. As the new owner, you inherit this liability along with the equipment.
Legacy systems from the acquired business may contain data in formats or structures that the new owner’s IT team does not understand. Proprietary databases, outdated applications, and custom-built systems can hold significant volumes of data that is invisible to standard IT assessment tools. Without expert analysis, this data can persist on inherited equipment without anyone knowing it is there.
Security vulnerabilities on inherited equipment are another concern. The previous owner may not have maintained current security patches, may have used weak or shared passwords, or may have had inadequate access controls. Equipment that was secure enough for the previous operation may not meet the acquiring organisation’s security standards.
Former employee data presents a specific challenge. The inherited equipment may contain HR records, payroll data, performance reviews, and personal information for employees who worked for the previous owner. The new owner has obligations under the Australian Privacy Act regarding this data, even though they were not the entity that originally collected it.
Conducting a Post-Acquisition IT Assessment
As soon as practical after the acquisition completes, a comprehensive IT assessment should be conducted. This assessment goes beyond the standard IT infrastructure review to specifically examine the data stored across all inherited equipment.
Start with a complete hardware inventory. Document every device, its age, its condition, and its role in the business. Include servers, desktops, laptops, mobile devices, networking equipment, printers with internal storage, external drives, backup media, and any other data-bearing devices.
For each system, identify what data it stores, what applications run on it, and who had access to it under the previous ownership. This data mapping exercise reveals the full scope of inherited data and helps identify any immediate risks or compliance concerns.
Assess the security posture of inherited equipment. Check for current operating system and application patches, review user accounts and access permissions, verify that antivirus and endpoint protection are current, and check for any signs of prior compromise or unauthorised access.
Review any existing data destruction records from the previous owner. If the acquired business disposed of IT equipment before the acquisition, certificates of destruction should be available. Gaps in this documentation may indicate past disposal practices that could create latent liabilities.
Deciding What to Keep, Migrate, and Destroy
Not all inherited data needs to be retained. Working with legal and compliance advisors, categorise the inherited data into three groups: data that is needed for ongoing business operations and should be migrated to your systems, data that must be retained for regulatory or legal reasons but is not actively needed, and data that should be destroyed.
Data in the first category should be migrated to your organisation’s IT infrastructure, where it can be managed under your data governance policies and security standards. During migration, verify data integrity and apply your own access controls and security measures.
Data in the second category, such as historical financial records or employee records subject to retention requirements, should be archived securely. Consider whether this data needs to remain on the original hardware or can be migrated to your archive systems.
Data in the third category should be destroyed following NIST 800-88 standards. This includes personal information that has exceeded its retention period, duplicate or redundant data, and any data that poses more risk than value to the acquiring organisation.
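The three-group decision above can be expressed as a small triage over the data map, shown here as an added example that is not part of the original article. The record fields, status names, asset tags, and dates are all assumptions constructed for illustration, and every listed device is assumed to be surplus; real retention dates come from your legal and compliance advisors.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Dataset:
    device: str                            # asset tag from the hardware inventory
    name: str
    needed_for_operations: Optional[bool]  # None = data mapping not completed
    retain_until: Optional[date]           # end of legal/regulatory retention, if any

def triage(ds: Dataset, today: date) -> str:
    """Apply the three-group rule; unmapped data goes back for assessment."""
    if ds.needed_for_operations is None:
        return "ASSESS"
    if ds.needed_for_operations:
        return "MIGRATE"
    if ds.retain_until is not None and ds.retain_until >= today:
        return "ARCHIVE"
    return "DESTROY"   # retention lapsed or no reason to keep

def device_status(datasets: list[Dataset], today: date) -> dict[str, str]:
    """Roll dataset decisions up to the device that holds them."""
    per_device: dict[str, set[str]] = {}
    for ds in datasets:
        per_device.setdefault(ds.device, set()).add(triage(ds, today))
    status = {}
    for device, decisions in per_device.items():
        if "ASSESS" in decisions:
            status[device] = "HOLD"            # scope of data not yet known
        elif decisions <= {"DESTROY"}:
            status[device] = "SANITISE"        # nothing on it needs preserving
        else:
            status[device] = "PRESERVE_FIRST"  # migrate/archive, then sanitise
    return status

# Constructed sample data map (hypothetical assets, datasets and dates).
TODAY = date(2025, 1, 15)
SAMPLE = [
    Dataset("SRV-01", "customer_crm", True, None),
    Dataset("SRV-01", "payroll_2015", False, date(2020, 6, 30)),
    Dataset("SRV-02", "ledger_fy2022", False, date(2029, 6, 30)),
    Dataset("NAS-01", "legacy_app.db", None, None),
    Dataset("LT-07", "old_marketing_list", False, None),
]

if __name__ == "__main__":
    for ds in SAMPLE:
        print(ds.device, ds.name, triage(ds, TODAY))
    print(device_status(SAMPLE, TODAY))
```

The device roll-up is the part the per-dataset rule does not show: a single unmapped dataset keeps the whole device on hold, and a device is sanitised directly only when everything on it falls in the destroy group.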
Handling Equipment You Will Not Keep
Acquisitions frequently result in surplus IT equipment as systems are consolidated. Equipment from the acquired business that will not be retained should undergo the same secure disposal process as any other end-of-life equipment in your organisation.
Engaging a certified IT asset disposition provider for the disposal of inherited equipment ensures professional handling, verified data destruction, and proper documentation. The ITAD provider can also help recover residual value from equipment that is still functional after data sanitisation.
For equipment containing the most sensitive inherited data, such as servers that held financial databases, customer records, or HR systems, physical destruction of storage media provides the highest level of assurance. This is particularly appropriate when the full scope of data on the equipment cannot be determined with confidence.
Establishing Clean Data Governance Going Forward
A business acquisition is an opportunity to establish clean data governance from a defined starting point. Once inherited data has been assessed, migrated or destroyed, and equipment has been consolidated, the acquiring organisation can apply its own data management and disposal policies consistently across the combined operation.
Documenting the post-acquisition data assessment and the decisions made about inherited data creates a record that protects the organisation if questions arise later. This documentation demonstrates that the acquirer took reasonable steps to understand and manage the data risks inherited through the transaction, which is essential for compliance with privacy obligations that now rest with the new owner.
