Palkon v. Holmes, No. 2:14-cv-01234, 2014 WL 5341880 (D.N.J. Oct. 20, 2014). 

As Wyndham Worldwide Corp. escalates its fight over the FTC’s power to regulate data security practices to the Third Circuit (see our July issue), its directors, at least, can breathe a sigh of relief.  On October 20, the U.S. District Court for the District of New Jersey dismissed a shareholder derivative suit against the directors and Wyndham.  As we and our colleagues previously reported, Wyndham allegedly experienced three data breaches between 2008 and 2010, compromising the credit card information of more than 619,000 consumers and allegedly leading to fraud on those accounts of more than $10.6 million.

The shareholder derivative suit charged that the directors failed to ensure adequate data security measures were in place, failed to timely report the breach, and had wrongly refused a shareholder demand that the board bring a lawsuit based on the breach.  Applying Delaware law, the court found that the board’s decision to refuse the shareholder demand fell under the business judgment rule and that the plaintiff had failed to plead facts showing that the board had acted in bad faith or had based its decision on an unreasonable investigation.  The court therefore dismissed the suit with prejudice.