There were two Director and Officer (D&O) cyber-breach related lawsuits at the end of 2016 which are important in the context of D&O liability. First, a shareholder derivative lawsuit against Home Depot is the latest of a data-breach related suit against D&O’s dismissed early on in the litigation process based on the plaintiff failing to meet pleading requirements. Second, in December 2016, plaintiffs filed a derivative lawsuit against Wendy’s D&O’s in the latest litigation against the fast-food retailer as a result of a 2015 credit card breach.
The Home Depot (consolidated) shareholder derivative litigation followed a 2014 data breach affecting more than 56 million cardholders. The shareholders sued Home Depot’s D&O’s alleging, for example, that defendants failed to ensure that Home Depot safeguarded customers’ personal and financial information.
The defendants filed a Motion to Dismiss, arguing that the plaintiffs failed to make a pre-suit demand on the Board. Where no pre-suit demand is made, the shareholder has the burden of demonstrating that the demand was excused because it would have been futile. The court explained that “In situations like this case where the Plaintiffs complain of Board inaction and do not challenge a specific decision of the Board, a finding of demand futility is authorized only where ‘particularized factual allegations of the derivative stockholder complaint creates a reasonable doubt that, as of the time the complaint is filed, the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand.” Ultimately, the court found that the plaintiffs failed to show that demand was futile on any of the claims alleged, and granted the defendants’ Motion to Dismiss.
The Home Depot case is significant in that it is yet another breach lawsuit against D&O’s dismissed early on in the litigation stage for failing to meet either pleading or procedural requirements. For example, shareholder lawsuits resulting from breaches in Wyndham and Target were also dismissed early on in the litigation process.
The Wyndham derivative action was a shareholder derivative suit against Wyndham’s D&O’s for breach of fiduciary duty in connection with a series of hacker attacks that exposed the personal information of over 619,000 customers between April 2008 and January 2010. A derivative shareholder lawsuit followed a Federal Trade Commission action in 2014. Like in Home Depot, the court applied Delaware’s business judgment rule and held that the Wyndham Board had “a firm grasp on Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.” Thus, the court granted the defendants’ Motion to Dismiss, with prejudice.
Similarly, the Target derivative action (consolidated shareholder derivative suit as a result of Target’s 2013 Data breach affecting more than 70 million customers), was also dismissed on a Motion to Dismiss. The derivative litigation was stayed pending a 21-month investigation by a Special Litigation Committee (SLC) which made the ultimate determination that it was not in Target’s best interests to pursue derivative claims arising out of the breach against the named officers and directors. The SLC filed a Motion for Dismissal, and the Defendants filed several Motions to Dismiss. The plaintiffs did not oppose the Motions to Dismiss, and thus, the court granted the Motions to Dismiss in July 2016.
While the Home Depot lawsuit and its predecessors appear to indicate that shareholder derivative suits against D&O’s resulting from data breaches will be unsuccessful, we anticipate that there will be a shareholder derivative suit against D&O’s resulting from a data breach which will survive the Motion to Dismiss stage.
For example, in December 2016, Wendy’s was hit with a shareholder derivative suit after a data breach from 2015 to 2016 which affected over 1000 customers’ personal and financial information. The Complaint sets forth causes of action for: 1) breach of fiduciary duty; 2) waste of corporate assets; 3) unjust Enrichment; and 4) corporate waste against D&O’s.
Wendy’s is now defending itself on three fronts. First, there is a consolidated class action litigation pending in Pennsylvania on behalf of financial institutions alleging claims for negligence, negligence per se, violation of the Ohio Deceptive Trade Practices Act, and declaratory and injunctive relief. Second, Wendy’s is defending a consolidated class action lawsuit in Florida on behalf of Wendy’s customers alleging claims for breach of implied contract, negligence, violations of state consumer protection laws and violations of state data breach statutes. And lastly, as discussed above, Wendy’s is now defending the shareholder derivative suit. This recent lawsuit is an example of the potential litigation which follows a cyber data breach incident. We anticipate that the defendants will attempt to dismiss this latest suit on a Motion to Dismiss as was the case in Home Depot and its predecessors.
Written by Anjali C. Das, James K. Thurston and Judith Soto from Wilson Elser Moskowitz Edelman & Dicker LLP Chicago