U.S. District Judge Stanley R. Chesler of the District of New Jersey recently provided much needed guidance to directors and officers on their duties and responsibilities with regard to cybersecurity. In Palkon v. Holmes, et al., Civil Action No. 2:14-CV-01234, Judge Chesler dismissed with prejudice a Wyndham Worldwide Corporation shareholder derivative action arising out of three data breaches that took place between April 2008 and January 2010.

In November 2012, following the discovery of the data breaches and Wyndham’s alleged failure to take appropriate action, a Wyndham shareholder sent a letter to the board demanding that it bring a lawsuit against the directors and officers responsible for overseeing the company’s IT functions and internal controls. The letter claimed the directors and officers were liable to Wyndham for, at least, breach of fiduciary duty and indemnification and contribution. In response to the letter, the board’s Audit Committee retained a law firm to evaluate the demand and recommend a course of action. The law firm investigated the allegations and ultimately found that the shareholder demand letter was not well grounded. Based on the Audit Committee’s recommendation, disinterested members of the Wyndham Board determined there was no basis to bring suit.

Following that determination, in June 2013, plaintiff shareholder Dennis Palkon, who was represented by the same law firm as the shareholder who prepared the November 2012 demand, sent a “virtually identical” demand letter to the board. The board rejected the demand for the same reasons as the first demand. A lawsuit followed, wherein plaintiff brought claims for breach of the fiduciary duties of care and loyalty, corporate waste, and unjust enrichment on a derivative basis against certain Wyndham directors and officers who were allegedly responsible for failing to implement a system of internal controls to protect customer personal and financial information, causing or allowing the company to conceal the data breaches from investors, failing to conduct a reasonable investigation, disregarding their duties upon receipt of a litigation demand, and wrongfully refusing the litigation demand.

The crux of the complaint was that Wyndham and its subsidiaries routinely collected customer personal and financial information, including payment card account numbers, expiration dates and security codes, but failed to take reasonable steps to maintain that information in a secure manner, which resulted in the theft of sensitive personal and financial data from the company’s customers. With regard to the derivative claim, plaintiff alleged that Wyndham officers and directors failed to “implement adequate internal controls designed to detect and prevent repetitive data breaches,” which led to an enforcement action by the FTC, exposing the company to “the risk of tens of millions of dollars in further damages” and “damaged its reputation with its customer base.”

Defendants moved to dismiss based primarily on the fact that the complaint failed to allege that the board wrongfully refused plaintiff’s litigation demand. More specifically, defendants argued that plaintiff failed to plead any particularized facts: (a) sufficient to overcome the business judgment rule; (b) to show the board’s decision to refuse his demand was based on an unreasonable investigation; or (c) that the board acted in bad faith in denying the demand. Plaintiff opposed the motion on the basis that the decision not to bring suit was not protected by the business judgment rule because: (1) the investigation into the demand was performed by conflicted outside counsel who also represented Wyndham in the FTC action; (2) the board wrongfully refused the demand by relying on the advice of Wyndham’s general counsel because he faced personal liability as a result of the cyber-attacks; and (3) the board’s decision was predetermined.

Following briefing, the court granted Wyndham’s motion and dismissed plaintiff’s claims with prejudice, ruling that the board’s refusal to pursue plaintiff’s demand was a “good-faith exercise of business judgment, made after a reasonable investigation.” The court concluded that plaintiff failed to demonstrate any conflict with outside counsel or Wyndham’s general counsel. As to outside counsel, the court found that the firm did not have multiple conflicting duties as it was always obligated to act in Wyndham’s best interest. In reaching this conclusion, the court distinguished this matter from Stepak v. Addison, 20 F.3d 398 (11th Cir. 1994), where the firm was found to have lingering and divided loyalties based on its representation of the company’s directors in separately instituted criminal matters. The court found that outside counsel never represented any of the individual directors and was always duty bound to advocate for Wyndham.

With regard to Wyndham’s general counsel, the court found that plaintiff provided no indication that his demand exposed Wyndham’s general counsel to any liability because the demand letter failed to name him as a responsible party. Additionally, the court noted that the subject matter of the demand was not an area with which the general counsel would likely be associated as he served as a legal advisor, not as a technology or security official. Finally, the court found that the general counsel was nonetheless indemnified by Wyndham against any such liability and “the fear of personal liability alone does not render a corporate director conflicted.”

As to whether the board’s investigation was reasonable, the court noted that prior to its receipt of plaintiff’s demand letter, the board had already discussed the cyber-attacks at 14 meetings, its audit committee had discussed the issues in at least 16 meetings, and the board’s understanding had been further developed as a result of the FTC action and guided by its receipt and subsequent investigation of the “virtually identical” earlier demand letter. Thus, the court stated that “[t]hese earlier investigations, standing alone, would indicate that the Board had enough information when it assessed Plaintiff’s claim.” Nonetheless, the board took the additional step of specifically discussing plaintiff’s demand and unanimously voting not to pursue it. As a result, the court held that Wyndham’s board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.”

In responding to a data breach or cyber-attack, corporate officers and directors should heed the considerations noted in Judge Chesler’s opinion, including holding meetings to address the breaches or attacks, engaging forensic technology consultants to assess the issue, engaging outside counsel to advise regarding legal exposure, and taking necessary remedial measures to address the breach and minimize exposure. In addition, if a demand is made on the board to pursue claims against corporate officers, a committee should be tasked with investigating the demand and making a fully informed recommendation to the board. When these steps are taken, the risk of exposure to a derivative suit is minimized.

Although not mentioned in the Wyndham decision, the time for addressing a data breach or cyber-attack is before the breach occurs. By having robust policies and procedures in place, together with a response team and appropriate training, corporations will be armed for the data breaches and cyber-attacks that are now commonplace. If you would like assistance or have questions about responding to shareholder demands or developing policies and procedures to address a data breach or cyber-attack, Pepper Hamilton’s Privacy, Security and Data Protection Group attorneys have the skills and practical experience necessary to minimize risk.