The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly scrutinized in future litigation and regulatory investigations.
On October 20, 2014, a New Jersey court dismissed a shareholder derivative suit that sought damages, notably from the directors and officers of Wyndham Worldwide Corp. (“WWC”), for several data breaches. This is the first decision issued in the US in a shareholder derivative claim arising out of data breaches. The decision is important and instructive for board members since it provides examples of approaches to cyber risk oversight which directors and officers may implement to help shield them from liability in the context of data breaches.
The relevant facts and the claim
In the course of its business, WWC collects the personal and financial information of clients, including payment card account numbers, expiration dates and security codes. Between 2008 and 2010, WWC suffered several data breaches that resulted in the theft of the credit card information of more than half a million of its clients. In April 2010, the Federal Trade Commission began investigating the data breaches and commenced legal action against WWC over its security practices.
In November 2012, a shareholder sent a letter to WWC’s board requesting that WWC commence a lawsuit against the members of the board. The shareholder alleged that the directors and officers were liable to WWC for breach of fiduciary duty. The board’s audit committee mandated external lawyers to assess the shareholder’s demand. Counsel investigated the allegations and concluded that they were not founded. WWC therefore decided not to commence any proceedings against the board members.
In June 2013, shareholder Dennis Palkon (“Palkon”) provided WWC with another letter reiterating the demand. This second demand was also dismissed as unfounded, based on the investigation that had been done previously. Palkon then commenced a derivative action on behalf of WWC against the board members for breach of the fiduciary duties of care and loyalty, corporate waste and unjust enrichment. It was alleged that the directors and officers were responsible for the following:
- failing to oversee and implement the proper internal controls to protect the personal and financial information of clients;
- allowing WWC to conceal the data breaches from investors and clients;
- failing to conduct a reasonable investigation; and
- negligently refusing to commence proceedings against the board members.
On October 20, 2014, Justice Stanley R. Chesler dismissed Palkon’s derivative action with prejudice, based on the finding that WWC had done a reasonable investigation into the data breaches following the initial demand to commence proceedings against the board members. Therefore, the decision not to commence proceedings was protected by the business judgment rule.
The investigation that led to this decision demonstrated that, prior to the data breaches, WWC had cybersecurity policies and internal controls in place, and that these had been discussed numerous times at the board level. After the data breaches, more than 10 board meetings took place at which WWC’s security policies, internal controls and security enhancements were discussed. The audit committee also held more than 15 meetings in the context of its investigation of the data breaches to review the policies, procedures and internal controls related to cybersecurity. WWC’s board had therefore based its decision not to commence proceedings against the board members on a thorough investigation of their conduct both before and after the data breaches.
This decision by Justice Chesler to dismiss the action underlines the importance of direct board involvement in addressing cybersecurity, both before and after a data breach occurs.
In light of the decision rendered in the WWC case, the following are examples of steps that management and the board could now consider when identifying and assessing the corporation’s cybersecurity risks:
- Adopting written cybersecurity policies, procedures and internal controls:
  - the incident response plans and protocols should consider whether and how cyber-attacks should be disclosed to customers, investors, regulators, law enforcement, etc.; and
  - an incident response team should be identified, with clear responsibilities assigned to each member.
- Implementing methods to detect the occurrence of a cybersecurity event.
- Management and board members could discuss the appointment of a chief information officer or a chief information security officer with the expertise to meet regularly with, and advise, the board.
- Consideration could be given to appointing a board member with cybersecurity expertise and experience (or the board should seek out an expert who can provide presentation(s) to the board in this regard).
- The board should review annual budgets for privacy and IT security programs.
- The board should receive regular reports on breaches and cyber risks.
- The board should have a clear understanding of who in management has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.