A federal district court in New Jersey has dismissed with prejudice a shareholder derivative suit, Palkon v. Holmes, No. 14-CV-01234 (SRC) (D.N.J.), that tried to blame the directors and officers at hospitality company Wyndham Worldwide Corporation (“Wyndham”) for a series of data breaches. The court’s decision dismissing the case is notable because it illustrates some of the steps that directors and officers can take to shield themselves from liability in cybersecurity litigation.
Between April 2008 and January 2010, Wyndham suffered three data breaches that resulted in the theft of over 600,000 customers’ credit-card information. Plaintiff Palkon alleged, on behalf of a purported shareholder class, that the directors, the President/CEO, and the General Counsel of Wyndham had breached their fiduciary duties of care and loyalty to the company, and wasted corporate assets, by (i) failing to implement a system of internal controls to protect customers’ personal and financial information, and (ii) causing or allowing the company to conceal the data breaches from investors. To satisfy a threshold requirement for a derivative action, the plaintiff had sent a letter to the Wyndham board demanding that the company investigate the breaches and sue the company personnel responsible. The board unanimously refused that demand, and Judge Stanley Chesler dismissed the action with prejudice because plaintiff failed to plead with particularity that the refusal of the demand was made in bad faith or based on an unreasonable investigation, as required by governing Delaware law.
The court concluded that the board’s demand refusal was protected by the business judgment rule because of the board’s responses to the plaintiff’s demand letter, to an earlier demand letter from another shareholder, and to an earlier investigation and litigation by the FTC. The board held 14 quarterly meetings in which it discussed the cyberattacks, company security policies, and proposed security enhancements. The board appointed the Audit Committee to investigate the breaches, and that committee met at least 16 times to review cybersecurity. The company also hired a technology firm to recommend security enhancements, which the company had begun to implement. Even before the first security breach, the company had cybersecurity measures in place that had been discussed numerous times by the board. Thus the board was well versed in the issues when it rejected the plaintiff’s demand, and the plaintiff could not plead facts suggesting gross negligence by the board. Nor could the plaintiff plead that outside counsel (who represented the board in the FTC action) and General Counsel (who was named as a defendant) suffered from any conflict of interest that tainted their advice to the board.
The Palkon decision underscores the importance of direct board involvement in addressing cybersecurity, both before and after a data breach occurs. Because of the FTC investigation and litigation, the Wyndham board took protective actions that made it very difficult for the plaintiff to plead an uninformed demand refusal. Those same actions – including regular meetings on cybersecurity, appointing qualified personnel to manage and report on cybersecurity, and hiring well-qualified outside counsel and technical experts – can and should be taken by boards before any data breach occurs. Indeed, in Palkon the court noted in a footnote that, although it did not need to reach the merits of the plaintiff’s claims, they were potentially weak, since the company had already installed security measures before the first breach occurred, and the board had addressed such concerns numerous times.