Cyber security breaches will impact director and officer litigation in 2016. As we have discussed in a number of our recent reports, potential liability for data breaches emerged as a major concern for corporations last year, with massive cyber attacks cropping up regularly. The recent litigation trend on how lawyers seek to capitalize on these breaches has been derivative actions on behalf of shareholders against directors and officers. Two examples are Target Corp. and Wyndham Worldwide Corp.
The majority of director and officer liability insurance policies don’t contain cyber or data breach exclusions and may therefore likely provide coverage for cyber attack-related derivative litigation. We therefore see shareholder derivative suits in connection with cyber-incidents as a probable litigation consequence of cyber attacks. The viability of derivative litigation against executives over cyber attacks is still unclear as industry standards remain ill-defined, however cyber security response policies appear to help.
Last October the Wyndham case referenced above was dismissed against Wyndham’s directors and officers, saying that the plaintiff shareholder didn’t show that the Wyndham board’s refusal to investigate and address the company’s security protocols was actionable because the letter sent to the board demanding that the company investigate the breaches, which was refused, and the subsequent pleadings, failed to plead the refusal to investigate was in bad faith or was based on an unreasonable investigation. The judge found that the board’s demand refusal was protected by the business judgment rule primarily because the company had implemented cyber security measures before the first breach which were followed, preventing the plaintiff from pleading facts suggesting gross negligence. Meanwhile, a pair of derivative suits over Target’s data breach remain pending.
Companies should be thinking about these issues both in terms of establishing industry standards for response and proactively reviewing policies to negotiate out or curtail potentially applicable exclusions.