A shareholder of a major public hotel corporation recently filed a derivative suit against several of the company’s officers and directors alleging they violated their fiduciary duties, wasted corporate assets, and were unjustly enriched in connection with three separate data breaches between 2008 and 2010. The plaintiff alleges in a recently unsealed complaint that the defendants failed to take reasonable steps to secure customers’ personal and financial information and failed to timely disclose the breaches of payment card data in the company’s financial filings. The lawsuit is unlike the derivative suit filed by a Target investor following that company’s payment card breach, which claimed the Target directors could not fairly consider a litigation demand. Here, a shareholder claims the defendant directors failed to independently and in good faith consider a pre-suit demand that they investigate the data breaches and cause the company to file a lawsuit against company personnel allegedly responsible for allowing the breaches. Notably, the plaintiff is relying on documents produced by the company in response to a books-and-records demand in an effort to show that the directors’ investigation was inadequate. The details of those documents and the plaintiff’s criticisms of the Board’s process have been redacted from the public version of the complaint.

The same company has also been sued by the Federal Trade Commission for allegedly unfair and deceptive practices regarding the security of consumers’ payment card data (see our coverage of that lawsuit here). The shareholder derivative suit is the latest in a flurry of claims being asserted for the first time in the context of a data security incident. A copy of the complaint can be found here.