In what is the latest example of the potential cybersecurity-related liability of corporate boards, a shareholder of Wyndham Worldwide Corporation has initiated a derivative lawsuit against certain directors and officers of the company, as well as against the company itself as nominal defendant, related to the three data breaches the company and its operating units sustained during the period April 2008 to January 2010. As discussed here, the company is already the target of a Federal Trade Commission enforcement action in connection with the breaches.
According to a May 6, 2014 Law 360 article (here, subscription required), the derivative lawsuit plaintiff, a Wyndham shareholder, first filed the action in the District of New Jersey in February 2014, but a redacted version of the complaint was only just made public on May 2, 2014 “shortly after a magistrate judge ruled that certain confidential business information contained in the complaint would cause irreparable harm to Wyndham if it were fully unsealed.” The public version of the complaint, which is extensively redacted, can be found here.
As discussed in my prior post concerning the FTC regulatory action, the company’s three data breaches allegedly resulted in the compromise of more than 619,000 consumer payment card account numbers, many of which were subsequently exported to a domain registered in Russia, allegedly causing fraudulent charges and more than $10.6 million in fraud loss.
In its enforcement action, the FTC alleges that the company’s “alleged failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information” violated the prohibition in Section 5(a) of the Federal Trade Commission Act of “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” The FTC’s lawsuit seeks to compel the company to improve its security measures and to remedy any harm its customers have suffered. In an April 7, 2014 ruling, District of New Jersey Judge Esther Salas denied the defendants’ motion to dismiss the FTC complaint and upheld the FTC’s authority to bring the action.
In the derivative lawsuit complaint, which was originally filed in February 2014, before the recent ruling upholding the FTC’s authority, the plaintiff alleges that “in violation of their express promise to do so, and contrary to reasonable expectations,” the company and its subsidiaries “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” The complaint alleges further that the individual defendants “failed to ensure that the Company and its subsidiaries implemented adequate information security policies,” and that the Company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions” and allowed the company’s software to “be configured inappropriately.”
The complaint goes on to allege that the individual defendants “aggravated” the damage to the company by “failing to timely disclose the breaches in the Company’s financial filings.” The complaint notes that the company did not first disclose the breaches until July 25, 2012, over two-and-a-half years after the third breach occurred.
The complaint alleges that the defendants’ failure to implement appropriate internal controls designed to detect and protect against repetitive data breaches “severely damaged” the company and resulted in the FTC enforcement action noted above. The FTC action, the complaint notes, “poses the risk of tens of millions of dollars in further damages.” The company’s failure to protect its customers’ personal information “has damaged its reputation with its customer base.” The complaint alleges that the plaintiff has brought the action “to rectify the conduct of the individuals bearing ultimate responsibility for the Company’s misconduct – the directors and senior management.”
The complaint asserts substantive claims against the individual defendants for breach of fiduciary duty; corporate waste; and unjust enrichment. The complaint seeks recovery of the damages the company allegedly has suffered; remedial action with respect to corporate governance and internal procedures; and disgorgement of profits and compensation.
As I noted earlier this year when Target Corp.’s board was hit with two derivative lawsuits relating to that company’s massive data breach at the end of 2013, the risks and exposures companies face in connection with cybersecurity issues include potential liability exposures for companies’ corporate boards. And in my earlier post about the FTC’s enforcement action against Wyndham, I noted that the exposures a company faces in the wake of a cyber breach include the risk of a regulatory enforcement action. As this latest derivative lawsuit filing shows, the risk of a regulatory enforcement action also includes the possibility of a follow-on civil action filed in the regulatory action’s wake.
The action against the Target board and this action against the Wyndham directors and officers are of course similar in that they both relate to cyber breaches the companies sustained. The actions are also similar in that both refer to the ways the respective companies publicly disclosed information relating to the breaches. This feature of these lawsuits underscores that the potential liability exposures facing corporate boards include not only the risks associated with cyber breaches themselves, but also potential exposures based on the way the company reacts to the breach and manages its affairs after the breach.
In my discussion of the FTC’s enforcement action against Wyndham, I noted some of the potential coverage issues under a variety of types of policies that might limit the amount of insurance potentially available to protect the company with respect to the type of enforcement action the FTC filed. However, the derivative lawsuit represents a more conventional D&O claim, and is the kind of lawsuit that the traditional D&O insurance policy is designed to protect against. Certainly, all else equal, the directors and officers would expect the fees they incur in defending against this claim to be funded under their D&O insurance policy.
There potentially could be some issues relating to the claims-made date, as the question will arise whether this claim was first made in February 2014 when the derivative complaint was first filed, or whether it relates back to the earlier date when the FTC action was first filed.
It remains to be seen how the plaintiffs in this action and in the Target action fare. These cases may or may not prove to be successful for the plaintiffs. However, I think it is highly likely that we will continue to see more lawsuits of this type filed, particularly in connection with higher-profile data breaches.
As these types of cases become more common, it will be interesting to see how the D&O insurance marketplace responds. At a minimum, it can be anticipated that carriers increasingly will include cybersecurity and cyber breach issues in D&O insurance underwriting. Some carriers may even take more active steps to try to limit their cyber-related D&O exposures. At least one leading carrier has already started including privacy and network security exclusions on its management liability insurance policies issued to health care service companies. Other carriers may start to take defensive measures of this type.
I am going to go out on a limb here and say that I think cyber breach-related issues are going to represent an increasingly important liability exposure for corporate directors and officers – and for their insurers.