Along with the separate derivative lawsuit filed against Target Corporation’s board, the cyber breach-related derivative action filed against Wyndham Worldwide Corporation’s board has been closely watched as representative of a potential new area of liability exposure for corporate directors and officers. However, in an October 20, 2014 opinion, District of New Jersey Judge Stanley Chesler, applying Delaware law, granted the defendants’ motion to dismiss the plaintiff’s complaint. A copy of Judge Chesler’s opinion can be found here.
As discussed here, the derivative lawsuit filed against the Wyndham officials relates to the three data breaches the company and its operating units sustained during the period April 2008 to January 2010. As discussed here, the company is already the target of a Federal Trade Commission enforcement action in connection with the breaches. A prior ruling that the FTC action can proceed is currently on appeal to the Third Circuit.
Judge Chesler’s opinion recites that after the breaches occurred, the board and its audit committee met multiple times to discuss the company’s cyber security. The company hired a technology company to investigate the breaches and to make recommendations. Between the time of the second and third breach the company began implementing the recommendations.
In November 2012, the plaintiff sent the Wyndham board a letter demanding that it bring a lawsuit based on the breaches. The board hired the law firm of Kirkland & Ellis to investigate the plaintiff’s demand. The law firm found after investigation that the demand was not well grounded. In March 2013, the board voted not to pursue the demanded lawsuit. In June 2013 the plaintiff presented a second demand letter, which the board rejected in August 2013 for the same reasons it had rejected the initial demand. The plaintiff filed his lawsuit in February 2014.
In the derivative lawsuit complaint, the plaintiff alleges that “in violation of their express promise to do so, and contrary to reasonable expectations,” the company and its subsidiaries “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” The complaint goes on to allege that the individual defendants “aggravated” the damage to the company by “failing to timely disclose the breaches in the Company’s financial filings.” The complaint notes that the company did not first disclose the breaches until July 25, 2012, over two-and-a-half years after the third breach occurred.
The complaint alleges that the defendants’ failure to implement appropriate internal controls designed to detect and protect repetitive data breaches “severely damaged” the company and resulted in the FTC enforcement action. The FTC action, the complaint notes, “poses the risk of tens of millions of dollars in further damages.” The company’s failure to protect its customers’ personal information “has damaged its reputation with its customer base.”
The complaint asserts substantive claims against the individual defendants for breach of fiduciary duty; corporate waste; and unjust enrichment. The defendants moved to dismiss the plaintiff’s complaint.
The October 20 Opinion
In his October 20 Opinion, Judge Chesler granted the defendants’ motion to dismiss with prejudice. The defendants had argued that the board’s refusal to pursue the plaintiff’s demand was a good-faith exercise of business judgment, made after a reasonable investigation. Judge Chesler agreed.
The plaintiff had tried to argue that the board’s decision to reject the demand was not in good faith because it was based on the advice of the Kirkland & Ellis law firm, the same firm that represents the company in the FTC action. Judge Chesler rejected the plaintiff’s argument that the law firm’s representation of the company in the FTC action put the firm in a conflict of interest, since the firm’s obligations in the two matters were identical. Judge Chesler also rejected the plaintiff’s argument that the demand put the company’s general counsel in a conflict of interest, finding that there was nothing in the demand to suggest that it exposed the general counsel to liability, and indeed that it did not even mention the general counsel. Judge Chesler also found that the plaintiff had failed to allege any facts to support the allegations that the general counsel’s role included responsibility for the company’s cyber security program.
Judge Chesler also rejected the plaintiff’s argument that the board’s decision to reject the shareholder demand was based on inadequate investigation. The Court said that “in light of the ample information the Board had at its disposal when it rejected Plaintiff’s demand, and considering the numerous steps the Board took to familiarize itself with the subject matter of the demand, Plaintiff has also failed to make this showing.” Based on their various actions after the breaches occurred, the board’s members were “well versed on the allegations,” but they did not merely reject the allegations in the plaintiff’s demand. Instead, the board and audit committee hired outside counsel to investigate and they met separately to discuss the results of the investigation.
Judge Chesler concluded by observing that “given the business judgment rule’s strong presumption, courts uphold even cursory investigations by boards refusing shareholder demands.” Here, Judge Chesler said, “the Court finds that the WWC’s Board had a firm grasp on Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.”
When this lawsuit and the derivative lawsuits against the Target board were filed, there was a great deal of speculation about whether cyber risk represented an emerging area of exposure for the directors and officers of companies that experience cyber breaches. Cyber risk may yet emerge as a significant area of D&O liability exposure. But Judge Chesler’s opinion is a reminder of just how difficult it is for plaintiffs to survive the initial pleading hurdles in derivative lawsuits like the one the plaintiff filed here.
With the demand requirement and with the protections of the business judgment rule, plaintiffs face some difficult obstacles in just trying to overcome the preliminary motions. The outcome of this case may or may not discourage plaintiffs in other cases from trying to pursue claims against the boards of companies that experience cyber breaches, but this case hardly suggests that the potential liability of boards of cyber breach companies is a promising new area for plaintiffs’ lawyers.
It is probably worth noting that the derivative lawsuit that was filed several years ago against Heartland Payment Systems following that company’s cyber breach was also dismissed. Unless and until the plaintiffs’ lawyers score some successes in these kinds of cases, the outlook would have to be, based on the evidence so far, that this does not appear to be a particularly promising area for plaintiffs’ lawyers.
This case does provide some interesting insight into steps that companies that experience a cyber breach can take to try to protect their boards from potential liability related to the breach. Judge Chesler appeared to consider it significant that the board and the audit committee had met multiple times to discuss the breaches, to try to find out what had happened and to try to take remedial steps. By the time the demand letter arrived, the board could argue that its decision making about the demand was well-informed. Obviously, the board’s reliance on the investigation of outside counsel also helped them make the argument that their decision not to pursue the lawsuit was made in good faith.
There will be much more to be told on the question of whether or not cyber liability represents a significant exposure for the boards of companies that experience a data breach. The lawsuit here does indeed suggest that boards can get sued following a cyber breach. Judge Chesler’s opinion highlights the fact that boards that are sued in these kinds of cases have substantial defenses that will be difficult for plaintiffs to overcome.