The derivative lawsuit filed against the board of Wyndham Worldwide Corporation in connection with the series of cyber breaches the company had experienced was being closely watched as possibly representative of a potential new area liability exposure for corporate directors and officers. However, as I discussed in a prior post (here), on October 20, 2014, the Court granted the defendants’ motion to dismiss the complaint.
In the following guest post, Rick Bortnick of the Traub Lieberman law firm takes a look at the court’s dismissal of the Wyndham Worldwide derivative suit. This post previously appeared on the CyberInquirer blog (here). I would like to thank Rick for his willingness to publish his post on this site. I welcome guest post contributions from responsible authors on topics of interest to this blog’s readers. If you think you would like to submit a guest post, please contact me directly. Here is RIck’s guest post.
In the first of what is certain to become a cottage industry of derivative lawsuits involving alleged inadequate cybersecurity and deficient public disclosures, on October 20, 2014, a New Jersey federal court granted a motion to dismiss filed by Wyndham Worldwide Corporation’s directors and officers based on its finding that Wyndham’s Board has duly considered and dismissed the plaintiff’s demand that the company sue its directors and officers. Palkon v. Holmes, et al, Case 2:14-cv-01234-SRC-CLW.
In Palkon, plaintiff presented the demand following a series of three security breaches through which hackers obtained personal information of over 600,000 Wyndham customers. (This is the same series of events that gave rise to the well-known lawsuit where Wyndham is challenging the FTC’s jurisdiction).
Wyndham’s Board met to discuss plaintiff’s demand as well as the status of the FTC action. At that time, the Board voted unanimously not to pursue a fiduciary duty lawsuit and thereby rejected plaintiff’s demand.
Plaintiff thereafter sued, alleging that the security breaches, together with the Board’s and management’s inadequate handling, damaged Wyndham’s reputation and cost it significant fees.
In moving to dismiss, defendants relied on the business judgment rule. They also asserted that plaintiff had failed to state a claim and that the damages alleged were speculative in any event.
Ruling on Delaware law, the court granted Wyndham’s motion, finding that plaintiff had failed to meet his burden of rebutting the business judgment rule. In other words, plaintiff was unable to raise a reasonable doubt as to whether Wyndham’s D&Os had acted (1) in good faith, or (2) based on a reasonable investigation.
In so doing, the court identified the following facts as relevant to its determination that Wyndham’s D&Os’ investigation had been reasonable:
The Board discussed cyber-related issues, including the company’s security policies and proposed enhancements, at fourteen meetings between October 2008 and August 2012 (the breaches occurred between April 2008 and January 2010):
- The Board’s Audit Committee reviewed the same matters in at least sixteen meetings during the relevant period;
- During its series of ongoing meetings, Wyndham’s Board addressed and affirmed the implementation of recommendations from the company’s retained technology firms;
- Wyndham’s Board was well-versed in the substance of both the FTC litigation and plaintiff’s demand;
- There was “ample information” that that Board had at its disposal when it rejected plaintiff’s demand; and
- The Board already had investigated the issues presented by plaintiff’s demand, as his attorney himself had presented an identical demand which had been rejected for the same reasons.
From the inside looking out, there is nothing special or unique about Palkon. It affirms the business judgment rule’s presumption of propriety and enumerates the types of facts that one court found relevant as to whether an internal investigation was reasonable.
From the outside looking in, however, the decision sets precedent as to the types of activities of which a Board should be mindful when evaluating and implementing information governance and cybersecurity regimes as well as in responding to a cyber breach (including through public disclosures). We regularly hear from clients asking about pre-breach avoidance strategies. Now there is court guidance ratifying the value of a proactive approach in the context of a derivative litigation.
As we’ve said before, you can pay now or pay more later And as should now be self-evident, whether or not you’re the director or officer of a private company or a public company, it will be far more costly to postpone and/or delay the employment of a robust cybersecurity regime. There no longer is an excuse for waiting. Unless, of course, you like to pay lawyers and other vendors more to be reactive as opposed to what it would have cost had management been proactive.