Cyber-breach related D&O lawsuits have not fared particularly well. Indeed, after the shareholder derivative lawsuit against the board of Home Depot was recently dismissed, it was unclear what the future direction for cybersecurity litigation against corporate officials might be. But though the future direction of this type of litigation is unclear, it seemed unlikely despite the poor track record that we had seen the last of these cases. Among other things, it seemed likely that entrepreneurial plaintiffs’ lawyers would continue to try to identify their litigation opportunity for these kinds of cases. As it has now turned out, we didn’t have to wait long for confirmation that despite the dismissals we had not seen the last of the cyber breach-related D&O lawsuits.
On December 16, 2016, a plaintiff shareholder filed a derivative lawsuit in the Southern District of Ohio against The Wendy’s Company, as nominal defendant, as well as against certain current and former directors and officers of the company, related to a data breach that took place at the company between October 2015 and June 2016 and that affected well over 1,000 Wendy’s franchise locations. A copy of the plaintiff’s complaint can be found here.
Wendy’s is a fast-food restaurant company. In January 2016, the company began investigating a potential data breach after noting unusual activity at certain restaurant locations, following a report by an online cybersecurity blogger. In February 2016, the company announced that its experts had found malware on some of its systems. In its May 11, 2016 filing on Form 10-Q the company disclosed additional details about the data breach, stating that the malware, which had been installed through the use of compromised third-party credentials, affected one particular point of sale system at fewer than 300 of its more than 5,500 franchise locations.
In a subsequent June 9, 2016 press release (here), the company disclosed that an additional variant of the malware had been discovered, affecting a different POS system and involving substantially more than the 300 restaurants previously implicated in the data breach. The press release also stated that the data breach had been in place from October 2015 to June 2016. In a July 7, 2016 press release (here), the company identified the specific locations that were associated with the data breach, and provided a detailed information release for the benefit of customers that may have been affected by the release.
In the wake of the data breach revelations, Wendy’s was hit with two distinct groups of class action lawsuits, one filed by financial institutions seeking recovery for costs they incurred and other damages as a result of Wendy’s data breach, and the other filed on behalf of Wendy’s customers who claimed to have been harmed by the data breach at Wendy’s.
On December 16, 2016, a plaintiff shareholder filed a derivative lawsuit in the Southern District of Ohio against Wendy’s, as nominal defendant, and against 19 of its current and former directors and officers, including Nelson Peltz, the famed investor and company Chairman. The complaint asserts claims for breach of fiduciary duty; waste of corporate assets; unjust enrichment; and gross mismanagement. The complaint seeks to recover damages; corporate governance reforms; and restitution of benefits and compensation.
The complaint specifically alleges that the individual defendants “breached their duties of loyalty, care and good faith” by “failing to implement and enforce a system of effective internal controls and procedures with respect to data security”; “failed to exercise oversight duties by not monitoring the Company and its franchisees’ compliance with federal and state laws [and] payment card industry regulations”; failing to make full disclosure of the effectiveness of the company’s data security policies and procedures, as well as of the scope of the data breach; and permitting the company to violate payment card industry data security standards, particularly with respect to the company’s Aloha point-of-sale system. The complaint also alleges that the defendants failed to exercise their oversight duties commensurate with the risk given the recognition of senior management and the Board that a security breach could adversely affect the company’s business and operations.
In a clear recognition that prior data breach derivative lawsuits have foundered because of the plaintiffs’ failure to make a pre-suit demand on the company’s board of directors and failure to establish demand futility, the Wendy’s complaint contains detailed allegations attempting to substantiate the futility of a demand on the board. Among other things, in support of the demand futility argument, the complaint cites the fact that several of the defendants own a substantial amount of Company stock giving them a controlling interest in the company. The controlling shareholder defendants, the complaint alleges, have familial ties with others of the individual defendants, worked with the other individual defendants at other companies, or previously were Wendy’s management employees and “now are directors beholden to the controlling shareholder defendants.”
As I noted at the outset, the various prior high-profile data breach-related shareholder derivative lawsuits have not fared well. Specifically, the prior lawsuits against Wyndham Worldwide (about which refer here), Target (here), and Home Depot (here) were all dismissed, failing to overcome the initial procedural and pleading hurdles. Perhaps because the prior cases proved to be unsuccessful, there have not been more of these kinds of cases filed for some time. The last of the high-profile data breach-related D&O lawsuits to be filed was the one launched against the board of Home Depot, which was first filed in September 2015.
Though there have been numerous high-profile data breaches in the interim, there have been no additional data breach D&O lawsuits filed since that time – that is, until now, with the filing of the Wendy’s shareholder derivative lawsuit. (There have of course been numerous consumer class actions filed in the interim; for purposes of this post, I am referring only to data breach-related lawsuits filed against company management and seeking to recover not damages for privacy violations but damages for mismanagement.)
The Home Depot lawsuit was the last of the three high-profile data breach-related D&O lawsuits to be dismissed. I said at the time that though these kinds of cases had fared poorly, it was far too early to conclude that companies faced no risk of a D&O lawsuit following a data breach. Plaintiffs’ lawyers have not been successful with these kinds of cases so far, but they had and have substantial incentives to continue to find the ways they might be able to capitalize on a data breach incident lawsuit by seeking to recover damages from company management.
It remains to be seen whether the plaintiff in the Wendy’s lawsuit will be any more successful in pursuing these claims than were the claimants in the prior data breach-related D&O lawsuits. If nothing else, the recent filing of the Wendy’s lawsuit underscores the fact that enterprising plaintiffs’ lawyers are going to continue to try to find a way to establish data breach claims against company management. For now at least, it is clear that company officials continue to face a potential liability exposure in claims filed against them in the wake of a significant data breach incident.
In any event, company officials continue to face the risk of regulator claims. As I noted in a recent post (here), there is a growing list of federal regulatory agencies jockeying to join the regulatory data security bandwagon, and state authorities are not far behind.
The recent filing of the Wendy’s data breach-related derivative lawsuit and the allegations in the Wendy’s complaint are a reminder that though prior high-profile data breach-related D&O lawsuits were dismissed, the possibility for these kinds of cases to be filed continues. Accordingly, it remains indispensable for companies and their senior officials to continue to take steps to ensure that, if their actions and decisions are questioned, they can show that they were proceeding responsibly with reasonable efforts appropriately designed to try to meet security threats.