More recent data breach-related D&O lawsuits have been filed in the form of securities class actions, one of which, the Yahoo securities class action lawsuit, recently resulted in a sizable settlement. Before that though, during the period 2014 to 2016, there was a series of data breach related suits filed in the form of shareholder derivative actions. By and large, these cases did not fare particularly well, largely resulting in dismissals. The last of these data breach-related derivative lawsuits that remained pending is the one filed against fast-food company Wendy’s. Now the Wendy’s case has also settled, albeit for a combination of cybersecurity and governance therapeutics and agreement to pay the plaintiffs’ attorneys fees. The resolution of this last remaining shareholder derivative suit again raises a question that has been much discussed, of the extent to which data breach-related issues will lead to more D&O litigation.



Wendy’s is a fast-food restaurant company. In January 2016, the company began investigating a potential data breach after noting unusual activity at certain restaurant locations, following a report by an online cybersecurity blogger. In February 2016, the company announced that its experts had found malware on some of its systems. In its May 11, 2016 filing on Form 10-Q the company disclosed additional details about the data breach, stating that the malware, which had been installed through the use of compromised third-party credentials, affected one particular point of sale system at fewer than 300 of its more than 5,500 franchise locations.


In a subsequent June 9, 2016 press release (here), the company disclosed that an additional variant of the malware had been discovered, affecting a different POS system and involving substantially more than the 300 restaurants previously implicated in the data breach. The press release also stated that the data breach had been in place from October 2015 to June 2016. In a July 7, 2016 press release (here), the company identified the specific locations that were associated with the data breach, and provided a detailed information release for the benefit of customers that may have been affected by the breach. The company concluded that more than 1,000 locations may have been affected.


On December 16, 2016, a plaintiff shareholder filed a derivative lawsuit in the Southern District of Ohio against Wendy’s, as nominal defendant, and against 19 of its current and former directors and officers, including Nelson Peltz, the famed investor and company Chairman. The complaint asserts claims for breach of fiduciary duty; waste of corporate assets; unjust enrichment; and gross mismanagement. The complaint sought to recover damages; corporate governance reforms; and restitution of benefits and compensation. A copy of the plaintiffs’ complaint can be found here.

The complaint specifically alleges that the individual defendants “breached their duties of loyalty, care and good faith” by “failing to implement and enforce a system of effective internal controls and procedures with respect to data security”; “failed to exercise oversight duties by not monitoring the Company and its franchisees’ compliance with federal and state laws [and] payment card industry regulations”; failing to make full disclosure of the effectiveness of the company’s data security policies and procedures, as well as of the scope of the data breach; and permitting the company to violate payment card industry data security standards, particularly with respect to the company’s Aloha point-of-sale system. The complaint also alleges that the defendants failed to exercise their oversight duties commensurate with the risk given the recognition of senior management and the Board that a security breach could adversely affect the company’s business and operations.


In March 2017, the defendants filed a motion to dismiss. While the dismissal motion was pending, the court consolidated the initial complaint with another complaint that had been filed after the first complaint. Thereafter the parties entered settlement negotiations. The negotiations ultimately resulted in a settlement agreement.


On May 6, 2018, the plaintiff in the initial action filed a motion with the court for preliminary approval of a settlement of the shareholder derivative action. A copy of the motion and memorandum of law in support can be found here. The proposed settlement does not involve the payment of any funds to the company itself. Rather the settlement consists of the agreements of the company to adopt certain remedial and prophylactic technology and cybersecurity measures, including the establishment of a separate board-level committee to oversee the company’s technology and cybersecurity, as well as the creation of a number of data security protocols involving the company’s franchisees.


As part of the settlement, the defendants also agreed to pay the plaintiffs’ attorneys’ fees of $950,000, the payment of which is to be funded by the company’s D&O insurance.



As I noted above, during the period 2014 through 2016, a number of shareholder derivative lawsuits were filed against companies that had experienced high profile data breaches, including the derivative lawsuit filed against Wendy’s. The other derivative suits, filed against Wyndham Worldwide, Target and Home Depot, were all dismissed, as noted respectively, here, here and here. The Home Depot case ultimately settled for an agreement to adopt certain remedial measures and an agreement to pay plaintiffs’ attorneys’ fees of up to $1.25 million. Now the Wendy’s case has been settled, also for the agreement to adopt remedial measures and the payment of relatively modest plaintiffs’ attorneys’ fees.


Even with the settlement of the Wendy’s case, the plaintiffs’ track record in the derivative suits is at best mixed. There would seem to be little here to provide significant incentives to other prospective claimants (and more importantly to their attorneys) to pursue these kinds of claims. The plaintiffs’ track record in data breach related securities class action lawsuits arguably shows more promise, as there has been one sizeable securities suit settlement; as noted here, in January, Yahoo settled its data breach related securities suit for $80 million.


Given this history, it arguably comes as no surprise that since December 2016, plaintiffs’ lawyers have not filed any further data breach related shareholder derivative lawsuits. Plaintiffs’ lawyers have continued to file data breach related lawsuits but in the form of securities class action lawsuits.


There is of course no guarantee that there might not be further data breach derivative lawsuits filed. One of the reasons there have been relatively few data breach related securities class action lawsuits is that news that a company has suffered a data breach often does not affect the company’s share price. In the absence of a share price decline, plaintiff shareholders are likelier to pursue a derivative suit than a securities suit, although that logic has not been enough to encourage other claimants to file data breach related derivative suits in recent months. For now, the plaintiffs’ lawyers seem to be interested in pursuing claims only in those cases in which the data breach was accompanied by a share price decline, and then to pursue the claim as a securities suit rather than as a derivative suit.


The possibility that there might be more data breach related D&O suits has been a discussion topic for years. The fact is that there just haven’t been all that many data breach D&O lawsuits filed overall, whether in the form of derivative suits or in the form of class action lawsuits. While I continue to believe that we will see more data breach-related D&O lawsuits filed, it just doesn’t seem that there are going to be that many of them. High profile data breaches such as the ones experienced at Yahoo and Equifax may draw D&O lawsuits, but, it seems, other data breaches may not.