News headlines about data breaches are becoming more and more common. During the last year alone, major retailers, restaurants, and financial institutions have all reported data breaches.
The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the data breach. In recent years, a new trend also is emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation (Wyndham) provides insight on steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits.
Last year, four shareholder derivative lawsuits were filed in the District of Minnesota against the directors and officers of Target following a large data breach at the company in November 2013. These lawsuits named 13 of Target’s directors and officers as defendants and asserted claims for breach of fiduciary duty and waste of corporate assets, among others. The shareholders challenge not only the directors’ and officers’ conduct before the data breach, alleging their misconduct allowed the data breach to happen, but also challenge their conduct following discovery of the data breach, asserting the directors and officers acted improperly in the way they disclosed, investigated, and remediated the data breach. The cases have been consolidated and remain pending.
Last May, a similar lawsuit against Wyndham’s directors and officers, which had been filed under seal in February, was unsealed in the District of New Jersey. This case was dismissed by the court on October 20, 2014. It is described in more detail below.
The shareholder lawsuits against these two companies have garnered attention recently, but they are not the first shareholder suits arising out of data breaches. In 2010, a similar lawsuit was filed by a shareholder of TJX Companies, Inc., the owner of TJ Maxx. Prior to that, securities-fraud lawsuits under Sections 10(b) and 20(a) of the Securities Exchange Act were filed by shareholders of Heartland Payment Systems, Inc. (Heartland) and Choicepoint, Inc. These securities-fraud lawsuits, like the derivative cases above, arose out of data breaches at the companies and challenged conduct (i.e., disclosures) both before and after the data breaches.
The Wyndham lawsuit, Palkon v. Holmes, Case No. 2:14-cv-01234 (D.N.J.), named 10 of Wyndham’s directors and officers as defendants and asserted claims for breach of fiduciary duty, waste of corporate assets, and unjust enrichment. Like the Target lawsuits, the lawsuit challenged both the conduct that allegedly caused the breach and conduct relating to the investigation, disclosure, and remediation of the data breach.
According to the complaint, Wyndham suffered three data breaches between April 2008 and January 2010, which resulted in the disclosure of personal information relating to more than 600,000 customers. The shareholder plaintiff wrote a letter to Wyndham’s board of directors in June 2011, demanding that the board investigate the data breaches and sue the named directors and officers to remedy the harm suffered by Wyndham as a result of the data breaches. Wyndham’s board refused the demand, and the plaintiff filed a derivative lawsuit.
The defendants moved to dismiss the lawsuit, arguing among other things that the plaintiff lacked standing to bring the derivative lawsuit under applicable Delaware law because his demand was considered and refused by Wyndham’s board of directors. Under Delaware’s well-established business judgment rule, such a decision is entitled to deference and deprives a shareholder of standing to file the demanded derivative lawsuit, unless it is made in bad faith or based on an unreasonable investigation.
In dismissing the lawsuit, the court rejected the plaintiff’s arguments both that the board acted in bad faith in evaluating his demand and that the board conducted an unreasonable investigation into the demand. It is the latter analysis that provides guidance for companies concerned about these types of claims. In holding that the plaintiff had failed to allege facts showing an unreasonable investigation, the court noted that Wyndham’s board of directors had discussed the cyber-attacks at 14 meetings during the relevant time frame and that the company’s general counsel gave a presentation regarding the data breaches or data security at each meeting. The court also noted that the board’s audit committee discussed these issues during at least 16 meetings over that time. In addition, the Federal Trade Commission was investigating the data breaches, which the court stated further developed the board’s understanding on the issues raised in the demand, as did a prior shareholder demand that was “identical” to the plaintiff’s demand. Finally, the opinion noted that the company had retained third-party technology firms to investigate each breach and recommend enhancements to Wyndham’s systems.
There is no case law outlining the extent of a director’s duty of care with respect to data security, and the development and maintenance of a robust data-security program likely will primarily be the task of management. The board in its oversight role cannot be expected to become the company’s IT experts. However, the Wyndham case suggests several things that both directors and officers can do in advance of a data-security event. Although the Wyndham decision focused on the board’s investigation into and refusal of the plaintiff’s demand, not the board’s pre-breach activities, the factors considered by the Wyndham court may also be useful to a court asked to evaluate whether board members fulfilled their responsibilities with respect to data security.
Accordingly, directors and officers concerned about a potential data breach could consider the following initiatives:
make data privacy and data security, and the resources devoted to those areas, a regular topic of discussion at board meetings, including regular presentations on these topics by officers of the company knowledgeable about them, e.g., the general counsel, chief information officer, or chief technology officer;
consider, in light of the company’s specific risk profile and circumstances, designating one of the board’s committees, whether it is the audit committee as in the Wyndham case or another committee, to have primary oversight on data security and ensure that the company’s data-protection measures, and any noted issues, are discussed regularly at meetings of the relevant committee;
periodically retain third-party consultants to assess the company’s data-protection systems and to suggest areas for improvement;
consider thoroughly any deficiencies identified in these assessments, and document the steps taken to remediate them, if necessary;
establish a cross-functional incident response team, comprising legal, IT, customer service, public relations, and other personnel, which will have primary responsibility for investigating and responding to any eventual data breach; and
investigate thoroughly any allegations of a data breach, including meeting with incident-response personnel or senior executives as appropriate, documenting the company’s efforts to address the cause of any such breach, and taking other remediation efforts and steps to address security vulnerabilities, if any, identified in the investigation.
Additional support for taking these measures can be found in an opinion dismissing the earlier securities-fraud lawsuit against Heartland mentioned above, In re Heartland Payment Systems, Inc. Security Litigation, Case No. 09-1043, 2009 WL 4798148 (D.N.J. Dec. 7, 2009). That case arose out of a data breach in 2008 in which hackers attacked Heartland’s computer network and stole 130 million credit and debit card numbers. Plaintiffs brought a securities-fraud suit against Heartland, its CEO, and its CFO. Plaintiffs alleged, for example, that defendants falsely stated in Heartland’s Form 10-K that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network that “provide[d] multiple layers of security to isolate [its] databases from unauthorized access.” In dismissing the lawsuit for failure to state a claim, the court noted that the fact that Heartland suffered a data breach did not necessarily mean the statements above were false. Rather, to evaluate the truth or falsity of the statements, the court examined the actions Heartland took relating to data security before and after the breach. Plaintiffs alleged the company spent significant sums on data security before the attack and made significant efforts to fix the security issues after the attack. In light of these allegations, the court concluded it was more likely that “Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.” Thus, Heartland reinforces the importance of demonstrating that the company takes data protection seriously through commitment of monetary and human resources (e.g., the routine board and committee involvement discussed above).
* * *
As the volume of recent announcements makes clear, it is becoming increasingly difficult for companies to prevent data breaches and cyber-attacks. Directors and officers should take concrete actions, both prior to a breach and in the aftermath of one, in order to demonstrate their diligence and good faith in addressing this growing area of risk. Such attention will benefit the companies they serve, and – in the event of a major breach – will help protect the directors and officers from allegations that they did not do enough to prevent the breach or to investigate it.
This article was first published as a Hogan Lovells Client Alert.
Authored by Jon Talotta, Michelle Kisloff and Christopher Pickens