BreachExchange mailing list archives

Wyndham Decision Provides Guidance to Corporate Directors and Officers in Responding to a Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Nov 2014 13:29:08 -0700

http://www.jdsupra.com/legalnews/wyndham-decision-provides-guidance-to-co-54776/

U.S. District Judge Stanley R. Chesler of the District of New Jersey
recently provided much needed guidance to directors and officers on their
duties and responsibilities with regard to cybersecurity. In Palkon v.
Holmes, et al., Civil Action No. 2:14-CV-01234, Judge Chesler dismissed
with prejudice a Wyndham Worldwide Corporation shareholder derivative
action arising out of three data breaches that took place between April
2008 and January 2010.

In November 2012, following the discovery of the data breaches and
Wyndham’s alleged failure to take appropriate action, a Wyndham shareholder
sent a letter to the board demanding that it bring a lawsuit against the
directors and officers responsible for overseeing the company’s IT
functions and internal controls. The letter claimed the directors and
officers were liable to Wyndham for, at least, breach of fiduciary duty and
indemnification and contribution. In response to the letter, the board’s
Audit Committee retained a law firm to evaluate the demand and recommend a
course of action. The law firm investigated the allegations and ultimately
found that the shareholder demand letter was not well grounded. Based on
the Audit Committee’s recommendation, disinterested members of the Wyndham
Board determined there was no basis to bring suit.

Following that determination, in June 2013, plaintiff shareholder Dennis
Palkon, who was represented by the same law firm as the shareholder who
prepared the November 2012 demand, sent a “virtually identical” demand
letter to the board. The board rejected the demand for the same reasons as
the first demand. A lawsuit followed, wherein plaintiff brought claims for
breach of the fiduciary duties of care and loyalty, corporate waste, and
unjust enrichment on a derivative basis against certain Wyndham directors
and officers who were allegedly responsible for failing to implement a
system of internal controls to protect customer personal and financial
information, causing or allowing the company to conceal the data breaches
from investors, failing to conduct a reasonable investigation, disregarding
their duties upon receipt of a litigation demand, and wrongfully refusing
the litigation demand.

The crux of the complaint was that Wyndham and its subsidiaries routinely
collected customer personal and financial information, including payment
card account numbers, expiration dates and security codes, but failed to
take reasonable steps to maintain that information in a secure manner,
which resulted in the theft of sensitive personal and financial data from
the company’s customers. With regard to the derivative claim, plaintiff
alleged that Wyndham officers and directors failed to “implement adequate
internal controls designed to detect and prevent repetitive data breaches,”
which led to an enforcement action by the FTC, exposing the company to “the
risk of tens of millions of dollars in further damages” and “damaged its
reputation with its customer base.”

Defendants moved to dismiss based primarily on the fact that the complaint
failed to allege that the board wrongfully refused plaintiff’s litigation
demand. More specifically, defendants argued that plaintiff failed to plead
any particularized facts: (a) sufficient to overcome the business judgment
rule; (b) to show the board’s decision to refuse his demand was based on an
unreasonable investigation; or (c) that the board acted in bad faith in
denying the demand. Plaintiff opposed the motion on the basis that the
decision not to bring suit was not protected by the business judgment rule
because: (1) the investigation into the demand was performed by conflicted
outside counsel who also represented Wyndham in the FTC action; (2) the
board wrongfully refused the demand by relying on the advice of Wyndham’s
general counsel because he faced personal liability as a result of the
cyber-attacks; and (3) the board’s decision was predetermined.

Following briefing, the court granted Wyndham’s motion and dismissed
plaintiff’s claims with prejudice, ruling that the board’s refusal to
pursue plaintiff’s demand was a “good-faith exercise of business judgment,
made after a reasonable investigation.” The court concluded that plaintiff
failed to demonstrate any conflict with outside counsel or Wyndham’s
general counsel. As to outside counsel, the court found that the firm did
not have multiple conflicting duties as it was always obligated to act in
Wyndham’s best interest. In reaching this conclusion, the court
distinguished this matter from Stepak v. Addison, 20 F.3d 398 (11th Cir.
1994), where the firm was found to have lingering and divided loyalties
based on its representation of the company’s directors in separately
instituted criminal matters. The court found that outside counsel never
represented any of the individual directors and was always duty bound to
advocate for Wyndham.

With regard to Wyndham’s general counsel, the court found that plaintiff
provided no indication that his demand exposed Wyndham’s general counsel to
any liability because the demand letter failed to name him as a responsible
party. Additionally, the court noted that the subject matter of the demand
was not an area with which the general counsel would likely be associated
as he served as a legal advisor, not as a technology or security official.
Finally, the court found that the general counsel was nonetheless
indemnified by Wyndham against any such liability and “the fear of personal
liability alone does not render a corporate director conflicted.”

As to whether the board’s investigation was reasonable, the court noted
that, before it received plaintiff’s demand letter, the board had already
discussed the cyber-attacks at 14 meetings and its audit committee had
discussed the issues in at least 16 meetings; the board’s understanding had
also been shaped by the FTC action and by its receipt and subsequent
investigation of the “virtually identical” earlier demand letter. Thus,
the court stated that “[t]hese
earlier investigations, standing alone, would indicate that the Board had
enough information when it assessed Plaintiff’s claim.” Nonetheless, the
board took the additional step of specifically discussing plaintiff’s
demand and unanimously voting not to pursue it. As a result, the court held
that Wyndham’s board “had a firm grasp of Plaintiff’s demand when it
determined that pursuing it was not in the corporation’s best interest.”

In responding to a data breach or cyber-attack, corporate officers and
directors should heed the considerations noted in Judge Chesler’s opinion,
including holding meetings to address the breaches or attacks, engaging
forensic technology consultants to assess the issue, engaging outside
counsel to advise regarding legal exposure, and taking necessary remedial
measures to address the breach and minimize exposure. In addition, if a
demand is made on the board to pursue claims against corporate officers, a
committee should be tasked with investigating the demand and making a fully
informed recommendation to the board. When these steps are taken, the risk
of exposure to a derivative suit is minimized.

Although not mentioned in the Wyndham decision, the time for addressing a
data breach or cyber-attack is before the breach occurs. By having robust
policies and procedures in place, together with a response team and
appropriate training, corporations will be armed for data breaches and
cyber-attacks that are now commonplace.