At a London Market presentation on January 22, 2014, I addressed the potential exposure for shareholder derivative actions. I specifically noted as follows:

  • Shareholders might allege, for example, that the directors of a company that experienced a cybersecurity breach breached their fiduciary duties to the company by failing to ensure adequate security measures.
  • If any defendants sold shares before the attack occurred or before the risk was fully disclosed to the corporation, plaintiffs could allege they violated the duty of loyalty by profiting from the sale of those shares.
  • A Caremark duty of care claim could be based on a decision made by the board or the failure of the board to exercise proper oversight, allowing vulnerabilities to go unfixed and ultimately exploited.
  • Caremark claims require shareholders to demonstrate 1) that the directors knew or should have known that violations of the law were occurring, 2) that the directors did not make a good faith effort to prevent or remedy the situation, and 3) that such failure proximately caused damage to the company.
  • A challenge to the sufficiency of a board action (i.e., a decision) would be unlikely to prevail. Absent a finding of bad faith or failure to act rationally, decisions of the board, no matter how questionable with the aid of hindsight, will generally be protected by the business judgment rule.
  • Even if one were to establish gross negligence necessary to overcome the presumption granted by the business judgment rule, most companies have adopted charter provisions under the Delaware Code, Title 8 § 102(b)(7), insulating directors from personal liability resulting from a breach of their duty of care.

A recent opinion corroborated these observations. Specifically, in an October 20, 2014 opinion applying Delaware law, a motion to dismiss filed by Wyndham Worldwide Corporation's board of directors was granted in the context of a cyber-breach-related derivative action. Palkon, etc. v. Holmes, et al., United States District Court, District of New Jersey, Civil Action No. 2:14-CV-01234 (SRC).

Before filing the complaint, the plaintiff had sent the Wyndham board a letter demanding it bring a lawsuit based on breaches of the company's online networks, during which hackers accessed the personal and financial information of a number of large customers. The board hired Kirkland & Ellis to investigate the plaintiff's demand. After an investigation, Kirkland & Ellis concluded the demand was "not well grounded." In March 2013, the board then voted to adopt the Audit Committee's recommendation that Wyndham not bring the lawsuit. The plaintiff reiterated his demand in June 2013, and the board rejected the second demand in August 2013 for the same reasons.

The lawsuit was filed in February 2014. The complaint alleged that the defendants' failure to implement appropriate internal controls to detect and protect repetitive data breaches "severely damaged" the company and resulted in an FTC enforcement action which, according to the complaint, posed the risk of tens of millions of dollars in further damages. The complaint also alleged reputational damage.

Defendants moved to dismiss on June 2, 2014. Defendants argued that the refusal to pursue the demand was a good-faith exercise of business judgment, made after a reasonable investigation. The defendants then argued that even if the board's refusal had been wrongful, the complaint failed to state a claim upon which relief could be granted. Finally, the defendants asserted that the plaintiff's alleged damages were speculative and unripe.

The plaintiff opposed the motion for three corresponding reasons. First, the plaintiff contended that the board wrongfully refused his demand by relying on an investigation dominated by conflicted counsel. Plaintiff next urged that he had adequately pleaded his legal claims, as Wyndham had failed to institute reasonable security protections. Lastly, plaintiff asserted that the shareholders already had suffered damages due to the costs of defending against the FTC investigation.

In his opinion, Judge Stanley Chesler rejected the plaintiff's argument that Kirkland & Ellis had a conflict of interest, based on its representation of the company in the FTC action. Judge Chesler stated that it did not pose any conflict of interest because Kirkland's obligation in both matters was identical.

Judge Chesler also rejected the argument that Wyndham's General Counsel had a conflict of interest, on the basis that there was nothing in the demand to suggest the General Counsel was exposed to personal liability.

In considering the plaintiff's argument that the board's decision to reject the demand was based on an inadequate investigation, Judge Chesler concluded that the plaintiff had failed to make this showing in light of the information at the board's disposal when it rejected the demand. Judge Chesler also considered the numerous steps taken by the board to become educated about the issues presented by the demand.

Finally, Judge Chesler observed that "[G]iven the business judgment rule's strong presumption, courts uphold even cursory investigations by boards refusing shareholder demands. (citation omitted). Here, the court finds that WWC's Board had a firm grasp of plaintiff's demand when it determined that pursuing it was not in the corporation's best interest."

Whether cyber liability represents a significant exposure to boards of companies that experience a data breach still remains to be seen. The early returns are not promising, but derivative actions undoubtedly will be brought once a major corporation sustains a cyber breach. Still, substantial defenses are available and will present serious obstacles for the plaintiffs to hurdle.
