• New Jersey District Court Rejects Shareholder Derivative Action Based on Cybersecurity Breach
  • December 8, 2014 | Authors: Kyle Evans Gay; Lewis H. Lazarus
  • Law Firm: Morris James LLP - Wilmington Office
  • In Palkon v. Holmes, C.A. No. 2:14-CV-01234 (SRC) (October 20, 2014), the United States District Court for the District of New Jersey dismissed with prejudice a shareholder derivative action arising from three distinct breaches of Wyndham Worldwide Corporation (“Wyndham”). The Court granted the Defendant Directors’ Motion to Dismiss pursuant to Rules 23.1(b) and 12(b)(6) of the Federal Rules of Civil Procedure. The matter was resolved on demand-refusal grounds, but the opinion provides fresh guidance to corporate boards on how to address their exposure to risk based on cybersecurity breaches and shareholder actions arising from those breaches. Specifically, the decision highlights the importance of independent advice and of making a record of board review of policies and procedures to address the threat of a cyber-security breach. As this decision illustrates, boards that seek independent legal and other advice and that make an appropriate record of reviewing policies for addressing the risk of cyber-security breaches are more likely to be able to withstand a shareholder derivative claim for breach of fiduciary duty.

    Background Facts

    Wyndham is a Delaware corporation headquartered in Parsippany, New Jersey. Between April 2008 and January 2010, hackers breached Wyndham’s networks on three separate occasions. Hackers stole information from Wyndham’s subsidiaries, which themselves collect customers’ personal and financial data, particularly credit card information used to reserve hotel rooms. The security breaches affected over six hundred thousand customers. In April 2010, the Federal Trade Commission (“FTC”) began to investigate the three attacks. The FTC filed an action against Wyndham in June 2012, and Kirkland & Ellis, LLP (“Kirkland”) represented Wyndham in that action. In November 2012, a shareholder demanded in a letter to Wyndham’s Board of Directors (the “Board”) that Wyndham bring suit based on the network breaches. In response, the Board instructed the Audit Committee to review the demand. The Audit Committee, guided by Kirkland, advised against bringing suit, and the Board voted in favor of the Audit Committee’s recommendation on March 11, 2013.

    In June 2013, Plaintiff Dennis Palkon sent Wyndham a similar demand letter which Wyndham’s General Counsel then submitted to the Board. On August 8, 2013, the Board voted unanimously not to pursue an action in part because Plaintiff’s demand was “virtually identical” to the 2012 demand. Moreover, the record demonstrated that the Board discussed cybersecurity issues, including the attacks, Wyndham’s policies, and proposed enhancements, at fourteen meetings between October 2008 and August 2012. During the same period, the Audit Committee reviewed the same topics in at least sixteen meetings. Wyndham hired technology companies to investigate each breach and implemented new security policies after the second and third breaches.

    Plaintiff’s Claim

    Plaintiff filed the Complaint on February 25, 2014, claiming that the Defendant directors failed to implement adequate cybersecurity protections, which left Wyndham vulnerable to hackers and put customers’ personal and financial information at risk. He also alleged that Defendants failed timely to disclose the attacks, thus damaging Wyndham’s reputation and bottom line, and wrongfully refused his June 2013 demand. Defendants countered that their demand refusal was a good-faith exercise of business judgment, that the Plaintiff failed to state a claim upon which relief could be granted, and that the alleged damages are speculative and unripe.

    Court Rejects Plaintiff’s Claim that the Board Wrongfully Refused his Demand

    The Court determined under Delaware law that Plaintiff failed to raise any reasonable doubt that the Board acted in good faith and based upon reasonable investigation. Although Plaintiff alleged that Kirkland was conflicted because it also represented Wyndham in the FTC action, the Court found no conflict because the record reflected that Kirkland’s obligation was at all times to act in Wyndham’s best interests. Similarly, the Court found no support for Plaintiff’s claim that Wyndham’s general counsel was intimately involved in Wyndham’s data security initiatives. It therefore concluded that claims that the general counsel’s role raised an issue as to his independence, as well as any claim that Wyndham’s general counsel improperly affected Kirkland’s neutrality, were conclusory allegations insufficient to justify denying the motion to dismiss. Finally, the Court found that the Board’s investigation of Plaintiff’s demand was reasonable considering Plaintiff’s demand was “virtually identical” to the November 2013 demand. Thus the Court found that the Board reasonably exercised its business judgment when it refused Plaintiff’s demand.

    Lessons Learned

    One of the Board’s bases for refusing Plaintiff’s demand was the “significant legal barriers to the claims contemplated” by the letter. The Court noted in dicta that although it did not need to reach the merits of Plaintiff’s proposed action, Plaintiff’s “novel theory” under Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996) and Stone v. Ritter, 911 A.2d 362 (Del. 2006) would require Plaintiff to demonstrate that Wyndham’s “directors utterly failed to implement any reporting or information system . . . [or] consciously failed to monitor or oversee its operations thus disabling themselves from being informed.” Stone, 911 A.2d at 370. Because the record demonstrated that the Board actively addressed Wyndham’s cybersecurity challenges, the Court suggested that the Board was also free to consider the weakness of Plaintiff’s Caremark claim in its deliberations and in refusing Plaintiff’s demand. Absent well-pleaded allegations of a conflicted board or conflicted advisors, a board which implements and reviews a reporting and information system for cybersecurity challenges is more likely to succeed in dismissing derivative claims under Caremark and Stone.