Important cyber D&O court precedent set in recent Wyndham ruling

By Richard Bortnick on November 20, 2014

In the first of what is certain to become a cottage industry of derivative lawsuits involving alleged inadequate cybersecurity and deficient public disclosures, a New Jersey federal court granted a motion to dismiss filed by Wyndham Worldwide Corporation’s directors and officers, based on its finding that Wyndham’s Board had duly considered and dismissed the plaintiff’s demand that the company sue its directors and officers.

In Palkon v. Holmes, et al., Case 2:14-cv-01234-SRC-CLW, plaintiff presented the demand following a series of three security breaches through which hackers obtained personal information of over 600,000 Wyndham customers. (This is the same series of events that gave rise to the well-known lawsuit in which Wyndham is challenging the FTC’s jurisdiction.)

Wyndham’s board met to discuss plaintiff’s demand as well as the status of the FTC action. At that time, the board voted unanimously not to pursue a fiduciary duty lawsuit and thereby rejected plaintiff’s demand.

Plaintiff thereafter sued, alleging that the security breaches, together with the board’s and management’s inadequate handling, damaged Wyndham’s reputation and cost it significant fees.

In moving to dismiss, defendants relied on the business-judgment rule. They also asserted that plaintiff had failed to state a claim and that the damages alleged were speculative.

Ruling on Delaware law, the court on October 20 granted Wyndham’s motion, finding that plaintiff had failed to meet his burden of rebutting the business-judgment rule. In other words, plaintiff was unable to raise a reasonable doubt as to whether Wyndham’s D&Os had acted (1) in good faith, or (2) based on a reasonable investigation.

In so doing, the court identified the following facts as relevant to its determination that Wyndham’s D&Os’ investigation had been reasonable:

  • The Board discussed cyber-related issues, including the company’s security policies and proposed enhancements, at 14 meetings between October 2008 and August 2012 (the breaches occurred between April 2008 and January 2010);
  • The Board’s Audit Committee reviewed the same matters in at least sixteen meetings during the relevant period;
  • During its series of ongoing meetings, Wyndham’s Board addressed and affirmed the implementation of recommendations from the company’s retained technology firms;
  • Wyndham’s Board was well-versed in the substance of both the FTC litigation and plaintiff’s demand;
  • There was “ample information” that the Board had at its disposal when it rejected plaintiff’s demand; and
  • The Board already had investigated the issues presented by plaintiff’s demand, as his attorney himself had presented an identical demand which had been rejected for the same reasons.

From the inside looking out, there is nothing special or unique about Palkon. It affirms the business judgment rule’s presumption of propriety and enumerates the types of facts that one court found relevant as to whether an internal investigation was reasonable.

From the outside looking in, however, the decision sets precedent as to the types of activities of which a board should be mindful when evaluating and implementing information governance and cybersecurity regimes as well as in responding to a cyber breach (including through public disclosures). We regularly hear from clients asking about pre-breach avoidance strategies. Now there is court guidance ratifying the value of a proactive approach in the context of a derivative litigation.

As we’ve said before, you can pay now or pay more later. And as should now be self-evident, whether you’re a director or officer of a private company or a public company, it will be far more costly to postpone or delay the employment of a robust cybersecurity regime. There no longer is an excuse for waiting. Unless, of course, you like to pay lawyers and other vendors more to be reactive, as opposed to what it would have cost had management been proactive.

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously shareholder in law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.