In the first of what is certain to become a cottage industry of derivative lawsuits involving allegedly inadequate cybersecurity and deficient public disclosures, a New Jersey federal court granted a motion to dismiss filed by Wyndham Worldwide Corporation's directors and officers, based on its finding that Wyndham's Board had duly considered and rejected the plaintiff's demand that the company sue its directors and officers.
In Palkon v. Holmes, et al., Case 2:14-cv-01234-SRC-CLW, the plaintiff presented the demand following a series of three security breaches through which hackers obtained the personal information of over 600,000 Wyndham customers. (This is the same series of events that gave rise to the well-known lawsuit in which Wyndham is challenging the FTC's jurisdiction.)
Wyndham’s board met to discuss plaintiff’s demand as well as the status of the FTC action. At that time, the board voted unanimously not to pursue a fiduciary duty lawsuit and thereby rejected plaintiff’s demand.
Plaintiff thereafter sued, alleging that the security breaches, together with the board’s and management’s inadequate handling, damaged Wyndham’s reputation and cost it significant fees.
In moving to dismiss, defendants relied on the business-judgment rule. They also asserted that plaintiff had failed to state a claim and that the damages alleged were speculative.
Applying Delaware law, the court on October 20 granted Wyndham's motion, finding that the plaintiff had failed to meet his burden of rebutting the business-judgment rule. In other words, the plaintiff was unable to raise a reasonable doubt as to whether Wyndham's D&Os had acted (1) in good faith, or (2) based on a reasonable investigation.
In so doing, the court identified the following facts as relevant to its determination that Wyndham’s D&Os’ investigation had been reasonable: The board discussed cyber-related issues, including the company’s security policies and proposed enhancements, at 14 meetings between October 2008 and August 2012 (the breaches occurred between April 2008 and January 2010):
From the inside looking out, there is nothing special or unique about Palkon. It affirms the business judgment rule’s presumption of propriety and enumerates the types of facts that one court found relevant as to whether an internal investigation was reasonable.
From the outside looking in, however, the decision sets precedent as to the types of activities of which a board should be mindful when evaluating and implementing information governance and cybersecurity regimes, as well as when responding to a cyber breach (including through public disclosures). We regularly hear from clients asking about pre-breach avoidance strategies. Now there is court guidance ratifying the value of a proactive approach in the context of derivative litigation.
As we've said before, you can pay now or pay more later. And as should now be self-evident, whether you're a director or officer of a private company or a public company, it will be far more costly to postpone putting a robust cybersecurity regime in place. There no longer is an excuse for waiting. Unless, of course, you like to pay lawyers and other vendors more to be reactive than it would have cost had management been proactive.