A New Jersey federal court recently dismissed a shareholder derivative action, Palkon ex rel. Wyndham Worldwide Corp. v. Holmes,1 against various directors and officers of Wyndham Worldwide Corp. ("Wyndham") alleging breach of fiduciary duty in connection with three data breaches.2 While several shareholder derivative actions have arisen out of data breaches, this is the first substantive decision in such a case, and it illustrates some of the steps that directors and officers should consider in meeting their fiduciary obligations and reducing their cyber-related liability risk.
I. Directors' and Officers' Fiduciary Duties and Cybersecurity
The duty of care or oversight requires directors and officers to make informed, deliberate decisions based on available and material information. Courts apply the business judgment rule and presume that directors and officers "acted on an informed basis, in good faith and in the honest belief that the action was in the best interests of the company."3 Thus, "its important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility."4 Thus, in the context of cybersecurity, directors and officers should establish and maintain sufficient internal controls and reporting systems regarding potential cybersecurity risks, and once such systems are in place, they should adequately monitor the operations of such systems.5
Additionally, public companies may be required to disclose certain "information regarding cybersecurity risks and cyber incidents" when such disclosure is "necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading." The Securities and Exchange Commission ("SEC") has noted that, "with other op"rational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents."6
In a June 10, 2014 speech titled "Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus," delivered at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar highlighted the critical importance of the involvement of boards of directors in cybersecurity oversight. In his speech, Aguilar stressed that "ensuring the adequacy of a company's cybersecurity measures needs to be a part of a board of directors' risk oversight responsibilities." He added the warning that "boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril."
II. The Dismissal of the Palkon Shareholder Derivative Action
April 2008 to January 2010, Wyndham sustained three data breaches that resulted in the theft of credit card and other personal information of over 600,000 customers. In April 2010, the Federal Trade Commission ("FTC") began to investigate the incidents, and in June 2012, the FTC brought an action against Wyndham related to its data security practices. Separately, to satisfy a threshold requirement for a derivative action, shareholder Palkon sent a letter to the Wyndham board demanding that the company "investigate, address and promptly remedy the harm inflicted" on the company and bring a lawsuit against the responsible personnel. The Wyndham board unanimously refused the demand.
Thereafter, on February 24, 2014, the plaintiff filed a derivative action alleging that Wyndham’s board of directors, president/CEO and general counsel breached their fiduciary duties of care and loyalty to the company, and wasted corporate assets, by (1) failing to implement adequate data security mechanisms and internal controls to protect customers' personal and financial information and (2) failing to timely disclose the breaches and causing the company to conceal the breaches from investors.
The New Jersey district court dismissed the action with prejudice because the board's refusal to pursue the plaintiff's lawsuit was a good-faith exercise of business judgment, as required by Delaware law. The district court reached this conclusion primarily based on the board response to (1) the plaintiff's demand letter, (2) a similar demand letter received earlier from another shareholder, and (3) the FTC's investigation and resulting litigation.
The district court's opinion further noted that the Wyndham board had discussed the data breaches and the company's data security policies at numerous board meetings and had proposed security enhancements to prevent future attacks. The board appointed the audit committee to investigate the breaches in response to the initial shareholder demand. That committee met regularly to address the company's cybersecurity risks and investigate the claims set forth in the demand. The Committee conducted its investigation with the assistance of outside counsel and a technology firm hired to investigate the breaches and to recommend security enhancements. In a footnote, the court noted that, although it did not need to consider the merits of the proposed action, the claims were potentially weak because the company had installed cybersecurity measures before the first data breach, and the board had addressed such concerns numerous times.
III. Implications for Directors and Officers
From a timing perspective, the Palkon case is somewhat unique. Three data breaches occurring over almost two years provided the Wyndham board ample time to investigate and respond to the incidents before being faced with the Palkon plaintiff's demand. However, as illustrated in the recent Target and Home Depot breaches, derivative and class actions are more typically brought shortly after an allegedly harmful event occurs, rather than years afterward.
Also, the dismissal in Palkon may have limited precedential value in future shareholder derivative actions because the decision focused only on the board’s demand refusal without reaching the merits of the case. Nevertheless, the decision offers important proactive steps for directors and officers to take in order to minimize the risk and potential harm from data breaches and to position themselves and their companies in a strong defensive position in any subsequent litigation. Those steps may include the following:
Understand Cybersecurity Policies and Practices. To fulfill their fiduciary duties, directors and officers must understand and make well-informed decisions about cybersecurity as an enterprise-wide risk management issue (and not just an IT issue). This requires a basic knowledge of the technical issues in order to be able to ask the right questions and assess the adequacy of the responses. To do so, directors and officers must develop an understanding of the company's practices concerning data security and breach response protocols. They should also stay abreast of evolving industry best practices and cybersecurity recommendations (such as the National Institute of Standards and Technology's cybersecurity framework) and periodically evaluate the company's current cybersecurity procedures and protective measures in light of those standards. Directors and officers can bridge the potential technical knowledge gap through cybersecurity training, and they can supplement their knowledge by engaging outside technical and legal advisors to advise them on the potential implications of cybersecurity risks, taking into consideration the company's specific circumstances and risk profile.
Develop Cybersecurity Reporting and Control Systems. Directors and officers must take an active role to ensure that sufficient cybersecurity safeguards and internal controls exist and that they are being followed. To do so, they should consider appointing a chief information officer (CIO), chief information security officer (CISO) and/or chief privacy officer (CPO) with expertise on cybersecurity who can meet with and periodically advise the board. The board may also consider appointing a special committee tasked with privacy and cybersecurity that includes the above officer(s) in addition to key stakeholders. The committee should meet regularly and report to the board to ensure that the board is adequately briefed and engaged on cybersecurity issues. Directors should set the expectation that management will establish an enterprise-wide cyber risk framework with adequate staffing and budget.
Identify Sensitive Data and Systematically Delete Obsolete Information. Numerous states, including Massachusetts, Texas and California, have adopted laws mandating the protection and disposal of personal information.7 Under those laws, businesses are required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect personal information from unauthorized access, destruction, use, modification or disclosure. Additionally, other states, including Oregon and Nevada, impose an affirmative obligation on businesses to dispose of records (both physical and electronic) containing personal information after such records are "no longer needed for business purposes."8 The scope of these state laws may be broad, imposing a duty not only on a business that is physically located in one of those states, but also on any business located outside of these states that obtains personal information from residents of those states. Accordingly, to comply with these laws, senior management should ensure that the company identifies its sensitive data, including personal identifying information, protected health information and customer financial information, and implements sufficient safeguards and access controls to protect the information, as well as protocols to systematically delete or dispose of the information when it is no longer needed for business purposes.
Develop and Test a Data Breach Response Plan. Given the increasing frequency and sophistication of cyber-attacks, even the most robust safeguards and internal controls cannot guarantee that a data breach will not occur. Thus, businesses must be prepared to promptly investigate and respond to such incidents by developing and regularly testing a data breach response plan.
Assess Corporate Indemnification and Cyber Insurance. The board should review the company's formation documents to ensure that they limit personal liability and provide indemnification to the fullest extent permitted under applicable law. Delaware law, for example, permits corporations to include, in the certificate of incorporation, a provision eliminating director personal liability for monetary damages arising from a breach of the duty of care. Delaware further permits corporations to indemnify directors for liability arising from breaches of the duty of care. The board should also make sure that the company and its members are insured against cyber-related claims and liabilities. General liability policies may be insufficient to address the unique circumstances of a data breach and other related cybersecurity claims, and many such policies have specific exclusions for data breaches.9 Cyber insurance is tailored to cover first-party expenses such as forensic investigation costs and credit monitoring as well as traditional defense of third-party claims arising out of a breach. Directors and officers should also review their existing D&O policy to determine whether it is sufficient to cover the risk of derivative claims and shareholder class actions following a data breach.
IV. Conclusion
The Palkon case marks an initial step as courts begin to grapple with the issue of director and officer liability, if any, for data breaches. However, the case should not be read to induce complacency or overconfidence in the ranks of potentially exposed directors and senior management. Rather, as explained above, it is imperative to understand and engage with this volatile new area of exposure now and to manage it in a manner that is consistent with the duties and expectations imposed on directors and officers under current law.
1 Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No. 2:14-cv-01234 (D.N.J. Oct. 20, 2014).
2 See, e.g., La. Mun. Police Emp.’s Ret. Sys. ex rel. The TJX Cos., Inc. v. Alvarez et al., C.A. No. 5620-VCN, 2010 WL 2709960 (Del. Ch. filed July 2, 2010), and In re Target Corporate S’holder Derivative Litig., No. 0:14-cv-00203-PAM-JJK (D. Minn. Jan. 21, 2014). The TJX case settled in July 2010, and the Target case is in the early stages of litigation.
3 Smith v. Van Gorkam, 488 A.2d 858, 872 (Del. 1985).
4 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996); Stone v. Ritter, 911 A.2d 363, 369 (Del. 2006).
5 See Stone, 911 A.2d at 370-72 (affirming dismissal of shareholders derivative action where the directors discharged their oversight responsibilities by establishing an information and reporting system that permitted the directors to periodically monitor the company’s compliance with relevant law).
6 See Securities and Exchange Commission, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011), available at www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
7 See Selected State Laws Governing the Safeguarding and Disposing of Personal Information, available at: http://www.vedderprice.com/selected-state-laws-governing-safeguarding-and-disposing-of-personal-information/
8 See, e.g., Oregon Consumer Identity Theft Protection Act, ORS § 646A.622(2)(d)(C)(iv).
9 See, e.g., Zurich Am. Ins. Co. v. Sony Corp. of America et al., Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014), wherein the New York trial court ruled that, based on a CGL policy, Zurich had no duty to defend Sony in litigation stemming from a 2011 attack on Sony’s PlayStation Network. That attack exposed the account data of approximately 100 million individuals and compromised more than 12 million credit and debit cards, resulting in the filing of more than 60 nationwide class actions against Sony.