This decision addressed Delaware law regarding three
cyberattacks against Wyndham involving the personal information
of over 600,000 customers between 2008 and 2010. The Federal
Trade Commission began to investigate the cyberattacks in 2010
and commenced enforcement action against Wyndham regarding its
security practices in 2012.
In 2014, a plaintiff shareholder filed a derivative lawsuit
on behalf of Wyndham against Wyndham and its individual
directors and officers regarding the cyberattacks. The plaintiff
alleged that the defendants failed to implement adequate data
security mechanisms (e.g., firewalls and strong passwords),
which allowed hackers to steal customers' data, and failed to
timely disclose the data breaches after they occurred, which
damaged Wyndham's reputation and cost Wyndham significant legal
fees. To bring the lawsuit on behalf of Wyndham, the plaintiff
was required to plead with particularity that the board's
decision to refuse his demand to bring a lawsuit regarding the
cyberattacks was made in bad faith or was not based on a reasonable
investigation.
The Wyndham board's decision to refuse the demand is under
the purview of the business judgment rule. Under the business
judgment rule, there is a presumption that the board refused the
demand on an informed basis, in good faith, and in the honest
belief that the action taken was in the best interests of the
company. Defendants argued, among other things, that the board's
decision to refuse the demand was a good faith exercise of
business judgment, made after a reasonable investigation.
The court dismissed the lawsuit with prejudice, noting in a
footnote:
Caremark requires that a corporation's
"directors utterly failed to implement any reporting or
information system ... [or] consciously failed to monitor or
oversee its operations thus disabling themselves from being
informed." Stone v. Ritter, 911
A.2d 362, 370 (Del. 2006). Yet Plaintiff concedes that security
measures existed when the first breach occurred, and admits the
Board addressed such concerns numerous times. (Compl. ¶¶ 46, 62,
63). The Board was free to consider such potential weaknesses
when assessing the lawsuit.
Actions Mentioned
The following actions of the board and the audit committee
were mentioned:
- The board discussed the cyberattacks,
Wyndham's security policies, and proposed
security enhancements at 14 meetings (the audit
committee discussed at 16 meetings) between 2008
and 2012.
- Wyndham hired technology firms to
investigate each cyberattack and to issue
recommendations on enhancing Wyndham's security.
- After the second and third cyberattacks,
Wyndham began to implement those
recommendations.
Also mentioned was that the general counsel gave a
presentation regarding the cyberattacks and/or Wyndham's data
security generally at every quarterly board meeting.
Next Steps
In light of the fact that directors, officers, and
companies can be and are being sued regarding cyberattacks,
companies should:
- Consider reviewing their organizational
documents, indemnification agreements or
policies, D&O liability
insurance, and cyberliability insurance coverage
- Engage and work together with service
providers and outside advisers regarding
cyberrisks and incidents and management thereof
(e.g., cybersecurity program and data breach
preparation and services)
- Inform the board about cyberrisks and
incidents and management thereof on a regular
basis
- Monitor and address legal, regulatory, and
industry developments regarding cyberrisks and
incidents (including without limitation D&O
litigation) and communicate about them with the
board on a regular basis
Boards should discuss cyberrisks and
incidents and management thereof and related legal, regulatory,
and industry developments on a regular basis.
*Ms. Krasnow thanks Tom Swigert, a trial partner at Dorsey &
Whitney LLP, for his helpful comments.