We recently discussed the increase in data breach litigation which resulted after several high-profile data breaches. You can read those articles here and here. Not surprisingly, several of these suits involve class actions filed by customers whose data was accessed, but recently shareholders have also gotten in on the action. In a big win for corporations, the first of these shareholder derivative suits to be tested in a district court was dismissed. See Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No. 2:14-cv-01234 (D.N.J. filed Feb. 25, 2014).

Between April 2008 and January 2010, Wyndham experienced a series of data breaches where hackers obtained personal information of over six-hundred thousand customers. These breaches resulted in an alleged $10.6 million in fraud losses. As a result, a Wyndham shareholder, Palkon, sent a series of letters to the Board of Directors demanding that it bring suit based on the breaches. The Board declined to bring the suit, but discussed the attacks at length and implemented security enhancements to prevent future breaches.

Despite these preventative actions, on February 25, 2014, Palkon, filed a derivative lawsuit alleging that Wyndham failed to implement adequate data-security, and timely disclose the breaches. It alleged that as a result of these alleged actions the Board's refusal to file suit was wrongful. To support his claims, Palkon argued that the Board's refusal to bring the claim was in bad faith because 1) it relied on the advice of legal counsel who was also handling a suit by the FTC based upon the same security breaches; 2) because the General Counsel faced personal liability stemming from the breaches; and 3) was intimately involved in setting up the data security. Palkon also argued that the board's investigation was predetermined before he sent the demand letter and was thus, unreasonable.

On a Motion to Dismiss by defendants, the United States District Court for the District of New Jersey held that Palkon failed to plead facts that the Board acted unreasonable or in bad faith. The Court held that although the Board employed the same law firm handling the FTC suit, the law firm was "duty-bound at all times to advocate" for Wyndham. It further held that Palkon failed to plead facts which tended to show that the General Counsel faced any personal liability or was intimately involved in setting up data security.

As to the reasonableness of the investigation, the Court found it significant that the Board's familiarity with the breaches began well before it received a demand letter. It noted that the Board had discussed the breaches at fourteen meetings, the Audit Committee had discussed them at sixteen meetings and was formally charged with review of the matter. The Board had also investigated a virtually identical demand letter just prior to receiving Palkon's. The Court held that the "earlier investigations, standing alone, would indicate that the Board had enough information when it assessed [Palkon's] claim." As a result, the Court granted the Motion to Dismiss.

Although this is a win for corporations, they should take note of Wyndham's post breach actions, which helped get this suit dismissed. Learning from Wyndham, corporations should take proactive measures to discuss security management in corporate meetings, and regularly audit security practices. If a breach should occur, corporations should take immediate and extensive actions to repair and prevent future harm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.