Federal District Court in New Jersey Dismisses Shareholder Derivative Action against Wyndham Relating to Data Breach

On October 20, 2014, the United States District Court in New Jersey granted a 12(b)(6) motion to dismiss in favor of Wyndham Worldwide Corporation’s directors and officers in a shareholder derivative action arising out of the 2008 – 2010 data breach.

In Palkon, plaintiff demanded that Wyndham file an action against its own directors and officers following a series of three security breaches through which hackers obtained personal information of over 600,000 Wyndham customers. Wyndham’s Board met to discuss plaintiff’s demand as well as the status of the related action involving Wyndham’s challenge to the Federal Trade Commission’s authority to regulate data security. At the meeting, the Board voted unanimously not to pursue a fiduciary duty lawsuit and rejected plaintiff Palkon’s demand.

wynd

Plaintiff then filed the subject derivative action alleging that the security breaches, together with the Board’s and management’s inadequate handling, damaged Wyndham’s reputation and cost it significant fees and other damages.  Wyndham’s application cited the business judgment rule and argued that Palkon failed to state a claim for which relief could be granted.  Wyndham also argued that the damages alleged by Plaintiff were unduly speculative.

Using Delaware law, the Court granted Wyndham’s motion, finding that plaintiff had failed to meet his burden of rebutting the business judgment rule.  In particular, the Court found that Palkon was unable to establish Wyndham’s D&Os had not acted (1) in good faith, or (2) based on a reasonable investigation. In so doing, the court identified the following facts as relevant to its determination that Wyndham’s D&Os’ investigation had been reasonable:

The Board discussed cyber-related issues, including the company’s security policies and proposed enhancements, at fourteen meetings between October 2008 and August 2012 (the breaches occurred between April 2008 and January 2010);

The Board’s Audit Committee reviewed the same matters in at least sixteen meetings during the relevant period;

During its series of ongoing meetings, Wyndham’s Board addressed and affirmed the implementation of recommendations from the company’s retained technology firms;

Wyndham’s Board was well-versed in the substance of both the FTC litigation and plaintiff’s demand;

There was “ample information” that that Board had at its disposal when it rejected plaintiff’s demand;

The Board already had investigated the issues presented by plaintiff’s demand, as Palkon’s attorney himself had presented an identical demand which had been rejected for the same reasons.

Palkon is not an unusual decision in that it affirms the business judgment rule’s presumption of propriety and enumerates the types of facts that one court found relevant as to whether an internal investigation was reasonable. For policyholders concerned about data security however, the Palkon decision potentially sets a precedent as to the types of activities of which company Boards should be mindful when evaluating and implementing information governance and cybersecurity policy.  It also potentially impacts the standards Boards may be held to in responding to a cyber breach (including through public disclosures).