Defending Against Director & Officer Litigation

Posted on Feb 19, 2015 in Uncategorized | Comments Off on Defending Against Director & Officer Litigation

One form of ancillary litigation that has arisen out of data breaches is shareholder derivative lawsuits against companies that suffer a data breach. In one recent case, Palkon v. Holmes, No. 2:14-cv-01234-SRC-CLW (D.N.J. Oct. 20, 2014), a court dismissed such a shareholder derivative action.

The claims arose out of a series of data breaches against the Wyndham Worldwide hotel chain. In three separate incidents, hackers obtained customers’ personal and financial information. The FTC investigated the incidents and later initiated legal action against the company. A shareholder sent a letter to the company’s board of directors, demanding it investigate the breaches and sue the persons responsible. The board met to discuss this demand (as well as other issues) and voted not to pursue litigation proposed in the letter.

The shareholder then sued, contending that the board’s decision to refuse his demand was wrongful. On motion to dismiss, the court found that the shareholder had failed to plead with particularity “facts which raise a reasonable doubt that the Board acted (1) in good faith, or (2) based on a reasonable investigation.”

Of particular relevance were the court’s findings about the board’s investigation of the demand. The court noted that board members had discussed the data breaches at fourteen meetings before receiving the shareholder’s demand, and had received presentations on the data breaches or data security generally from legal counsel at each quarterly meeting. The Audit Committee of the board had discussed these issues in at least sixteen meetings. The board had also received, investigated, and discussed a “virtually identical” demand letter from a different shareholder before the one at issue in the case. After it received the demand letter at issue, the board met to discuss the demand and provided numerous reasons for denying it. As a result, the court concluded that the board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest” and dismissed the complaint.

The case is currently on appeal. Regardless of the outcome, however, boards would be well-served to follow the example of the Wyndham board and educate themselves on data breach and data security issues, both before and especially after a breach.

Back to top
TAGS: , , , , , , ,