The duty of a board to monitor and oversee organizational risk includes cyberrisks. As cyberrisks and incidents proliferate, boards are seeking to enhance the information they receive about cyberrisks and incidents. One development boards should be aware of is the decision in the Palkon v. Holmes directors and officers (D&O) litigation (2014 U.S. Dist. LEXIS 148799 (D.N.J. Oct. 20, 2014)).
This decision addressed Delaware law regarding three cyberattacks against Wyndham involving the personal information of over 600,000 customers between 2008 and 2010. The Federal Trade Commission began to investigate the cyberattacks in 2010 and commenced enforcement action against Wyndham regarding its security practices in 2012.
In 2014, a plaintiff shareholder filed a derivative lawsuit on behalf of Wyndham against Wyndham and its individual directors and officers regarding the cyberattacks. The plaintiff alleged that the defendants failed to implement adequate data security mechanisms (e.g., firewalls and strong passwords), which allowed hackers to steal customers’ data, and failed to timely disclose the data breaches after they occurred, which damaged Wyndham’s reputation and cost Wyndham significant legal fees. To bring the lawsuit on behalf of Wyndham, the plaintiff was required to plead with particularity that the board’s decision to refuse his demand to bring lawsuit regarding the cyberattacks was in bad faith or not based on a reasonable investigation.
The Wyndham board’s decision to refuse the demand is under the purview of the business judgment rule. Under the business judgment rule, there is a presumption that the board refused the demand on an informed basis, in good faith, and in the honest belief that the action taken was in the best interests of the company. Defendants argued, among other things, that the board’s decision to refuse the demand was a good faith exercise of business judgment, made after a reasonable investigation.
The court dismissed the lawsuit with prejudice, noting in a footnote:
Caremark requires that a corporation’s “directors utterly failed to implement any reporting or information system … [or] consciously failed to monitor or oversee its operations thus disabling themselves from being informed.” Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). Yet Plaintiff concedes that security measures existed when the first breach occurred, and admits the Board addressed such concerns numerous times. (Compl. ¶¶ 46, 62, 63). The Board was free to consider such potential weaknesses when assessing the lawsuit.
The following actions of the board and the audit committee were mentioned:
- The board discussed the cyberattacks, Wyndham’s security policies, and proposed security enhancements at 14 meetings (the audit committee discussed at 16 meetings) between 2008 and 2012.
- Wyndham hired technology firms to investigate each cyberattack and to issue recommendations on enhancing Wyndham’s security.
- After the second and third data cyberattacks, Wyndham began to implement those recommendations.
Also mentioned was that the general counsel gave a presentation regarding the cyberattacks and/or Wyndham’s data security generally at every quarterly board meeting.
In light of the fact that directors and officers and companies can and are being sued regarding cyberattacks, companies should:
- Consider reviewing their organizational documents, indemnification agreements or policies, D&O liability insurance, and cyberliability insurance coverage
- Engage and work together with service providers and outside advisers regarding cyberrisks and incidents and management thereof (e.g., cybersecurity program and data breach preparation and services)
- Inform the board about cyberrisks and incidents and management thereof on a regular basis
- Monitor and address legal, regulatory, and industry developments regarding cyberrisks and incidents (including without limitation D&O litigation) and communicate about them with the board on a regular basis
Boards should discuss cyberrisks and incidents and management thereof and related legal, regulatory, and industry developments on a regular basis.
This article was first published on IRMI.com and is reproduced with permission. Copyright 2015, International Risk Management Institute, Inc.