Unless you’ve been living under a rock—and even then—you probably know that cyber threats loom large for boards of directors. A data breach at a company can have massive reputational and financial repercussions.
Target’s breach case got a ton of press, but there’s another high-profile company that’s still fighting its cyber security woes in court. Wyndham Worldwide Corporation is the company, and it recently chalked up a big win for itself.
We all know that cyber security is a board-level issue—that’s not news. What’s interesting is how effective Wyndham’s board was in defending itself.
Between the years of 2008 and 2010, Wyndham suffered three separate data breaches. Hackers stole more than 600,000 payment card numbers and racked up more than $10 million in fraud, according to reports.
From the brief:
Wyndham ignored multiple warning signs that its network had been compromised, and it failed to address repeated and obvious security lapses that left its computer networks vulnerable to intruders. As a result, hackers infiltrated Wyndham’s computer network and stole customer credit card information, which was used to make millions of dollars in fraudulent charges on the accounts of Wyndham’s customers. The FTC sued Wyndham for failing to take reasonable steps to protect its customers’ data. That failure, the FTC’s complaint charged in relevant part, violated the prohibition on “unfair … acts or practices” in Section 5 of the FTC Act, 15 ….
This case is still active, and the U.S. Court of Appeals Third Circuit just heard oral arguments from both sides in the beginning of March. As one report at TheHill.com points out, the decision will define the government’s role in protecting online consumer data.
But Wyndham already won a motion to dismiss in another case resulting from the cyber attacks: a shareholder derivative lawsuit. The decision highlighted the importance of the due diligence of any board facing a similar threat.
This particular case, which came to a close in late 2014, began with a shareholder sending a letter to the Wyndham board in November 2012 (after the Wyndham hacks were made public), demanding that the board bring suit to address the hacks.
The audit committee, a committee of independent directors, evaluated the shareholder’s demand. The audit committee’s evaluation included consulting with its outside counsel. Ultimately, at the recommendation of the audit committee, the board decided in March 2013 not to bring the suit the shareholder demanded.
In June 2013, another shareholder, Dennis Palkon, who later became the plaintiff in the derivative suit, sent a letter to the Wyndham board demanding that it “investigate, address and promptly remedy the harm inflicted” due to the data breach events.
The board met, and decided not to accede to Mr. Palkon’s demands. In its communication to Mr. Palkon, the board noted that his demands were almost identical to demands they had received earlier from another shareholder.
In 2014, Palkon filed a derivative suit against individual board members and Wyndham. The board members won on a motion to dismiss. From the decision:
At the heart of Plaintiff’s Complaint is an assertion that Defendants failed to implement adequate data-security mechanisms, such as firewalls and elaborate passwords, and that this failure allowed hackers to steal customers’ data. He further claims that Defendants failed to timely disclose the data breaches after they occurred. Plaintiff claims that these actions damaged WWC’s reputation and cost it significant legal fees. Most pertinently, given these allegations, Plaintiff contends that the Board’s decision to refuse his demand was wrongful.
The defendants argued that Palkon’s claims were speculative, and that the board’s refusal to pursue his demands was a good-faith exercise of business judgment.
As the decision outlines, this case was a matter of the business judgment rule:
If a board of directors refuses to pursue a shareholder’s demand, that decision falls under the purview of the “business judgment rule” … Under that rule, courts presume that the board refused the demand “on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company.”
Ultimately, the court sided with the defendants, and dismissed the case of Dennis Palkon, et al. v. Stephen P. Holmes, et al. The decision found that Wyndham did its due diligence when considering the initial demands of the plaintiff, and that it was able to show that the issue of cyber security was proactively being addressed.
The court seemed to find very compelling the fact that beginning in 2008 and up to 2012, the Wyndham board had met and discussed “cyber-attacks, WWC’s securities policies, and proposed security enhancements” 14 times, and its audit committee had reviewed the topic at least 16 times.
After the cyber attacks, Wyndham also hired technology companies to assess the situation, and implemented their recommendations following the second and third breaches.
What Wyndham Teaches Us About Boards and Cyber
Wyndham is a perfect illustration of a court’s desire to follow the business judgment rule, which is a presumption of deference given by a court in favor of a board’s decision.
A court is most apt to do this where there is no conflict of interest and the board can demonstrate a reasonable process. Meeting as a board 14 times in two years and as an audit committee an additional 16 times in that same time frame clearly counted as adequate process. As a result, the board won its motion to dismiss the plaintiff’s suit.
Wyndham ultimately stands for the proposition that a board doesn’t have to get everything right; it just has to demonstrate that it tried in a reasonable way. And when it comes to cyber liability issues, a reasonable board is one that takes time to study the issue, meets to discuss it, and makes some effort to protect against hackers.
As a reminder, as of 2009, the U.S. Securities and Exchange Commission requires public companies to disclose their boards’ role in risk oversight. And then, of course, we have the FTC’s interest in regulating corporations as it relates to their duty to protect consumer information.
In 2014, in front of the U.S. Senate, the FTC made the following statement in its effort to advocate for stronger laws:
The Commission is here today to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law. Never has the need for legislation been greater. With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress must act.
It remains to be seen how the Federal Trade Commission v. Wyndham Hotels & Resorts, LLC, et al. will impact the agency’s role in policing how boards and corporations treat cyber security, but it will no doubt be an important decision.
How Does D&O Insurance Factor into Mitigating Risk?
At this point, we all have come to accept that a cyber breach is an active possibility for most companies. When it comes to board liability, nothing beats the documented process of your board’s due diligence on this topic. But if individual Ds and Os are named in a suit for their failure to protect against a cyber breach, does D&O insurance protect them?
Yes, you can expect a properly brokered D&O insurance program to pay to defend against such a suit. As I pointed out in an earlier post, when it comes to derivative suit settlements, you may want to consider adequate Side A insurance, which responds when a corporation cannot indemnify its directors and officers.
My colleague Lauri Floresca brought to light in a post on cyber as a boardroom issue that there has been some talk that perhaps D&O insurers will attempt to exclude cyber events from policies in the future.
For now, it’s important to ensure that there is no exclusion in your D&O policy for securities claims (including breach of fiduciary duty suits like derivative suits) that arise from or are related to a cyber breach.
Of course, direct coverage for the cyber breach comes from a cyber liability insurance policy—and probably from no other policy in the current insurance market. This is all the more reason to secure cyber insurance as a way to respond to the specificities of cyber events and data breaches, too.
The best plan for mitigating risk as a board is to have processes in place to routinely address cyber risk, have a response plan ready to go should an event occur, and to ensure you have the adequate types of insurance in place to respond should your company ever have to deal with a cyber event.
Want to discuss these and related issues live? Join me at this event hosted by SVDX (Silicon Valley Directors’ Exchange) – the premier networking group for Silicon Valley public company directors:
Lost in Translation: Directors & Cyber-risks
Directors aren’t CTOs: What is the “right” level of inquiry and diligence when it comes to cyber-threats? Where will boards be held responsible for cyber-failures, and what can they do to protect their shareholders and themselves from frivolous suits? What did the Target board fail to do that the Wyndham board did so well? The panel includes active public company board members, a corporate governance expert steeped in the ethos of Silicon Valley, and a renowned cyber-liability insurance expert.
I’ll be moderating this panel. The panelists are:
- Laura Stein, Senior Vice President and General Counsel of The Clorox Company
- Ed Batts, Partner at DLA Piper
- Lauri Floresca, Senior Vice President and E&O/Cyber-Team leader at Woodruff Sawyer
To learn more or to secure a spot at this event, check out the event page at SVDX. Hope to see you there.
The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email: firstname.lastname@example.org.