Business Litigation Reporter

Corporate directors and officers may increasingly be targets of shareholder derivative lawsuits in the wake of the surge of regulatory actions and private litigation around data breaches,.  While no individual directors and officers have to date been held liable for the costs of a data breach, such lawsuits have been filed and the signals from plaintiffs’ attorneys indicate that, if they have their way, the wave will break soon.  Corporate leaders need not be caught off guard.  As a recent court decision confirms, the risk of individual liability can be mitigated by taking proactive measures.

Data Breaches on the Rise

2014 was hailed as yet another year of the data breach.  A recent study by the Ponemon Institute estimates that 43% of companies experienced a data breach last year, led by high-profile incidents at Target, eBay, Adobe, Snapchat, Michaels, Home Depot, Neiman Marcus and AOL.  And, of course, 2014 was capped off by the breach of Sony Pictures Entertainment, which splashed celebrity gossip and entertainment industry chatter across the headlines, as well as business-critical, confidential information regarding company financials and projections and employees’ personal information.

Personal Liability for Directors and Officers—Caremark is Alive and Well

A shareholder derivative action is a lawsuit brought by a corporation’s shareholders, ostensibly on behalf of the corporation, and often against the corporation’s directors and officers.  In its 1996 Caremark decision, the Delaware Chancery Court declared that, in such actions, directors can be held personally liable for failing to “appropriately monitor and supervise the enterprise.”  The court emphasized that a company’s board of directors must make a good faith effort to implement an adequate corporate information and reporting system.  Failing to do so can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.” 

The Caremark case has become a beacon across the corporate world for director conduct and now covers officers, including general counsel.  Directors and officers must not demonstrate a “conscious disregard” for their duties or ignore “red flags” – failure to do so can result in a director or officer being held personally liable for a corporation’s losses.  This is because, as the Delaware Supreme Court later clarified in Stone v. Ritter, conduct that evidences a lack of good faith may violate the fiduciary duty of loyalty. And, although Delaware law allows a corporation to waive or limit a director’s liability for violations of the duty of care, such waivers or limits are not allowed for the duty of loyalty.

While the Caremark case did not address information assets and corporate duties to protect them, its reasoning is being readily applied by plaintiffs seeking to capitalize on the cybersecurity issues confronting companies today.  At least one expert, UCLA Professor Stephen Bainbridge, has suggested that no good reason exists to distinguish past Caremark decisions on lax legal compliance and accounting controls from potential widespread failures to implement and maintain appropriate risk management policies. 

Regulators Step up Pressure

Government enforcement of data security standards has proliferated, and regulatory actions often are cited in subsequent shareholder derivative actions.  Such actions are pointed to both as “red flags” that should have led officers and directors to anticipate problems and as measures that reduced corporate value.  Leading the regulatory charge, the Federal Trade Commission recently announced its 53rd data security settlement, while noting that the number is “likely to go up.” 

Other agencies have also staked a claim in the data security regulation gold rush.  Among banking industry regulatory agencies, the Federal Financial Institutions Examination Council recently announced a new regulatory self-assessment for banks’ cybersecurity risks and the Federal Deposit Insurance Corporation has declared cybersecurity a main supervisory focus. Building on its 2011 guidance on corporate disclosure obligations relating to “cybersecurity risks and cyber incidents,” the Securities and Exchange Commission recently released a risk alert on the cybersecurity preparedness of registered broker-dealers and investment advisers.  Subsequently, the frequency with which public companies have reported data breaches has increased dramatically.  Likewise, in October 2014, the Federal Communications Commission fined two companies $10 million each for maintaining “unjust and unreasonable” data security practices in violation of the Communications Act of 1934.  A senior FCC official noted that it was the agency’s first data security enforcement action, “but it will not be the last.”  And state attorneys general have enforced both state and federal statutes against companies doing business within their jurisdictions.  As a result, the risks to enterprises, and therefore the relevance to directors and officers, is increasing dramatically.

The Plaintiffs’ Bar Follows Suit

Those directly affected by data breaches – consumers and businesses alike – have followed the increase in enforcement actions and brought their own suits, often as class actions.  The slew of lawsuits filed against Target Corporation after the 2013 hack of its payment system exposed the financial information of 110 million customers is typical.  A class of consumers is seeking damages for Target’s alleged negligence in exposing their personal financial information, and a group of banks is seeking reimbursement from Target for the cost of reimbursing fraudulent charges and for replacing credit and debit cards.  Last month, a federal judge in Minnesota denied Target’s motion to dismiss both cases. 

Shareholders Seize the Opportunity

In the wake of a data breach, companies can face government enforcement, significant fines, litigation settlements or judgments, and declining share prices, all of which are fodder for shareholder derivate lawsuits brought under Caremark.  A number of such lawsuits have in fact recently been filed.  Although their filing confirms the risks of personal liability that directors and officers face in the event of a data breach, a federal district court’s recent decision in a data breach involving Wyndham provides a roadmap for some appropriate proactive measures to help mitigate risks.    

After hospitality company Wyndham Worldwide Corporation suffered three data breaches between 2008 and 2010, a shareholder brought a derivative action on behalf of the corporation against Wyndham’s board.  Coming after the FTC had initiated an enforcement action (which remains pending on appeal today), the plaintiffs in Palkon v. Holmes alleged that Wyndham had failed to implement adequate data security mechanisms and that this failure allowed hackers to steal the data of over 600,000 customers. They seek to assert claims on behalf of the company against its directors and officers for their alleged role in those failings.

In October 2014, a New Jersey court dismissed the case with prejudice, deferring to the board’s business judgment that the company should not bring such a case against its officers and directors.  In its opinion citing the Delaware case law spawned by the Caremark case, the court highlighted the board’s engaged and thorough response to two demand letters and a prior FTC investigation.  Specifically, the court found that the board had discussed the breaches at 14 meetings between 2008 and 2012, the Wyndham Audit Committee had discussed the breaches in at least 16 meetings during that same period, and the board had engaged an outside technology firm to assess Wyndham’s information security policies.  This record of extensive consultation led the court to conclude that the board “had enough information when it assessed plaintiff’s claim,” and hence that the board’s decision not to bring suit was within its broad discretion under the business judgment rule.

Despite not needing to discuss the merits of the claims that the plaintiffs (because of its ruling that the plaintiffs had no right to pursue those claims on the company’s behalf), the court specifically stated that the plaintiff’s suit fell short of alleging, as Caremark requires, that the board had “utterly failed to implement any reporting or information system [or] consciously failed to monitor or oversee its operations.”  The court noted that “security measures existed when the first breach occurred,” and the board had addressed data security concerns “numerous times.”

The Wyndham case thus shows that the risks of shareholder derivative actions against directors and officers arising from a data breach are very real, but also that strong defenses on both the threshold demand requirement and the underlying merits can be presented if companies take appropriate measures both before and again, if necessary, after any data breach. 

Moving Data Security from the Server Room to the Board Room

Data security and information governance are increasingly part of the board-level communications as the centrality of information to enterprises continues to grow.  But these discussions cannot happen quickly enough—the same Ponemon Institute study that found almost half of U.S. companies experienced a data breach in 2014 also noted that 27% did not have a data breach response plan in place. 

Cybersecurity is becoming ubiquitous in the United States and with that saturation comes the potential for greater liability.  Because of the klieg lights currently trained on data security, corporate defendants will find it difficult to argue that there were no “red flags,” likely opening the door to Caremark just wide enough for waiting plaintiffs to walk right in. 

The good news is that, as the Wyndham case confirms, it is possible for directors and officers to take action that will satisfy their Caremark duties.  Some measures frequently identified that boards may consider include:

• Hire a Chief Information Security Officer and engage outside technical experts to conduct regular assessments and to educate officers and board members on data security.
• Evaluate and/or appoint a board committee to focus on data protection.
• Have the board regularly address and deliberate when deciding issues of data security, and carefully document the deliberations to demonstrate appropriate care.
• Adopt a security plan that is tailored to the company’s specific risk profile (and review and assess those risks systematically on a regular schedule and as needed in response to specific threats).
• Hold information and training sessions to increase awareness at all corporate levels.
• Perform gap analyses and comparative benchmarking with peer organizations that hold similar types of information.
• Learn from experience.  Perfect security doesn’t exist but every organization can learn.
• Ensure open lines of communication.  Often competing pressures may limit IT’s ability to deliver security, but by enabling open and direct communication to and with the board and senior management, security risks have a greater chance of being addressed appropriately.   
• Review D&O insurance and related insurance policies holistically for coverage regarding security incidents and protection of the company’s brand, information assets and other assets.

Just as no perfect security exists, there are no perfect solutions for officers and directors.  Fortunately, the courts have not required perfection.  Rather, by being able to demonstrate attention and care, including some or all of the steps set forth above, officers and directors can both help protect the organizations they serve and mitigate the risk of personal liability in this rapidly emerging and increasingly important area.

Goodwin Procter’s Privacy & Cyber Security Practice

Goodwin Procter has been advising public and private companies of all sizes—and their officers and directors—regarding privacy and data security matters for nearly two decades.  Having counseled on more than 100 data breaches including several landmark cases, our team provides practical, actionable advice on all aspects of information-related management and risk; before, during and after breaches.  Officers and directors routinely rely on our team to assist with these issues in the board room and beyond. 

We offer a cross-disciplinary approach—drawing on our corporate, technology and litigation experience—to help clients navigate the legal landscape, efficiently manage data, and effectively respond to threats. Our practice is designed to cover the life cycle of privacy needs from counseling, to incident response and internal/regulatory investigations, to litigation.

Meet Our Team

Our attorneys are experienced professionals who are well-recognized in the field. They are involved in key leadership positions in national and international groups such as:

• Chair of the American Bar Association’s Business Law Section;
• Co-chair of the ABA’s Criminal Justice Section’s Cybercrime Committee;
• Vice-chair of the ABA’s International Section’s Information Services, Technology & Data Protection Committee;
• Former General Counsel of the Department of Homeland Security; and
• Former Chair, ABA’s Consumer Financial Services Committee.

Members of our Privacy & Cyber Security practice are thought leaders in the field, who are frequent speakers at national and international conferences and events. They are highly sought for media commentary by The Wall Street Journal, CNN and many other news outlets across the country. They have taught “Law of Cyberspace” at a number of law schools and have authored numerous publications on data privacy, including the books Data Privacy in the Information Age, The Legal Guide to e-Business, and Data Security and Privacy Law – Combating Cyber Threats, and The Right to Know: Your Guide to Using and Defending Freedom of Information Laws in the United States.

Goodwin Procter’s Business Litigation Reporter provides timely summaries of key cases and other developments within dedicated Business Litigation sessions and related courts throughout the country – courts within which Goodwin Procter’s Business Litigation attorneys are continually litigating. In addition, each issue of the Business Litigation Reporter provides a more thorough discussion of one topic of particular importance to the business community. In this issue, we explain the impact Caremark could have on the personal liability directors and officers might face in the event of a data security breach, and how to mitigate this risk. We also provide an overview of our Privacy & Cyber Security Practice and key lawyers in this area.

California

Arbitration Waived By Classwide Discovery And Settlement Negotiations. In Bower v. Inter-Con Security Systems Inc., 2014 WL 7447677 (Cal. Ct. App. Dec. 31, 2014), the First District Court of Appeal affirmed the superior court’s denial of Inter-Con’s motion to compel arbitration on the ground of waiver. The plaintiff filed a putative class action in the California Superior Court, and Inter-Con asserted an affirmative defense that the claims were subject to arbitration. Inter-Con then propounded class-wide discovery, and participated in settlement discussions with the plaintiff. The Court of Appeal held that Inter-Con waived its right to arbitrate because both the discovery that it had propounded, and the settlement discussions in which it had engaged, had been class-wide rather than limited to the individual plaintiff’s claim, and hence were broader than the scope of arbitration would have been.

No Arbitration Agreement With Service Provider Following Free Trial Period Provided By Car Dealer. In Knutson v. Sirius XM Radio Inc., 771 F.3d 559 (9th Cir. 2014), a putative class action alleging violations of the Telephone Consumer Protection Act, the Ninth Circuit reversed the district court’s order granting Sirius XM’s motion to compel arbitration pursuant to the Federal Arbitration Act. The plaintiff purchased a Toyota vehicle that came with a trial subscription to Sirius XM satellite radio. When the trial period ended, Sirius XM sent the plaintiff a Welcome Kit that contained a customer agreement with an arbitration provision. The plaintiff argued he did not assent to that agreement because he did not read the documents in the Welcome Kit, believing that his relationship was with Toyota. The Ninth Circuit held that a reasonable person in the plaintiff’s position would not have understood he was entering into a contractual relationship with Sirius XM, and rejected Toyota’s argument that the plaintiff’s continued use of the radio service indicated his acceptance of the agreement.

Claim Challenging “All Natural” Product Label Dismissed Absent Proof Of Consumer Expectations. In Brazil v. Dole Packaged Foods, LLC, 2014 WL 6901867 (N.D. Cal. Dec. 8, 2014), Judge Koh granted Dole’s motion for summary judgment in an action by California consumers of packaged fruit and fruit juice containing allegedly misleading “all-natural” statements. The court held that plaintiffs had failed to adduce expert or otherwise evidence – as opposed to mere assertions – that consumers would not have expected the products to contain citric acid or ascorbic acid. Based on this conclusion, Judge Koh also rejected the claim that the statements were unlawful under California’s Unfair Competition Law. The plaintiff has appealed to the Ninth Circuit.

Delaware

Chancery Court Has Jurisdiction Over Asset Sale Involving Allegedly Unique Property. In Willis v. PCA Pain Center of Virginia, Inc., 2014 WL 5396164 (Del. Ch. Oct. 20, 2014), the Delaware Court of Chancery held that it had jurisdiction over a breach-of-contract action seeking specific performance of the completion of an asset sale where the property in question allegedly was “unique” – that is, constituted “a truly unique opportunity that cannot be adequately monetized.” The court warned, however, that a mere request for specific performance in a case involving personal property typically is not enough to confer jurisdiction on the Court of Chancery. The court also stayed the action pending resolution of an earlier-filed action in Virginia involving many of the same parties and arising from common facts. Although the Court concluded that the specific facts warranted a stay, it noted that the first-filed rule is not strict and that “[w]hen actions are filed within a very narrow time frame, the Court will sometimes consider the actions to have been filed contemporaneously.”

Records Inspection Can Be Conditioned On Limitation Of Forum For Resulting Litigation. In United Technologies Corp. v. Treppel, No. 127, 2014 (Del. Dec. 23, 2014), a corporation requested the court to require, as a precondition to its production of documents in response to a shareholder’s Section 220 books and records demand, that any suit arising from the production be brought in a Delaware court. The Chancery Court held that it lacked authority to impose such a forum restriction as a condition to a Section 220 demand. The Delaware Supreme Court reversed, holding that Section 220 gives the Chancery Court broad power to condition a books and records inspection, including the condition requested here. The Supreme Court remanded the case to the Chancery Court to consider whether, in the exercise of its discretion, to impose a forum restriction in this particular case.

Massachusetts

Acquirer Controls Target Corporation’s Attorney-Client Privilege Under Delaware Law. In Novack v. Raytheon Co., No. 13-2852-BLS1, Judge Billings of the Business Litigation Session of the Massachusetts Superior Court held that after a merger, under Delaware law, the acquiring corporation – not the shareholders of the acquired company – controls the attorney-client privilege applicable to pre-merger communications between the acquired company and its attorneys regarding the merger. The court acknowledged that because disputes arising out of a merger are likely to pit the interests of the acquired corporation against those of the acquirer, courts in some states have refused to pass the attorney-client privilege regarding the merger to the surviving corporation. Nevertheless, the court held that because Delaware law provides that “all property, rights, [and] privileges” vest in the surviving corporation, that includes the target corporation’s attorney-client privilege. The court also noted that “parties to merger agreements can – and have – negotiated special contractual agreements to protect themselves and prevent certain aspects of the privilege from transferring to the surviving corporation,” but that the parties did not do so here.

Systematic Contacts Insufficient For General Personal Jurisdiction. In Fed. Home Loan Bank of Boston v. Ally Fin., Inc., No. 11-10952-GAO (D. Mass.), Judge O’Toole issued the first written opinion within the First Circuit to apply the new, stricter standard for establishing general personal jurisdiction over out-of-state companies announced in Daimler AG v. Bauman, 134 S. Ct. 746 (2014). The case concerned the existence of personal jurisdiction over ratings agencies that were being sued in Massachusetts over certain mortgage-backed securities. The court, prior to Daimler, had held that the defendants’ contacts with Massachusetts “were sufficiently continuous and systematic to justify the exercise of general personal jurisdiction,” even though the defendants were incorporated and had their principal place of business elsewhere. Based on Daimler, however, the court reconsidered its prior decision and dismissed the case against the rating agencies for lack of personal jurisdiction. As the court noted, Daimler rejected “the exercise of general jurisdiction in every State in which a corporation engages in a substantial, continuous, and systematic course of business.”

Violation Of The FDCPA Per Se Violates Chapter 93A. In McDermott v. Marcus, Errico, Emmer & Brooks, P.C., 2014 WL 7373201 (1st Cir. Dec. 29, 2014), the First Circuit held that a violation of the federal Fair Debt Collection Practices Act (“FDCPA”) constitutes a per se violation of Chapter 93A, the Massachusetts consumer protection statute that makes unlawful “unfair or deceptive acts or practices in the conduct of any trade or commerce.” This is so, the court reasoned, because Chapter 93A fully “incorporates” the Federal Trade Commission Act (“FTCA”), and “the FDCPA establishes that an unfair debt collection act in violation of the FDCPA is a per se violation of the FTC Act.”

New York

Commercial Division Rule Changes. The Commercial Division has recently amended several of its rules regarding discovery, effective as of April 1, 2015. The revised Rule 11-d limits parties to taking 10 depositions for up to seven hours per deponent. Rule 8 will require parties to confer prior to the preliminary conference about the need to alter the “presumptive limitation” on depositions in Rule 11-d. Amended Rule 14 establishes a procedure for the submission of letters, instead of motions, to the court over discovery disputes. Additionally, a preamble to the Rules has been added advising that judges will sanction parties who engage in “dilatory tactics, fail to appear for hearings or depositions, undue delay in producing relevant documents, or otherwise cause the other parties in a case to incur unnecessary costs.”