By Katie W. Johnson
May 8 --Wyndham Worldwide Corp.'s officers and board members breached their fiduciary duties and wasted corporate assets by failing to protect customers' information and failing to timely disclose three resulting data breaches in the company's financial filings, according to a shareholder derivative complaint filed May 2 in the U.S. District Court for the District of New Jersey.
Between April 2008 and January 2010, three separate data breaches affected the networks and computers of hotelier Wyndham and its subsidiaries, compromising the personal and financial information of more than 619,000 of the company's customers, according to the complaint.
Security deficiencies at the company and its subsidiaries, such as the storage of payment card information in clear readable text, “unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft,” the complaint said.
“Boards of Directors have significant latitude in their responses to data security incidents,” Edward McNicholas, partner at Sidley Austin LLP in Washington, told Bloomberg BNA May 8. The plaintiff must “demonstrate that the Directors were acting far beyond the bounds of reasonable business judgment--a particularly high standard.”
“It would be surprising if the Court did not find the Directors' actions in retaining outside investigators to analyze the data security incident to be an exercise in reasonable business judgment,” McNicholas, a member of the advisory board for the Privacy & Security Law Report, added. He said it isn't “clear that these shareholders have suffered any legally cognizable harm or damages, particularly at this point.”
BNA INSIGHTS ARCHIVE
The FTC as Data Security Regulator: FTC v. Wyndham and Its Implications--Woodrow Hartzog, Samford University's Cumberland School of Law, and Daniel J. Solove, George Washington University Law School
What's Next in FTC v. Wyndham Worldwide Corp.?--Jeff Kosseff and Stephen Satterfield, Covington & Burling, Washington
“The Individual Defendants aggravated the damage to the Company from the data breaches by failing to timely disclose the breaches in the Company's financial filings,” the complaint alleged. Wyndham first mentioned the data breaches in a financial filing July 25, 2012, more than two years after the third breach, according to the complaint.
“One week after this untimely disclosure, on August 1, 2012, the U.S. Securities and Exchange Commission ('SEC') sent a comment letter demanding that WWC timely disclose such incidents in future filings,” the complaint said.
Although there are no existing cybersecurity incident or data breach disclosure requirements for public companies registering with the SEC, an October 2011 guidance document from the SEC's Division of Corporation Finance recommended disclosing such incidents and their effects .
In addition, Wyndham's board “wrongfully refused” the plaintiff shareholder's pre-litigation demand to investigate and remedy the alleged violations of law, according the complaint.
“The defendants' failures to implement appropriate internal controls at WWC designed to detect and prevent repetitive data breaches have severely damaged WWC,” the complaint said.
For example, the Federal Trade Commission's enforcement action against Wyndham and several of its subsidiaries--which is pending in the same court in which the shareholder derivative lawsuit was filed--“poses the risk of tens of millions of dollars in further damages to the Company,” according to the complaint.
In the FTC enforcement action against Wyndham, Judge Esther Salas April 7 denied Wyndham Hotels and Resorts LLC's motion to dismiss the enforcement action, holding that the FTC has authority under the FTC Act's unfairness prong to bring an enforcement action against the company to remedy its alleged unreasonable data security practices (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887, 2014 BL 94785 (D.N.J. Apr. 7, 2014)) .
The plaintiff shareholder also alleged that Wyndham's failure to protect its customers' information damaged its reputation.
The complaint contains three counts against the individual defendants: breach of fiduciary duty; waste of corporate assets; and unjust enrichment. The shareholder plaintiff requested an award of damages sustained by Wyndham and a judgment directing the company to take actions to protect the company and its shareholders from similar damage.
On May 5, the defendants filed a motion to dismiss. They argued that the shareholder derivative complaint failed to allege that the board wrongfully refused the shareholder's demand. They also contended that the plaintiff failed to adequately plead state law claims, that he didn't plead cognizable damages and that his claims aren't ripe.
Frederick R. Kessler of Wollmuth Maher & Deutsch LLP, in Newark, N.J., and Ryan A. Kane of the firm's New York office represented the plaintiff. Jennifer A. Hradil and Justin T. Quinn of Gibbons PC, in Newark, N.J., and James P. Gillespie and Emily P. Hughes of Kirkland & Ellis LLP, in Washington, represented the defendant Wyndham officers and board members, as well as Wyndham as a nominal defendant in its derivative capacity.
“The Wyndham derivative action highlights that every company needs to take concrete steps to ensure that its Board, often through the Audit Committee, is exercising appropriate governance of information security,” McNicholas told Bloomberg BNA.
“Evaluating cybersecurity protocols and being ready to respond to a cybersecurity incident should be a significant priority for all companies that are entrusted with consumer data,” he said.
“Effective risk management leads to increased shareholder and consumer confidence, but it requires a significant commitment from leadership, and the right tone at the top to signal that the company is serious about its privacy commitments,” McNicholas added.
To contact the reporter on this story: Katie W. Johnson in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Barbara Yuill at email@example.com
Full text of the complaint is available at http://www.bloomberglaw.com/public/document/PALKON_v_HOLMES_et_al_Docket_No_214cv01234_DNJ_Feb_27_2014_Court_.
Full text of the motion to dismiss is available at http://www.bloomberglaw.com/public/document/PALKON_v_HOLMES_et_al_Docket_No_214cv01234_DNJ_Feb_27_2014_Court_/1.
To view additional stories from Privacy & Security Law Report® register for a free trial now