We have previously blogged about Commissioner Aguilar’s recommendations at a NYSE conference, “Cyber Risks and the Boardroom,” on what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats. On October 20, 2014, the United States District Court for the District of New Jersey dismissed a derivative lawsuit (Palkon v. Holmes, Case No. 2:14-CV-01234) filed against directors and certain officers, including the General Counsel, of Wyndham Worldwide Corporation (WWC). The Court’s opinion can be viewed as a real-life validation of the principles outlined in the Commissioner’s speech.
WWC is a hospitality company that operates hotels and resorts globally (it is incorporated in Delaware and headquartered in New Jersey). As part of its business, WWC collects customers’ personal and financial data and lets customers make room reservations online, which requires them to enter their personal credit card information. On three occasions between April 2008 and January 2010, hackers breached WWC’s main network and those of its hotels and obtained the personal information of over six hundred thousand customers. The Plaintiff filed the derivative lawsuit after WWC’s Board had refused the Plaintiff’s demand to bring a lawsuit against directors and senior management related to such breaches. The Court found that WWC’s Board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest” and dismissed Plaintiff’s claims with prejudice.
The Court’s opinion includes a detailed description of the Board’s actions related to cyber-security matters, including the following:
- Board members had discussed the cyber-attacks, WWC’s security policies, and proposed security enhancements at fourteen meetings from October 2008 to August 2012 (at every quarterly Board meeting, the General Counsel gave a presentation regarding the breaches and/or WWC’s data security generally).
- The Audit Committee discussed the same matters in at least sixteen committee meetings during this same time period.
- WWC hired technology firms to investigate each breach and to issue recommendations on enhancing the company’s security.
The emphasis that the Court put on the Board’s actions underscores the importance of a thorough process and the use of available resources (hopefully, prior to cyber-attacks) in a board’s approach to the oversight of cyber-risk management.