Between April 2008 and January 2010, Wyndham Worldwide Corporation suffered three data breaches that resulted in the theft of credit card information of over 600,000 customers. Plaintiff Dennis Palkon later filed a derivative action entitled Palkon v. Holmes in the U.S. District Court for the District of New Jersey. He alleged that the entire board, president/CEO, and general counsel of Wyndham breached their fiduciary duties of care and loyalty to the company, and wasted corporate assets, by failing to implement a system of internal controls to protect customers’ personal and financial information, and by causing or allowing the company to conceal the data breaches from investors.
On October 20, 2014, the court dismissed the complaint with prejudice. Palkon is the first decision in a shareholder derivative action against directors arising out of a data breach. The decision illustrates some of the steps that directors can take to reduce their risk of cyber-related liability. Our colleague, David Barres, has prepared an analysis of the case and its implications for director liability that you can read here. Palkon underscores the importance of direct board involvement in cybersecurity, both before and after any data breach occurs.