An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016. Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.
Readers of this space will note our skepticism about the merits of shareholder derivative actions against corporate officers and directors in data breach cases. Claims for corporate mismanagement are subject to the business judgment rule, which protects officers and directors from lawsuits second-guessing their exercise of judgment in the performance of their corporate responsibilities absent self-interested conduct – which is generally not present in data breach cases – or such extreme dereliction of responsibilities as to constitute a breach of their fiduciary duty of care. The difficulty in surmounting that burden is exemplified by dismissals of derivative actions based on data breaches perpetrated against Wyndham, Target, and Home Depot.
The Home Depot dismissal, issued just three weeks ago, apparently did not deter the Wendy’s shareholders from pursuing their derivative claims. But it should have. In both cases the shareholders elected to sue without making demand on the boards of directors, despite the fact that both corporations are incorporated under Delaware law, which makes demand mandatory absent proof that a majority of the board members would be unable to exercise disinterested judgment. The Home Depot shareholders could not do so, and the Wendy’s plaintiffs are unlikely to fare any better. Allegations that a company’s data security practices proved inadequate, standing alone, are generally insufficient to establish that the company’s board cannot exercise independent judgment about whether such inadequacy rises to the level of a fiduciary breach. If past is prologue, the likely result of this shareholder derivative action will be to divert corporate attention from responding to the data breach until such time as the case is dismissed.