The United States District Court for the District of New Jersey dismissed a derivative suit brought by shareholders on behalf of Wyndham Worldwide Corporation following a series of data breaches within the Company. After Wyndham’s Board of Directors unanimously voted to refuse a shareholder’s demand to bring a lawsuit based on the breaches, several shareholders filed the derivative action in an attempt to force the board to bring suit.
In dismissing the shareholders’ derivative action, the Court held that the “business judgment rule” protected the Board’s decision to refrain from litigating claims surrounding the data breaches. It reasoned that, even prior to the shareholder’s demand, the Board had routinely discussed the cyber attacks at Board meetings; had previously investigated and rejected the claims from an identical demand letter; and, overall, had developed its understanding of the issues surrounding the cyber attacks. Moreover, the Board and a special Committee specifically considered the shareholder’s demand in this case. Based on this prior knowledge and investigation, the Court found that the Board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.” Accordingly, the Board’s decision not to pursue further action on Wyndham’s behalf was protected by the business judgment rule.
While the Board of Directors may have escaped liability in this case, the Wyndham Corporation itself may still face liability on several fronts, including an action brought by the FTC. The FTC’s action against Wyndham remains pending before the Third Circuit, which is set to rule on the scope of the FTC’s authority in data breach cases.