Boards Should Put Time and Resources into Cybersecurity Issues – It Is Good for Business and Works as a Defense Strategy

Blank Rome LLP

We have previously blogged about Commissioner Aguilar’s recommendations at a NYSE conference, “Cyber Risks and the Boardroom” on what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats. On October 20, 2014, the United States District Court for the District of New Jersey dismissed a derivative lawsuit (Palkon v. Holmes, Case No. 2:14-CV-01234) filed against directors and certain officers, including General Counsel, of Wyndham Worldwide Corporation (WWC). The Court’s opinion can be viewed as a real life validation of the principles outlined in the Commissioner’s speech.

WWC is a hospitality company that operates hotels and resorts globally (it is incorporated in Delaware and headquartered in New Jersey). As part of its business, WWC collects customers’ personal and financial data and lets customers make room reservations online, which requires them to enter their personal credit card information. On three occasions between April 2008 and January 2010, hackers breached WWC’s main network and those of its hotels and obtained the personal information of over six-hundred thousand customers. The Plaintiff filed the derivative lawsuit after the WWC’s Board had refused the Plaintiff’s demand to bring a lawsuit against directors and senior management related to such breaches. The Court found that WWC’s Board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest” and dismissed Plaintiff’s claims with prejudice.

The Court’s opinion includes a detailed description of the Board’s actions related to cyber-security matters, including the following:

  • Board members had discussed the cyber-attacks, WWC’s security policies, and proposed security enhancements at fourteen meetings from October 2008 to August 2012 (at every quarterly Board meeting, the General Counsel gave a presentation regarding the breaches, and/or WWC’s data-security generally).
  • The Audit Committee discussed the same matters in at least sixteen committee meetings during this same time period.
  • WWC hired technology firms to investigate each breach and to issue recommendations on enhancing the company’s security.

The emphasis that the Court put on the Board’s actions underscores the importance of a thorough process and the use of available resources (hopefully, prior to cyber-attacks) in a board’s approach to the oversight over cyber-risk management.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising

Written by:

Blank Rome LLP

Blank Rome LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.