The cyberattack at the core of this case began in 2014 when certain systems of Starwood Hotels and Resorts Worldwide, Inc. (Starwood) were infected with malware. Unbeknownst to Marriott’s board of directors, the attack was ongoing in September 2016 when Marriott closed on its acquisition of Starwood. It remained undetected after the acquisition, even as the board and audit committee received routine updates about cybersecurity issues, including in 2017 when the Board was told about deficiencies in Starwood’s cybersecurity controls. Marriott discovered the malware on Starwood’s system in September 2018. After some initial investigation, Marriott learned in November 2018 that the breach began in 2014 and that the hacker had accessed customers’ personal information. Eleven days later, Marriott publicly announced the incident.
The plaintiff brought a derivative claim for breach of the fiduciary duty of loyalty against several Marriott executives and members of the Marriott board of directors. The defendants moved to dismiss, arguing that demand was not futile. The court agreed and dismissed the complaint in its entirety.
In its analysis, the court applied the new test for demand futility established last year in United Foods & Commercial Works Union v. Zuckerberg, which requires a plaintiff to show, on a director-by-director basis, that a majority of the directors (1) “received a material personal benefit from the alleged misconduct that is the subject of the litigation demand”; (2) “faces a substantial likelihood of liability on any of the claims that would be the subject of the litigation demand”; and (3) “lacks independence from” a director who is not disinterested under prongs (1) or (2).
The plaintiff argued that four members of the board that considered the demand lacked independence and that all of the directors on the board following the acquisition of Starwood faced a substantial likelihood of personal liability for breach of the duty of loyalty based on three theories: (1) the failure to conduct adequate cybersecurity due diligence before the acquisition; (2) the failure to implement adequate internal controls after the acquisition; and (3) the late disclosure of the incident. The court rejected each theory of liability.
The court rejected the first theory as time-barred. The three-year statute of limitations began to run, at the latest, at the time of the acquisition in September 2016, and the complaint failed to allege any acts of concealment. The court also found that the statute was not tolled by the plaintiff’s Section 220 books and records demand, distinguishing a Section 220 demand from a Section 220 lawsuit, which can toll the statute of limitations.
The court rejected the plaintiff’s second theory after an analysis under both prongs of Caremark. On the first prong, it found that the board had not utterly failed to implement a system of reporting and controls regarding cybersecurity risks because the board and audit committee were routinely apprised of cybersecurity issues, provided with annual reports on cyber risks, engaged with outside consultants to audit Marriott’s cybersecurity practices, and were notified when there were red flags suggesting vulnerabilities.
On the second prong, the court found that the board had not known that Starwood’s systems violated any laws or consciously disregarded any red flags. The issues with Starwood’s systems were failures to comply with non-binding industry standards, not violations of any positive laws, and, in any event, there were no allegations that the board knew that these violations were occurring. Moreover, even though the board was aware Starwood’s cybersecurity systems had some issues, the board was told that management was addressing the issues, and thus the board did not ignore the issues.
The court rejected the plaintiff’s third theory premised on late disclosure of the data breach, holding that there was no evidence that the directors were aware of applicable notification laws that the delay allegedly violated. Further, the court noted that the discovery of malware is distinct from the discovery that personal information had been compromised, and the Board waited only ten days between learning that guests’ personal information had been affected and publicly announcing the attack.