A number of claims have been made against companies’ directors and officers alleging a breach of fiduciary duty for failing to adequately oversee data security programs. To date, the defendants’ oversight of those programs, and their documentation of that oversight, has been sufficient for courts to rule in the directors’ and officers’ favor.
The past several years have seen a number of high-profile data breaches involving public companies, including Wyndham Worldwide, Home Depot, Target and, most recently, Yahoo! Each of the earlier breaches yielded lawsuits against the companies’ boards of directors and/or officers, and, last week, plaintiffs filed a class action lawsuit against Yahoo! and its CEO, CFO and a board member alleging federal securities law violations relating to Yahoo!’s disclosure of its data breach.
The plaintiffs’ claims against directors and officers in the earlier cases have generally centered on breaches of fiduciary duty and, more specifically, on the respective boards’ oversight of data security. To date, each of those cases has been dismissed on motion at one stage or another, and in each the court examined the nature and extent of the board’s oversight of the data security program. A brief summary of the cases decided to date follows:
- In the Wyndham case (dismissed in October 2014), plaintiffs alleged that Wyndham’s directors had breached their fiduciary duties with respect to Wyndham’s data security and the associated risks. In dismissing the lawsuit, the court observed, among other reasons, that the cyber-attacks, Wyndham’s security policies and proposed security enhancements had been discussed at 14 board meetings and at least 16 audit committee meetings, and that Wyndham had hired a security consultant and begun implementing the consultant’s recommendations.
- In the Target case (dismissed in July 2016 on the basis of a special litigation committee report), the plaintiffs alleged that Target’s directors and officers breached their fiduciary duties by, among other things, failing to implement a system of internal controls to protect customers’ personal and financial information and failing to oversee and monitor that internal control system. In accordance with Minnesota law, a special litigation committee was established to determine whether it was appropriate to bring a shareholder derivative action against Target’s directors and officers. The committee determined that the action was not in the best interest of the company or its shareholders, basing that conclusion, among other reasons, on the data security measures in place before the breach, the changes enacted after it, and management’s reports to the board’s audit committee and corporate responsibility committee covering the company’s data security measures.
- In the Home Depot case (dismissed in November 2016), plaintiffs alleged that certain of Home Depot’s directors and officers, including its general counsel, breached their duties of care and loyalty, wasted corporate assets, and violated federal securities laws by, among other things, failing to adequately oversee cybersecurity. In dismissing the case, the court observed “numerous instances where the Audit Committee received regular reports from management on the state of Home Depot’s data security, and the Board in turn received briefings from both management and the Audit Committee.”
Because the Yahoo! case is based on securities-law claims rather than fiduciary duty claims, it remains to be seen how it will be decided. In each of the prior cases, however, the court reviewed specific instances in which the company’s board of directors (or its committees) monitored and evaluated the company’s data security measures. These cases, and their favorable resolutions for the companies, illustrate the protection afforded when corporate boards and their committees both oversee data protection measures and document that oversight.