The resilient plaintiffs’ bar is not backing down from its quest to hold directors and officers personally liable for corporate misconduct that leads to cybersecurity breaches. Taking guidance from the failures which resulted in a string of dismissals of high-profile cybersecurity-related shareholder derivative lawsuits, a shareholder of the fast-food chain The Wendy’s Company is taking another shot to impose liability on corporate leadership for failing to take precautions against cyber-attacks. To be clear, these derivative cases are trying to hold the directors and officers liable for mismanagement of the company which led to the data breach, not for the liability arising directly from the data breach itself. These types of derivative lawsuits, however, have been largely unsuccessful.
On December 16, 2016, a shareholder of the fast-food chain Wendy’s filed a lawsuit in the Southern District of Ohio against a number of Wendy’s current and former directors and officers arising from a cyber breach of Wendy’s customers’ payment card information. A copy of the Complaint can be found here. According to the complaint, a data breach that stretched from October 2015 through June 2016 compromised Wendy’s customer personal and financial information through unauthorized access to stored information from its customers’ payment cards used at more than 1,000 Wendy’s franchise locations. The complaint alleges that the directors and officers breached their duties of loyalty, care, and good faith by, among other things, (1) failing to enforce internal controls related to cybersecurity, (2) failing to oversee compliance with payment card industry standards and regulations, (3) permitting the company to implement its allegedly knowingly-defective POS system, and (4) failing to ensure an adequate firewall and protect the data. Like other derivative lawsuits that came before it, the plaintiff is trying to hold the directors responsible for the adverse effects of the data breach on the company’s business and operations, including the negative impact from the other class action lawsuits arising from the breach.
A prominent hurdle for plaintiffs in these derivative lawsuits has been the shareholder’s failure to make a demand on the company to rectify the problem concerning cybersecurity, and subsequent failure in the pleadings to adequately demonstrate demand futility. The November 30, 2016 Home Depot decision from the Northern District of Georgia (In Re Home Depot S’holder Derivative Litig., 2016 U.S. Dist. LEXIS 164841 (N.D. Ga. Nov. 30, 2016)) put another — albeit seemingly justified — nail in the would-be derivative plaintiff’s proverbial coffin by applying long-standing principles of Delaware corporate law in the cybersecurity-related derivative context. For example, when discussing the requirements of establishing demand futility in the context of a director’s duty of loyalty, the Home Depot court noted that Delaware law requires a derivative plaintiff to show that a majority of the board of directors “faced substantial liability because it consciously failed to act in the face of a known duty to act.” Holding that demand was not excused in that case, the court noted that a director will violate the duty of loyalty “if they knowingly and completely failed to undertake their responsibilities,” but a breach of the duty “cannot be shown by merely showing that the directors failed to do all they should have done under the circumstances.” Thus, the court found that there was not a substantial likelihood of liability on the part of the directors and demand was not excused. The rest of the decision was similarly affirming of the very high standard required to show demand futility.
The court in Home Depot stopped short of saying that a director or officer can merely pay lip service to cybersecurity and avoid personal liability for management failures, but seemed to acknowledge that some cybersecurity plan, even if not perfect, would suffice to defeat liability in a derivative action. The Wendy’s derivative complaint, on its face, seems to be a calculated response to the hurdles that have been imposed by other courts that dismissed similar lawsuits. It is uncertain, however, if the complaint is sufficient to survive summary adjudication. What seems to be certain is that enterprising plaintiffs will continue to pursue lawsuits arising from data breaches against directors and officers using the prior decisions as a roadmap for pleading a case that can survive summary adjudication.