[BreachExchange] Definition of Insanity? Wendy’s Shareholders File Derivative Action Based on 2015-16 Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 23 10:21:09 EST 2016


http://www.natlawreview.com/article/definition-insanity-wendy-s-shareholders-file-derivative-action-based-2015-16-data

An old saw defines insanity as doing the same thing over and over again and
expecting a different result. Wendy’s shareholders recently flouted that
maxim by filing a derivative action this week against officers and
directors of the fast-food chain seeking recovery on behalf of the
corporation for damages arising from a data breach that affected over 1,000
franchise locations between October 2015 and June 2016.  Based on the
results in prior data breach derivative actions, the prospects for the
Wendy’s derivative claim appear dim.

Readers of this space will note our skepticism about the merits of
shareholder derivative actions against corporate officers and directors in
data breach cases.  Claims for corporate mismanagement are subject to the
business judgment rule, which protects officers and directors from lawsuits
second-guessing their exercise of judgment in the performance of their
corporate responsibilities absent self-interested conduct – which is
generally not present in data breach cases – or such extreme dereliction of
responsibilities as to constitute a breach of their fiduciary duty of
care.  The difficulty in surmounting that burden is exemplified by
dismissals of derivative actions based on data breaches perpetrated against
Wyndham, Target, and Home Depot.

The Home Depot dismissal, issued just three weeks ago, apparently did not
deter the Wendy’s shareholders from pursuing their derivative claims.  But
it should have. In both cases the shareholders elected to sue without
making demand on the boards of directors, despite the fact that both
corporations are incorporated under Delaware law, which makes demand
mandatory absent proof that a majority of the board members would be unable
to exercise disinterested judgment.  The Home Depot shareholders could not
do so, and the Wendy’s plaintiffs are unlikely to fare any better.
Allegations that a company’s data security practices proved inadequate,
standing alone, are generally insufficient to establish that the company’s
board cannot exercise independent judgment about whether such inadequacy
rises to the level of a fiduciary breach.  If past is prologue, the likely
result of this shareholder derivative action will be to divert corporate
attention from responding to the data breach until such time as the case is
dismissed.