[BreachExchange] Yahoo! Data Breach Results in Another Lawsuit Against Corporate Directors and Officers

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 1 19:54:56 EST 2017


http://www.jdsupra.com/legalnews/yahoo-data-breach-results-in-another-98783/

A number of claims have been made against companies’ directors and officers
alleging a breach of fiduciary duty for failing to adequately oversee data
security programs.  To date, the defendants’ oversight of the programs and
their documentation of that oversight have been sufficient to allow courts
to rule in directors’ and officers’ favor.

The past several years have seen a number of high-profile data breaches
involving public companies, including Wyndham Worldwide, Home Depot, Target
and, most recently, Yahoo!  Each of the earlier cases yielded lawsuits
against the companies’ boards of directors and/or officers, and, last week,
plaintiffs filed a class action lawsuit against Yahoo! and its CEO, CFO and
board member alleging federal securities law violations relating to
Yahoo!’s disclosure of the data breach.

The plaintiffs’ claims against directors and officers in previous cases
have generally revolved around breaches of fiduciary duty, and, more
specifically, the respective boards’ oversight of data security.  To date,
the cases have been dismissed on motions for summary judgment at various
stages.  In each of those cases, the courts have examined the nature and
extent of boards’ oversight of data security programs.  A brief summary of
the cases decided to date follows:

 ·       In the Wyndham case (dismissed in October 2014), plaintiffs
alleged that Wyndham’s directors had breached their fiduciary duties with
respect to Wyndham’s data security and the associated risks.  In dismissing
the lawsuit, among other reasons, the court observed that the
cyber-attacks, Wyndham’s security policies, and proposed security
enhancements were discussed in 14 board meetings; in at least 16 audit
committee meetings; and that Wyndham hired a security consultant and began
to implement the consultant’s recommendations.

 ·       In the Target case (dismissed in July 2016), the plaintiffs
alleged that Target’s directors and officers breached fiduciary duties by,
among other things, failing to implement a system of internal controls to
protect customers’ personal and financial information, and failing to
oversee and monitor Target’s internal control system.  In accordance with
Minnesota law, a special litigation committee was established to determine
whether it was appropriate to bring a shareholder derivative action against
Target’s directors and officers. The special litigation committee
determined that the action was not in the best interest of the company or
its shareholders, among other reasons, based upon the data security
measures in place pre-breach, the changes enacted post-breach and
management’s reports to the board’s audit committee and corporate
responsibility committee covering the company’s data security measures.

 ·      In the Home Depot case (dismissed in November 2016), plaintiffs
alleged that certain of Home Depot’s directors and officers, including
general counsel, breached their duties of care and loyalty, wasted
corporate assets, and violated federal securities laws by, among other
things, failing to adequately oversee cybersecurity.  In dismissing the
case, the court observed “numerous instances where the Audit Committee
received regular reports from management on the state of Home Depot’s data
security, and the Board in turn received briefings from both management and
the Audit Committee.”

As the Yahoo! case has been brought based upon securities-based claims
instead of fiduciary duty claims, it remains to be seen how that case will
be determined.  However, in each prior case, the court has reviewed various
instances in which the companies’ boards of directors (or committees of each
board) monitored and evaluated the companies’ data security measures.
These cases (and the favorable resolutions for companies) illustrate the
protections that are afforded when corporate boards and their committees
both oversee data protection measures and document those efforts.