If a corporation is the target of a cyberattack resulting in a data breach, its board may be the target of a shareholder derivative action claiming breach of fiduciary duty. A recent example is Palkon v. Holmes, No. 14-cv-01234 (D.N.J.), in which a shareholder of Wyndham Worldwide Corporation sued its directors and senior officers, claiming that their failure to implement adequate information-security policies allowed three data breaches, resulting in theft of over 600,000 customers’ personal and financial data. Shareholder derivative actions like Palkon allow plaintiffs to avoid one of the major obstacles to a data-breach class action against the corporation: proving that the purported class members suffered common damages resulting from theft of their personal information. In a derivative action against the board, damages are suffered proportionally by all shareholders based on the harm to the corporation through, for example, decreased stock prices. Because damages from privacy breaches often are not covered by directors and officers (D&O) insurance, directors may face significant personal exposure.
This article addresses the potential liability of directors arising from a data breach, and how they can help protect themselves and their company from liability. We focus on Delaware law because, practically speaking, it states the national standard for director fiduciary duty.
