The Other Wyndham Hotel Case

Most of us are aware of the litigation between the FTC and Wyndham Hotels arising out of the data breaches experienced by Wyndham between 2008 and 2010, resulting in hackers stealing the personal information of over 600,000 customers. In a less publicized case arising out of these data breaches, Wyndham was sued by a shareholder in a derivative lawsuit (Palkon v. Holmes, 2014 U.S. Dist. LEXIS 148799).

The shareholder initially demanded that Wyndham’s Board of Directors bring a lawsuit based on the data breaches. When the Board refused, the shareholder brought a lawsuit against Wyndham and its corporate officials asserting that Wyndham failed to implement adequate data security mechanisms, that this failure allowed hackers to steal company data, and that Wyndham then failed to timely disclose the data breaches. The shareholder claimed that these actions damaged Wyndham’s reputation and caused it to incur significant legal fees. The shareholder also contended that the Board’s decision to refuse his demand was wrongful.

In good news for Wyndham, on October 20, 2014, the District Court of New Jersey granted Wyndham’s Motion to Dismiss the lawsuit. The Court found that the shareholder’s lawsuit alleged insufficient facts for finding that the Board of Directors did not act in good faith based on a reasonable investigation. Although the result was favorable for Wyndham and its Board, the lesson is clear: data breaches are not just the concern of the IT department. Enterprise data security requires the attention of C-level executives and the Board of Directors before data breaches occur, to make sure the proper security measures are in place. Once a data breach occurs, a thorough investigation and remediation must be conducted as quickly as possible.

Although theories of liability are still developing when there is a data breach, one thing we can count on is more breach of fiduciary duty and D & O liability lawsuits.

By: Richard Sheinis, Esq.
