Cyber Attack! Director and Officer Liability Exposure to Investors and Shareholders for Data Breaches

Transcription

1 Cyber Attack! Director and Officer Liability Exposure to Investors and Shareholders for Data Breaches 2018 Pamela S. Palmer Christopher B. Chuff Large-scale data breaches, cyberattacks or data security vulnerabilities can give rise to many problems for a company s directors and officers (Ds&Os), including potential exposure to securities fraud class actions and shareholder derivative suits. That said, the plaintiffs securities bar has been uncharacteristically cautious in filing suit against Ds&Os following corporate disclosures of data breaches and thefts. The torrent of event-driven D&O litigation that many observers expected to flow from corporate announcements of hacks, breaches and compromised data has been a mere trickle. One reason for the relatively slow pace of data breach D&O suits may be that the few cases to reach a judgment have been dismissed at the pleading stage. Shareholder derivative suits (in which shareholders seek to sue Ds&Os for harm to the company) are THIS PUBLICATION MAY CONTAIN ATTORNEY ADVERTISING The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship. Please send address corrections to phinfo@pepperlaw.com Pepper Hamilton LLP. All Rights Reserved.

2 notoriously difficult to plead successfully, and plaintiffs have struck out with dismissals in data breach derivative suits involving Wyndham Worldwide, Home Depot and Target. Securities fraud class actions are also difficult to plead successfully and are viable only when a significant drop in the stock price follows disclosure of a breach. Investors, however, generally have taken news of yet another data breach largely in stride, without engaging in punishing sell-offs of the corporate victim s stock, which drives down the price. To date, no securities class action against Ds&Os based on a data breach has survived the pleading stage. The plaintiffs securities bar, however, is entrepreneurial and persistent, and is continuing to test the waters with a handful of new securities class action suits filed in 2017 arising out of large data breaches suffered by Equifax, Yahoo and PayPal, and a few others. 1 Companies most likely to face a data breach D&O lawsuit are those that receive and store large amounts of consumer data, such as retailers, hospitality businesses, health care companies and financial services firms. For these companies especially, security of consumer personal data is important to their reputations and, therefore, to investors and shareholders. As discussed below, Ds&Os can take proactive steps not only to mitigate the risk of data breaches, but also the risk of personal liability exposure in securities fraud class actions and derivative suits. This article starts with a summary of statutory and contractual protections available to Ds&Os and general standards governing their liability, and follows with an overview of the current D&O litigation landscape involving data breaches. D&O Indemnification, Advancement, Exculpation and Insurance Directors and officers have several layers of protection for out-of-pocket expenses and losses in defending against alleged violations of the securities laws or breach of fiduciary duty claims, including legal costs, settlements and even judgments. First, state corporate laws generally permit or require companies to indemnify directors, officers and employees who are forced to incur costs to defend themselves in lawsuits or proceedings involving their work. Delaware and California law require indemnification of Ds&Os who succeed in defending themselves (in Delaware on the merits or otherwise and in California on the merits. ) 2 Delaware and California law also permit (but do not require) indemnification for defense costs, judgments, fines and settlements incurred by directors, officers and employees who acted in good faith and in a manner reasonably believed to be in and or not opposed to the best interests of the corporation. 3

3 These are known as the minimum standards of conduct for permissive corporate indemnification. A corporation is not legally permitted to indemnify an individual for expenses resulting from conduct that fails to meet these standards. Nor may a corporation indemnify an individual for a judgment of monetary liability to the corporation itself which is the remedy typically sought in a shareholder derivative suit. On the other hand, corporate laws permit companies to advance legal expenses before any final determination of whether an individual met the minimum standards of conduct for indemnification. 4 Companies may commit to indemnification and advancement of their Ds&Os in the articles of incorporation or bylaws to the greatest extent permitted by law, which makes permissive indemnification and advancement mandatory. Second, Ds&Os can strengthen their rights to indemnity and advancement by private agreement with the company regarding the terms of the company s obligation. 5 Private indemnity agreements protect Ds&Os against disadvantageous changes in corporate bylaws, ownership and management. These agreements typically contain presumptions, burdens of proof, timetables and other terms that favor individuals and continue in force after an individual s relationship with the company comes to an end. Third, many states permit companies to limit the personal liability of directors (but not of officers) to the corporation and its stockholders with an exculpation provision in the articles of incorporation. 6 These provisions excuse directors from personal monetary liability to the company and its shareholders for breach of the fiduciary duty of care. Corporate laws do not permit exculpation, however, for breach of the fiduciary duty of loyalty, bad faith, intentional misconduct or knowing violations of law which are the very types of claims asserted in shareholder derivative litigation. Fourth, D&O liability insurance purchased by the company protects corporate assets and provides coverage for Ds&Os when the company cannot or will not indemnify them. D&O liability insurance is designed to pay losses (including legal fees) for defending against allegations of wrongful acts, such as violations of securities laws or breaches of fiduciary duty that result in damages to the company or its stockholders. Although D&O policies exclude coverage for willful or intentional misconduct, which is uninsurable as a matter of public policy, these policies can provide coverage for conduct that would not be indemnifiable by the corporation, such as nonexculpable failure of oversight or forms of bad faith typically alleged in derivative claims that do not rise to

4 the level of intentional misconduct. State corporate laws generally allow companies to buy D&O insurance for nonindemnifiable claims. 7 Securities Fraud Claims Against Ds&Os Arising From Data Breaches Securities fraud class actions based on data breaches and cyberattacks generally assert claims under Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5. 8 A plaintiff must plead that the corporate defendant (typically speaking through defendant officers) (1) made a misstatement or omission of material fact; (2) with scienter (fraudulent intent); (3) in connection with the purchase or sale of securities; (4) upon which plaintiffs relied; (5) resulting in economic loss; (6) that is proximately caused by the fraudulent statement. 9 Securities fraud claims in the context of a data breach typically challenge statements made before and after the data breach. With respect to pre-breach statements, plaintiffs allege that the defendants gave misleading assurances about the company s data security systems and efficacy, later allegedly exposed as false when a breach occurs. With respect to post-breach statements, plaintiffs allege that the defendants misleadingly concealed or minimized the nature and severity of a known breach. The leading data breach securities class action case to date is In re Heartland Payment Systems, Inc. Securities Litigation, 10 decided in 2009, which illustrates the difficulty that plaintiffs face in successfully pleading a securities fraud claim in this context. Heartland is in the credit card processing business, acting as an intermediary in the exchange of information and funds between merchants and cardholders financial institutions. Heartland experienced a cyberattack in December 2007, but believed the attack was limited to its payroll manager application, which did not contain credit card data. As it turned out, the attack extended to the company s payment processing system, from which hackers stole 130 million credit and debit card numbers in Heartland discovered the theft in January 2009 and publicly disclosed it within a few days. Heartland s stock price dropped by approximately 80 percent. The plaintiffs, seeking to represent a class of investors who purchased Heartland stock in 2008 after the breach, asserted securities fraud claims against Heartland and its chief executive officer and chief financial officer. The plaintiffs alleged that the defendants violated Section 10(b) by allegedly concealing the 2007 attack and misrepresenting the state of Heartland s data security systems during earnings calls and in SEC filings. The plaintiffs claimed that statements touting the importance to Heartland of maintaining

5 network security were fraudulent because the defendants allegedly knew that Heartland had poor security systems and that the company had failed to remedy the problem. The court, reviewing the allegations under the heightened pleading standards established by the Private Securities Litigation Reform Act of 1995, dismissed the complaint with prejudice. The court found that the defendant s statements did not paint a misleading picture of Heartland s network security and created no duty in 2008 to disclose the 2007 attack. The existence of a security breach did not make Heartland s statement that it place[d] significant emphasis on maintaining a high level of security false. The court also found that the defendants lacked knowledge of the data theft when making the challenged statements. Accordingly, the plaintiffs failed to plead that the defendants made the 2008 statements with scienter that is, consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns. 11 The plaintiffs inability in Heartland to plead that the defendants made a material misrepresentation or omission with scienter underscores the difficulty of successfully asserting a securities fraud claim based on a data breach. While the facts in Heartland appeared strong on the surface (i.e., public disclosure of a cyberattack more than a year after it occurred, interim positive statements about the company s security systems, and a significant stock drop following disclosure of the breach), the plaintiffs were unable to advance beyond a motion to dismiss. In 2011, after Heartland was decided, the Securities and Exchange Commission issued guidance regarding corporate disclosure of cybersecurity and data breaches. 12 That guidance makes clear that public companies must disclose a company s history of cyberattacks and information to provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant. Despite the SEC s push for companies to make better cybersecurity disclosures, there have been no significant published decisions in data breach securities fraud cases since Heartland. Although 2017 saw an unprecedented rise in the number of new private securities class action filings nationwide, few of those cases involved data breaches, which, as noted, have not typically produced large stock price declines. The three top class action cases to watch from 2017 were filed against Yahoo, Equifax and PayPal. In January 2017, investors filed a securities class action in the Northern District of California against Yahoo and several officers relating to data breaches announced in September and December 2016, which led to small stock price declines

6 of 3 percent and 6 percent, respectively. In re Yahoo! Inc. Securities Litigation, No. 5:17-cv (N.D. Cal. Jan. 24, 2017). The hackers attacked in 2013 and 2014 and obtained personal data from more than 1.5 billion accounts. The plaintiffs allege that the defendants made fraudulently misleading statements by failing to disclose Yahoo s failure to securely encrypt its users personal information. In September 2017, investors filed a securities class action in the Northern District of Georgia against Equifax and two executive officers. The initial suit, Kuhns v. Equifax, No. 1:17-cv TWT (N.D. Ga. Sept. 8, 2017), was followed by several others filed in the wake of some interesting announcements. 13 Equifax reported a cybersecurity breach on July 29, 2017 that potentially compromised personally identifiable information of more than 143 million consumers. On the same day, Bloomberg reported that Equifax s SEC filings showed that company executives sold shares after the cybersecurity breach was discovered (but before it was disclosed). 14 The complaints allege that Equifax s disclosures in 2016 and 2017, before discovering and reporting the breach, fraudulently touted its focus on data security while failing to disclose the inadequacy of its systems to detect and monitor security breaches. Following disclosure of the breach, the company s stock price fell by nearly 17 percent. In December 2017, investors filed a securities class action in the Northern District of California against PayPal Holdings Inc. and three officers. The initial suit, Sgarlata v. PayPal Holdings, Inc., No. 3:17-cv EMC (N.D. Cal. Dec. 6, 2017), was filed in the wake of PayPal s announcements that it had suspended operations of a recently acquired subsidiary after finding security vulnerabilities there, and a subsequent announcement that its investigation revealed a potential compromise of personally identifiable information of 1.6 million of the subsidiaries users. Although PayPal s stock price declined less than 6 percent on these announcements and PayPal s disclosures suggest nothing but candor the plaintiffs bar took an interest. Again, time will tell if the plaintiffs can state a viable securities fraud claim. As these securities cases show, a key risk factor for companies in the data security business is the unknown i.e., companies do not know when they have been hacked or the full scope of the damage even after an attack is discovered. In light of this perennial uncertainty, Ds&Os should consider taking special care to avoid personal liability exposure due to awkward timing in the sale of stock by using preplanned timing under an SEC 10b5-1 trading plan, which provides a safe harbor against insider trading claims. 15 Companies and their Ds&Os should also take care that corporate disclosures about

7 the company s data security systems and technology include appropriate cautionary language and do not oversell safety and reliability. Derivative Actions Against Ds&Os Arising From Data Breaches Plaintiffs have not yet succeeded in mounting a viable shareholder derivative action based on cyberattacks and data breaches which is not to say that the plaintiffs bar will give up. Derivative claims are, by design, very difficult to plead and maintain. These are suits by shareholders who seek to stand in the shoes of the company and assert against the Ds&Os for failing to implement and monitor systems sufficient to detect or prevent cyberattacks and data theft, resulting in loss and damage to the company. As with most derivative suits, plaintiffs efforts to mount claims based on data breaches have failed on the threshold requirement to plead facts sufficient to allege the plaintiffs standing to sue on behalf of the company. As a matter of basic corporate governance law, a shareholder plaintiff generally must make a pre-suit demand on the board of directors to take appropriate action. Therefore, under Federal Rule of Civil Procedure 23.1 and state procedural rules, a derivative complaint must plead with particularity that a demand was made on the board and wrongfully refused or that a demand on the board is excused as futile because the board is incapable of making a valid business judgment on the demand. 16 The common pleading tactic of alleging futility by naming all of the board members as defendants does not excuse a demand. Rather, a plaintiff must allege director conduct that is so egregious on its face that... a substantial likelihood of director liability exists. 17 To plead that demand on the board would be futile, a plaintiff must allege facts sufficient to demonstrate that the board s oversight of cybersecurity was so deficient as to amount to nonexculpable bad faith or a breach of loyalty. As the Delaware Supreme Court confirmed in Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006), director liability for failure of oversight is possibly the most difficult theory in corporation law to plead and prove. A plaintiff must allege that (a) the directors utterly failed to implement any reporting or information systems or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention. 18 Only a sustained or systematic failure of oversight... will establish the lack of good faith that is a necessary condition to liability. 19 Given the rigorous standards for pleading shareholder derivative standing and director liability, it is not surprising that plaintiffs are scoring losses at the pleading stage in data

8 breach cases. The first major derivative case in this area was Palkon v. Holmes, 2014 U.S. Dist. LEXIS (D.N.J. Oct. 20, 2014), filed on behalf of Wyndham Worldwide Corporation following the announcement of data breaches that took place over a threeyear period between April 2008 and January The crux of the complaint was that Wyndham routinely collected customers personal and financial information, but failed to implement adequate internal controls designed to detect and prevent repetitive data breaches, which resulted in the theft of customers sensitive personal and financial data and exposure to a Federal Trade Commission (FTC) enforcement action arising out of the data breaches. The plaintiff made a demand on the Wyndham board to file suit, which it delegated to the audit committee for consideration. After four months of consideration, the audit committee recommended, and the full board agreed, to refuse the demand. The plaintiff was left to allege that the demand was wrongfully refused and an invalid exercise of business judgment. The plaintiff alleged that the audit committee s outside counsel was conflicted because it represented Wyndham in parallel FTC proceedings, and that the general counsel s involvement tainted the board s business judgment. The court disagreed, finding that Wyndham s refusal to bring suit against its Ds&Os was a good-faith exercise of business judgment, made after a reasonable investigation. 20 The plaintiff failed to demonstrate any conflicts of interest with respect to the audit committee s outside counsel, which was obligated in all matters to act in Wyndham s best interests, and there were no allegations that Wyndham s general counsel was conflicted by any personal exposure to liability. 21 The court noted that even before receiving the plaintiffs demand letter, the board had discussed the cyberattacks at 14 separate meetings, its audit committee discussed the issues in at least 16 meetings, and the board s understanding previously had been developed as a result of the FTC action and investigation of a prior virtually identical demand letter. 22 While [t]hese earlier investigations, standing alone, would indicate that the Board had enough information when it assessed Plaintiff s claim, the board took the additional step of specifically discussing the plaintiff s demand. As a result, Wyndham s board had a firm grasp of Plaintiff s demand when it determined that pursuing it was not in the corporation s best interest. Further, the board was free to consider the potential weaknesses of the underlying failure of oversight claims when assessing whether to pursue the lawsuit. 23 Wyndham is a textbook example of how sound board procedures all but guarantee defeat of a demand refusal derivative case.

9 Plaintiffs have also filed several derivative actions arising out of data breaches without making a pre-suit demand, but with little success. Plaintiffs filed multiple derivative actions both with and without pre-suit demands following the announcement of a massive data breach at Target in 2013, which led to theft of credit card information affecting as many as 70 million customers. In response to the complaints, Target formed a special litigation committee (SLC) under Minnesota law, which conducted an extensive 21-month investigation, assisted by outside counsel, encompassing extensive document review and witness interviews, and culminating in a 91-page report concluding that it was not in Target s best interest to pursue the claims against the company s directors and officers. 24 In July 2016, the federal district court granted the SLC s motion to dismiss in a two-page order. 25 Plaintiffs claims met the same fate in In re Home Depot Shareholder Derivative Litigation, 223 F. Supp. 3d 1317 (N.D. Ga. 2016). A federal court in the Northern District of Georgia dismissed a derivative suit brought by shareholders of Home Depot after the company announced that it was a victim of a cyberattack. The company reported a data breach of its payment card processing systems that enabled hackers to steal data of 56 million customers. The hack occurred through the use of a third-party vendor s credentials, similar to well-publicized earlier cyberattacks involving Target and Neiman Marcus. Approximately one year after the breach, Home Depot reported that its net costs associated with the breach were $152 million. 26 Shareholder plaintiffs claimed that demand was excused as futile because the board members breached their duty of loyalty by failing to institute sufficient internal controls to address the risks of a breach and by disbanding a board committee tasked with oversight of data security. The court found these allegations insufficient to show that the directors knew they were not discharging their fiduciary obligations or had a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act. 27 The act of disbanding a board committee with oversight of data security failed to support a claim of a breach of loyalty, especially when the complaint detailed numerous instances when the board s audit committee received regular reports on Home Depot s data security and briefings, thus demonstrating that the board was fulfilling its duty to ensure a reasonable system of oversight over data security. Likewise, allegations that the defendants failed to institute internal controls were insufficient to state a claim. 28 Home Depot had a plan in place to remedy data security deficiencies; although the plan was not implemented as speedily as the plaintiffs desired, this did not constitute a breach of the duty of loyalty.

10 The Home Depot, Target and Wyndham decisions illustrate that, when boards have made and documented efforts to ensure that data security systems are in place, and to obtain regular reports reflecting oversight, Ds&Os face little risk of personal liability exposure, even in the event of large breaches and corporate losses. Measures to Mitigate Risk Associated With Data Breaches While Ds&Os cannot prevent corporate data breaches or fully insulate themselves from lawsuits, they can take steps to mitigate both corporate risk and personal liability: Require Corporate Data Security Plans, Policies and Procedures. Develop and periodically evaluate data security policies and procedures. Ensure that the company has plans and procedures for responding to data breaches, including when breaches must be brought to the attention of the board of directors or disclosed to investors or regulators. Ensure that the plans and procedures delineate oversight responsibilities and include employee training. Consider establishing a board-level data security committee and engaging a data security firm to audit and provide advice regarding the company s data security protocols. Review Data Security Disclosures. Review how the company s data security is described in public disclosures, and determine whether disclosures should be revised, updated or supplemented to better reflect the status of the company s current systems. Consider improving or augmenting public disclosures regarding data security through greater specificity and additional cautionary language. Review and Upgrade Insurance Coverage. Ensure that the company s insurance coverage is adequate to protect the company from excessive loss and to protect the Ds&Os from personal liability resulting from a data breach. Assess insurance coverage as data security changes or additional risks arise. Endnotes 1 See Kuhns v. Equifax Inc., No. 1:17-cv TWT (N.D. Ga.) (filed Sept. 8, 2017); Sgarlata v. PayPal Holdings, Inc., No. 3:17-cv (N.D. Cal.) (filed Dec. 6, 2017); Alvira v. Intel Corp., No. 2:18-cv (C.D. Cal.) (filed Jan. 10, 2018); Davis v. Steinhafel, No. 14-cv PAM-JJK (D. Minn.) (lead case in Target litigation, filed Jan. 28, 2014).

11 2 Del. Gen. Corp. Law 145(c) (emphasis added); Cal. Corp. Code 317(d) (emphasis added); Cal. Lab. Code 2802 (mandating indemnification of employees for expenses incurred in the discharge of lawful duties). 3 Del. Gen. Corp. Law 145(a) and (b); Cal. Corp. Code 317(b). 4 Del. Gen. Corp. Law 145(e); Cal. Corp. Code 317(f). 5 Del. Gen. Corp. Law 145(f); Cal. Corp. Code 317(g) and (i). 6 Del. Gen. Corp. Law 102(b)(7); Cal. Corp. Code Del. Gen. Corp. Law 145(g); Cal. Corp. Code 317(i) U.S.C. 78j(b); 17 C.F.R b-5. 9 Dura Pharmaceuticals, Inc. v. Broudo, 544 U.S. 336, (2005) U.S. Dist. LEXIS (D.N.J. Dec. 7, 2009). 11 Id. at * See 13 Kuhns v. Equifax Inc. was consolidated with several other related suits, including Brock v. Equifax, Inc., No. 1:17-cv (N.D. Ga.), and Groover v. Equifax, Inc., No. 1:17-cv (N.D. Ga.), which were transferred from the Southern District of New York. The consolidated cases are In Re Equifax Inc. Securities Litigation, No. 1:17-cv (N.D. Ga. 2017). 14 See See Rule 10b5-1 implementation discussion at answersinsiderhtm.html.

12 16 See, e.g., Spiegel v. Buntrock, 571 A.2d 767, (Del. 1990) (pre-suit demand is a bedrock principal of corporate governance in derivative suits; demand places control of the derivative litigation in the hands of the board of directors). 17 In re Home Depot S holder Derivative Litig., 223 F. Supp. 3d 1317, 1325 (N.D. Ga. 2016) (quoting Aronson v. Lewis, 473 A.2d 805, 815 (Del. 1984)). 18 Id. at In re Caremark Int l, 698 A.2d 959, 971 (Del. Ch. 1996) (emphasis added). 20 Palkon v. Holmes, 2014 U.S. Dist. LEXIS , at *13-*14 (D.N.J. Oct. 20, 1014). 21 Id. at *10-* Id. at *13-* Id. at *15, n See Davis v. Steinhafel, No. 14-cv PAM-JJK (D. Minn.) (lead case). 25 The plaintiffs received a modest encouragement in that the parties settled pending appeal based on nonmonetary, prophylactic measures and an agreement to pay the plaintiffs attorney a $1.125 million fee. 26 In re Home Depot Shareholder Derivative Litigation, 223 F. Supp. 3d 1317, 1321 (N.D. Ga. 2016) 27 Id. at Id. at , Berwyn Boston Detroit Harrisburg Los Angeles New York Orange County Philadelphia Pittsburgh Princeton Silicon Valley Washington Wilmington pepper.law