
SEC’s stepped-up cyber scrutiny won’t save shareholder data breach suits


(Reuters) - This week's Delaware Chancery Court decision dismissing a shareholder derivative lawsuit that arose from a gigantic data breach at Marriott International Inc encapsulates why data breach securities cases have been a frustration for plaintiffs' lawyers. It also pinpoints why I think these suits will continue to be a challenge for shareholders, despite the U.S. Securities and Exchange Commission’s recent crackdown on companies with inadequate cyber risk reporting procedures.

In the Chancery Court case before Vice Chancellor Lori Will, shareholders alleged that Marriott’s board breached its duty of loyalty by failing to respond to red flags that Starwood Hotels and Resorts, which Marriott acquired in 2016, was susceptible to hackers.

Two years after the acquisition, Marriott learned that cyber thieves had used malware to penetrate the Starwood reservation database all the way back in 2014. Ultimately, the Marriott hack exposed personal information from as many as 500 million customers of the hotel chain, in one of the biggest-ever data breaches in the U.S.

Plaintiffs' lawyers at Robbins and Prickett, Jones & Elliott contended that the Marriott board was on notice that Starwood’s data system didn’t meet industry standards yet failed to push for enhanced security protocols. Shareholders argued, moreover, that Marriott directors couldn’t be trusted to decide whether to pursue breach-of-loyalty claims on behalf of the company because most of them faced personal liability for putting the company at risk of violating cyber-protection laws.

Will found that plaintiffs hadn’t shown that it would have been futile for shareholders to demand action from the board. (Her ruling, incidentally, marks an early application of the Delaware Supreme Court’s newly established test for demand futility in shareholder derivative suits.)

Cyber risk, she said, is an ever-expanding headache for corporate boards as “regulators in the United States and abroad have become more active in issuing cybersecurity guidance and undertaking enforcement activities.” As the regulatory consequences of lax cybersecurity compliance deepen, Will said, “corporate governance must evolve to address them.” Directors, she said, must “ensure that companies have appropriate oversight systems in place.”

That’s exactly the message that the SEC sent this summer in a pair of cases alleging that companies failed to come clean about cyber incidents. I’ve told you about the agency’s $490,000 settlement with the title insurer First American Financial Corporation in July. In August, the SEC announced a $1 million settlement with the educational publisher Pearson plc. A plethora of law firm client alerts about the First American and Pearson cases warned companies that the SEC clearly wants them to get serious about cybersecurity protocols, internal reporting chains and external communications with investors.

Will’s admonition about increased regulatory risk for cyber lapses seems to refer obliquely to the SEC’s recent cases. But her following paragraphs show why the enhanced SEC scrutiny doesn’t guarantee additional liability in private shareholder lawsuits.

Delaware’s test for breaches of directors’ duties of loyalty has not changed even as regulators have stepped up cyber enforcement, Will noted. Delaware precedent from 1996's In re: Caremark requires shareholders alleging a breach of the duty of loyalty to show that board members acted in bad faith, not just that they were negligent or exercised bad business judgment. Caremark claims, the vice chancellor said, must still meet that extremely high threshold, despite “the growing risk posed by cybersecurity threats.”

Gregory Del Gaizo of the Robbins firm, who argued for shareholders at a Sept. 16 hearing on Marriott’s dismissal motion, declined via email to comment on Will’s ruling.

You can also see the effect of different pleading standards for regulators and private plaintiffs in two cases involving First American. As I mentioned, the SEC settled a case against the title insurer in July, resolving the commission’s allegations that the company didn’t have adequate systems in place to assure that board members were apprised of the risk of leaks from its real estate database.

First American, which did not admit or deny the SEC’s allegations, was simultaneously facing a securities fraud class action in federal court in Los Angeles, where shareholders alleged that the company misrepresented the risk of data intrusions and then failed to provide investors with the full story when hackers got into its system. In September, U.S. District Judge Dale Fischer dismissed the class action, holding that shareholders failed to meet the high pleading standard for fraud claims.

As it happens, Jason Mendro of Gibson, Dunn & Crutcher represented both Marriott in the Chancery Court derivative suit and First American in the Los Angeles securities class action. He declined to provide a statement on the rulings.

I’m not saying that shareholders have no shot in fraud class actions or derivative suits arising from data breaches. It’s true that Marriott has managed to dispose of all of the securities claims arising from its data breach, with Will’s derivative decision following a June ruling in which U.S. District Judge Paul Grimm of Greenbelt, Maryland, tossed a shareholder class action against the hotel chain.

But plaintiffs obtained better results in cases against two other companies that experienced vast data breaches. In 2018, for instance, shareholders secured an $80 million securities class action settlement with Yahoo! Inc. The next year, Yahoo settled a parallel derivative suit for $29 million. Similarly, the credit reporting agency Equifax Inc agreed in 2020 to a $149 million securities class action settlement and a $32.5 million derivative settlement.

My point is just that shareholders can’t count on actions by the SEC and other regulators to boost their securities class actions and derivative suits. As the recent Marriott and First American decisions make clear, shareholders have to get over that higher bar on their own.

Read more:

SEC’s First American settlement signals new corporate cyber disclosure risk

Dela. Supreme Court tightens test for demand futility in derivative lawsuits

Opinions expressed here are those of the author. Reuters News, under the Trust Principles, is committed to integrity, independence and freedom from bias.

Alison Frankel has covered high-stakes commercial litigation as a columnist for Reuters since 2011. A Dartmouth College graduate, she has worked as a journalist in New York covering the legal industry and the law for more than three decades. Before joining Reuters, she was a writer and editor at The American Lawyer. Frankel is the author of Double Eagle: The Epic Story of the World’s Most Valuable Coin. Reach her at alison.frankel@thomsonreuters.com