After disclosure of a recent cyber breach, the company’s board of directors was sued by shareholders in two separate legal actions: derivative lawsuits, to be precise.
In the world of D&O litigation, shareholder derivative suits occupy a very special niche. One key reason for this is that resulting settlements and/or court awards are generally understood to be non-indemnifiable. This means that the individual defendants, the directors and officers, cannot be held harmless by the company but instead would have to pay these amounts out of their own pockets, in the absence of insurance. D&O insurance, to be specific.
This raises the question of just what the recent derivative suits alleged and what they sought.
They Did Us Wrong
Allegations included charges that:
- The individual board members knew or should have known that the company’s customers were vulnerable to attack and yet failed to implement appropriate security measures [count 56].
- The individual defendants knew or should have known that the company’s less-than-industry-standard security systems and unreasonably vulnerable technologies would render its customers a target of attacks by third parties. The individual defendants, however, failed to take corrective measures to update its systems and technologies [count 59].
- Officer defendants specifically breached their duty of loyalty by knowingly, recklessly, or with gross negligence failing to implement a system of internal controls to protect customers’ personal and financial information, and by causing or allowing the company to conceal the full scope of the data breach, which ultimately affected at least 70 million customers [count 75].
Let Me Count the Ways…
As a result of these alleged breaches of duty to the organization, the plaintiffs are seeking:
The impact of the breach on the company’s bottom line including the “weaker-than-expected sales since the announcement,” [which the plaintiffs contend has led the company to cut its fourth quarter 2013 adjusted earnings per share (“EPS”) of $1.20 to $1.30, compared to previous guidance of $1.50 to $1.60] [count 60] along with the lost net profit resulting from the firm’s 10% discount offered to U.S. shoppers during the last weekend before Christmas to lure customers [count 61].
“Significant sums of money” which have been and will be spent, including but not limited to
- the costs incurred in defending and settling the consumer class actions filed against the Company
- the costs incurred in assisting and responding to the Secret Service and DOJ investigations into the data breach, including any potential fines that may result
- the costs resulting from the firm’s own internal investigation into the breach, including, but not limited to, expense for legal, investigative, and consulting fees
- remediation expenses and capital investments
- the cost of notifying customers, replacing cards, sorting improper from legitimate charges and reimbursing customers for improper charges
- the cost of providing free credit monitoring to victims of the data breach
- the compensation and benefits paid to the board members who breached their duties to the firm [count 61]
- the cost related to instituting chip-based credit cards that will enhance security (from the second suit’s Damages to the Company, 97.)i
Order the company to take all necessary actions to reform and improve its corporate governance and internal procedures to comply with applicable laws and to protect the company and its shareholders from a repeat of these events, including, but not limited to, putting forward for shareholder vote resolutions for amendments to the company’s by-laws or articles of incorporation to strengthen corporate controls and disclosure protocols. [Prayer for Relief B]
Plaintiffs’ Legal Fees
[Prayer for Relief C]
Other Equitable Relief
Any other equitable relief as the court may deem just and proper [Prayer for Relief D].
Summing up its demand, the second derivative suit alleged that the company “has sustained significant damages that will likely exceed hundreds of millions of dollars.”ii
Know Your Enemy
Both law firms bringing suit have experience in bringing derivative actions, resulting in settlement dollars or court awards.
Fortunately, derivative suits are covered under directors & officers liability insurance policies, both the traditional forms and the newer A-Side only policies covering non-indemnifiable claims only. While an A-Side policy would probably not cover related defense expenses, it would cover any resulting settlement or court award.
Cyber liability is continuing to evolve rapidly and this expansion into D&O exposure is one that can be expected to continue, especially with the U.S. Securities and Exchange Commission’s recent advice on cyber exposure disclosures.