The Definition of Insanity? Wendy’s Shareholders File Derivative Action Based on 2015-16 Data Breach

Mintz - Privacy & Cybersecurity Viewpoints

An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders flouted that maxim this week by filing a derivative action against officers and directors of the fast-food chain, seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016. Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.

Readers of this space will note our skepticism about the merits of shareholder derivative actions against corporate officers and directors in data breach cases. Claims for corporate mismanagement are subject to the business judgment rule, which protects officers and directors from lawsuits second-guessing their exercise of judgment in the performance of their corporate responsibilities absent self-interested conduct – which is generally not present in data breach cases – or such extreme dereliction of responsibilities as to constitute a breach of their fiduciary duty of care. The difficulty in surmounting that burden is exemplified by dismissals of derivative actions based on data breaches perpetrated against Wyndham, Target, and Home Depot.

The Home Depot dismissal, issued just three weeks ago, apparently did not deter the Wendy’s shareholders from pursuing their derivative claims. But it should have. In both cases the shareholders elected to sue without making demand on the boards of directors, despite the fact that both corporations are incorporated under Delaware law, which makes demand mandatory absent proof that a majority of the board members would be unable to exercise disinterested judgment. The Home Depot shareholders could not do so, and the Wendy’s plaintiffs are unlikely to fare any better. Allegations that a company’s data security practices proved inadequate, standing alone, are generally insufficient to establish that the company’s board cannot exercise independent judgment about whether such inadequacy rises to the level of a fiduciary breach. If past is prologue, the likely result of this shareholder derivative action will be to divert corporate attention from responding to the data breach until such time as the case is dismissed.

