Corporate Compliance Insights

Consequences of a Data Breach: Lessons from Wyndham Worldwide

by Shamoil Shipchandler
December 8, 2014
in Compliance

with contributing authors Dan Myers, David Ball and Laura Hang

On October 20, 2014, Wyndham Worldwide Corporation won dismissal of a shareholder derivative suit seeking damages arising out of three data breaches that occurred between 2008 and 2010.  Dennis Palkon, et al. v. Stephen P. Holmes, et al., Case No. 2:14-cv-01234 (D. N.J. Oct. 20, 2014). Wyndham prevailed, but the litigation carries key cybersecurity warnings for officers and directors.

Businesses suffering data breaches end up litigating on multiple fronts. Wyndham had to defend itself against the shareholder derivative action and against a Federal Trade Commission action.  In other data breach-related cases, the Securities & Exchange Commission, the Department of Justice and state regulatory agencies have asserted jurisdiction. Regulatory actions only compound exposure from private civil actions.

Officers and directors play a key role in cybersecurity. Wyndham’s directors supported the company as it defended its conduct and procedures before the FTC. However, they also had to satisfy their fiduciary duties to assess whether the breaches were the result of negligent or reckless conduct by Wyndham’s officers, which may have required the company to file its own civil action against its officers. It is not difficult to imagine situations in which a Board of Directors determines that the company’s officers acted wrongfully or negligently and ends up with a choice between suing the company’s own officers for their conduct or forgoing such a lawsuit and facing derivative litigation from shareholders.

The Wyndham litigation underscores that companies must examine how their cybersecurity policies and procedures may expose them to liability. Companies must take all reasonable steps to implement strong cybersecurity measures and prepare crisis response teams in the event a breach nevertheless occurs.

Case Summary

Between April 2008 and January 2010, hackers breached Wyndham’s network on three occasions and obtained the personal and financial data of over 600,000 customers. The FTC investigated and in June 2012, commenced legal action against Wyndham.  Federal Trade Commission v. Wyndham Worldwide Corp., et al., Case No. 2:13-cv-01887 (D. N.J.). Years later, a Wyndham shareholder demanded that its Board bring a lawsuit against the company’s officers based on the data breaches. The Board’s audit committee declined to pursue the suit, a decision that the Board adopted. Palkon, at 2-3.

In February 2014, the shareholder filed a derivative lawsuit against Wyndham, its officers and its directors, claiming that the company’s failure to implement adequate cybersecurity measures and disclose the data breaches in a timely manner caused shareholders to suffer the damages of an FTC investigation. The lawsuit also claimed that the Board wrongfully decided not to pursue litigation. Wyndham moved to dismiss, asserting that the Board’s decision was a valid exercise of its business judgment. Id. at 4.

The Court’s Analysis

A Board’s decision to refuse a shareholder’s demand to commence litigation is afforded a rebuttable presumption that the refusal was a proper exercise of its business judgment so long as the decision was made “on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company.” Id. at 5 (citing Spiegel v. Buntrock, 571 A.2d 767, 773 (Del. 1990)).  In Wyndham, the court made the following determinations:

  • That Wyndham’s counsel, who both represented Wyndham in the FTC action and advised the Board not to pursue litigation against the officers, did not have a conflict of interest because counsel’s “obligations in the FTC and shareholder matters were identical: it had to act in [Wyndham’s] best interest.” Id. at 6-7.
  • That the Board had a firm grasp of the litigation demand by the shareholder, had conducted a diligent investigation and had specifically met to consider the data breach and cybersecurity issues. Id. at 9-11.
  • That the shareholder’s claim that the Board breached its fiduciary duty by refusing the litigation demand was “novel” and dubious, and that Wyndham had appropriately responded by employing five advisory firms on cybersecurity issues and implementing post-breach security measures.

Lessons Learned

The Wyndham litigation provides several important lessons for businesses that may be subject to a data breach:

  • Prior to suffering a data breach, businesses should confer with knowledgeable counsel and technology consultants to implement cybersecurity measures and compliance procedures. Strong cybersecurity measures weaken any argument that a business or its management is reckless or has otherwise failed to satisfy an appropriate standard of care.
  • Following a data breach, businesses must be prepared to respond to civil legal proceedings and government regulatory inquiries and investigations. Regulators are not focused only on financial institutions and retail businesses, but rather on any entity that maintains sensitive information electronically.
  • Management and/or the Board of Directors may have to defend the company’s conduct in parallel actions: a civil suit and a regulatory investigation. Defending its cybersecurity in a civil case while simultaneously identifying its cybersecurity flaws in a regulatory action places businesses in a tenuous, uncomfortable position; all the more reason to act diligently, prudently and proactively before a breach occurs.

Shamoil T. Shipchandler is a white collar defense partner at Bracewell & Giuliani in Dallas, where he counsels corporate and individual clients regarding statutory and regulatory compliance and advises companies and corporations who were victimized through white collar crime or cybercrime. Previously, Shamoil was a Deputy Criminal Chief with the United States Attorney’s Office for the Eastern District of Texas, where he served for nearly 10 years as the Attorney-in-Charge of the Plano Office and as the Asset Forfeiture Chief. During his tenure with the Department of Justice, Shamoil handled the prosecution of some of the largest and most significant complex white collar matters in North Texas, including cases involving securities fraud, mortgage fraud, tax evasion, bank fraud, mail and wire fraud, computer sabotage, money laundering, public corruption, theft of trade secrets and immigration fraud. Shamoil is a frequent nationwide instructor regarding trial techniques, professional responsibility, asset forfeiture, money laundering and substantive white collar crimes. Shamoil has developed and presented financial investigations courses to U.S. Attorney’s offices and local state and federal law enforcement, as well as to Bosnian and Macedonian prosecutors and judges. Shamoil received the 2011 Director’s Award, a Department of Justice-wide recognition, for his work in the United States v. Barry, et al. prosecution. He can be reached at shamoil.shipchandler@bgllp.com.
