United States District Court, D. New Jersey
October 20, 2014
DENNIS PALKON, Derivatively on Behalf of WYNDHAM WORLDWIDE CORPORATION, Plaintiff,
STEPHEN P. HOLMES, ERIC A. DANZIGER, SCOTT G. McLESTER, JAMES E. BUCKMAN, MICHAEL H. WARGOTZ, GEORGE HERRERA, PAULINE D.E. RICHARDS, MYRA J. BIBLOWIT, BRIAN MULRONEY, STEVEN A. RUDNITSKY, AND DOES 1-10, Individual Defendants, and WYNDHAM WORLDWIDE CORPORATION, a Delaware corporation, Nominal Defendant.
STANLEY R. CHESLER, District Judge.
This matter comes before the Court upon the motion filed by Defendants Myra J. Biblowit, James E. Buckman, Eric A. Danziger, George Herrera, Stephen P. Holmes, Scott G. McLester, Brian Mulroney, Pauline D.E. Richards, Steven A. Rudnitsky, Michael H. Wargotz, and Wyndham Worldwide Corporation (collectively "Defendants") to dismiss the Complaint pursuant to Rules 23.1(b) and 12(b)(6) of the Federal Rules of Civil Procedure. Plaintiff Dennis Palkon ("Plaintiff") opposes the motion. The Court has considered the parties' submissions. For the reasons that follow, the Court grants the motion to dismiss, and the case will be closed.
This case involves a shareholder who seeks to compel a corporate board of directors to bring a lawsuit on the company's behalf. The shareholder's proposed suit pertains to breaches of the company's online networks, during which hackers accessed the personal and financial information of a large number of customers. The Court has jurisdiction over this action pursuant to 28 U.S.C. § 1332(a)(2), as the parties are citizens of different states and the amount in controversy exceeds $75, 000. The Court draws the following facts from the complaint, and assumes them to be true for purposes of this motion only.
Wyndham Worldwide Corporation ("WWC") is a large hospitality company that operates hotels and resorts globally. The company is incorporated in Delaware and headquartered in Parsippany, New Jersey. As part of the hospitality business, WWC's subsidiaries often collect customers' personal and financial data. WWC hotels let customers make room reservations online, which requires the customers to enter their personal credit card information.
On three occasions between April 2008 and January 2010, that information was stolen. Hackers breached WWC's main network and those of its hotels. They performed a "brute force attack, " which means they guessed user IDs and passwords to enter an administrator's account, and then used "memory-scraping malware" to collect sensitive data. Through these methods, the hackers obtained the personal information of over six-hundred thousand customers.
In April 2010, the Federal Trade Commission ("FTC") began to investigate the cyberattacks against WWC, and in June 2012, it commenced a legal action against the company for its security practices. WWC retained the law firm of Kirkland & Ellis, LLP ("Kirkland") to represent it in the FTC action.
In November 2012, a WWC shareholder sent a letter to WWC's Board of Directors ("the Board") demanding that it bring a lawsuit based on the online breaches. The Board instructed its Audit Committee to evaluate the demand. That committee then consulted with Kirkland, which found that the "shareholder demand letter [was] not well grounded." On March 5, 2013, the Audit Committee recommended that WWC not bring the lawsuit, and on March 11, the full Board voted to adopt that recommendation.
Approximately three months later, on June 11, 2013, Plaintiff Dennis Palkon ("Plaintiff") sent a letter to the Board similarly demanding that it "investigate, address, and promptly remedy the harm inflicted" on the company by the breaches. Plaintiff is a Pennsylvania resident who owned shares of WWC when it was hacked. WWC's General Counsel, Scott McLester ("McLester"), wrote to Plaintiff on June 28 that he had submitted the demand to the Board.
The Board met on August 8 to discuss Plaintiff's demand as well as developments in the FTC action. The Board voted unanimously not to pursue Plaintiff's proposed litigation. On August 20, McLester wrote to Plaintiff's counsel to report that the Board had found it "not in the best interests of [WWC] to pursue the claims" in Plaintiff's demand. The letter further provided that the Board was declining Plaintiff's demand for the same reasons it had refused the earlier, November 2012 demand, which was "virtually identical." Plaintiff is represented by the same counsel who pursued that earlier demand.
Although it decided not to bring a lawsuit based on the breaches, the Board discussed the cyber-attacks, WWC's security policies, and proposed security enhancements at fourteen meetings between October 2008 and August 2012. The Audit Committee reviewed the same matters in at least sixteen meetings during that period. WWC hired technology firms to investigate each breach and to issue recommendations on enhancing the company's security. Following the second and third breaches, WWC began to implement those recommendations.
B. Procedural History and Defendants' Motion to Dismiss
On February 25, 2014, Plaintiff filed a derivative lawsuit against WWC and numerous of its corporate officials. At the heart of Plaintiff's Complaint is an assertion that Defendants failed to implement adequate data-security mechanisms, such as firewalls and elaborate passwords, and that this failure allowed hackers to steal customers' data. He further claims that Defendants failed to timely disclose the data breaches after they occurred. Plaintiff claims that these actions damaged WWC's reputation and cost it significant legal fees. Most pertinently, given these allegations, Plaintiff contends that the Board's decision to refuse his demand was wrongful.
Defendants moved to dismiss Plaintiff's Complaint on June 2, 2014. Defendants argue three points to support their motion. First, they urge that the Board's refusal to pursue Plaintiff's demand was a good-faith exercise of business judgment, made after a reasonable investigation. Second, even if the Board's refusal had been wrongful, Defendants assert that the Complaint fails to state a claim upon which relief can be granted. Third, Defendants claim that Plaintiff's alleged damages are speculative and unripe.
Plaintiff opposes the motion for three corresponding reasons. He first contends that the Board wrongfully refused his demand by relying on an investigation dominated by conflicted counsel. He next urges that he adequately pleaded his legal claims, as WWC failed to institute reasonable security protections. Last, Plaintiff asserts that shareholders have already suffered damages due to the costs of defending against the FTC investigation.
A. Motions to Dismiss
Defendants move to dismiss pursuant to Rules 23.1(b) and 12(b)(6) of the Federal Rules of Civil Procedure. Accordingly, the Court will accept as true all of the factual allegations in Plaintiff's Complaint, as well as the reasonable inferences therefrom. See In re Forest Labs. Derivative Litig. , 450 F.Supp.2d 379, 387 (S.D.N.Y.2006) (applying Delaware law). The Court will not, however, accept a "legal conclusion couched as a factual allegation." Baraka v. McGreevey , 481 F.3d 187, 195 (3d Cir. 2007); Fowler v. UPMC Shadyside , 578 F.3d 203, 210-11 (3d Cir. 2009); see also Ashcroft v. Iqbal , 556 U.S. 662, 679 (2009) ("While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations.").
B. Demand Refusal
Because WWC is a Delaware corporation, the substantive law of that state governs. See Kamen v. Kemper Fin. Servs. , 500 U.S. 90, 108-09 (1991); Blasband v. Rales , 971 F.2d 1034, 1047 (3d Cir. 1992). Under Delaware law, "[t]he decision to bring a law suit or to refrain from litigating a claim on behalf of a corporation is a decision concerning the management of the corporation[, ]" and it is "part of the responsibility of the board of directors." Spiegel v. Buntrock , 571 A.2d 767, 773 (Del. 1990). A shareholder who wishes to sue on behalf of a corporation, therefore, cannot do so independently, and must instead demand that the board of directors bring the action. Id.
If a board of directors refuses to pursue a shareholder's demand, that decision falls under the purview of the "business judgment rule." Id. at 773-74. Under that rule, courts presume that the board refused the demand "on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company." Id. at 774.
A shareholder dissatisfied with a board's refusal may seek to rebut that presumption by bringing a derivative action lawsuit. See id.; Rich ex rel. Fuqi Int'l v. Chong , 66 A.3d 963, 975 (Del. Ch. 2013). The shareholder must raise a reasonable doubt that the refusal was a business judgment, which requires pleading with particularity that the decision was either: (1) "made in bad faith, " or (2) "based on an unreasonable investigation." In re Merrill Lynch & Co., 773 F.Supp.2d 330, 351 (S.D.N.Y.2011) (quoting RCM Sec. Fund v. Stanton , 928 F.2d 1318, 1328 (2d Cir. 1991)) (applying Delaware law); see also Fed.R.Civ.P. 23.1(b)(3)(A) (providing that shareholder must plead with particularity the efforts to make a demand upon the board). This is a high burden. See In re Merrill Lynch, 773 F.Supp.2d at 345 (noting that "few, if any, plaintiffs surmount this obstacle").
Based on these principles, here the Court must decide if Plaintiff pled with particularity facts which raise a reasonable doubt that the Board acted (1) in good faith, or (2) based on a reasonable investigation. For the reasons that follow, Plaintiff has failed to meet this burden.
C. Bad Faith
Underlying Plaintiff's bad faith claim is the argument that the board's refusal was influenced by conflicted legal counsel. Plaintiff must show "that no reasonable business person could possibly" have made the refusal in good faith, or put differently, that the refusal goes "so far beyond the bounds of reasonable business judgment that its only explanation is bad faith." In re Tower Air, Inc. , 416 F.3d 229, 238 (3d Cir. 2005). Plaintiff has not made such a demonstration with respect to either Kirkland or WWC's General Counsel.
Plaintiff first urges that Kirkland had a conflict of interest with respect to the shareholder demands because it already represented WWC in the FTC litigation. The principal case upon which Plaintiff relies is Stepak v. Addison , 20 F.3d 398, 400 (11th Cir. 1994). There, a board of directors solicited the advice of an outside law firm to refuse a shareholder's demand. Significantly, however, that same firm "had represented the alleged wrongdoers in criminal proceedings involving the very subject matter of the demand." Id . The plaintiff urged, and the appellate panel found, that the firm had competing, conflicting duties, and thus could not impartially assess the shareholder demand. The firm faced "lingering and divided loyalties, " to the criminal defendants who it represented, and was "hampered in its investigation of the shareholder's allegations by its continuing duty to preserve the secrets and confidences of its former clients." Id. at 405-06. Emphasizing that the outside proceedings were criminal, the panel concluded that the "firm's representation of the alleged wrongdoers in criminal investigations is clearly incompatible with its simultaneous handling of a reasonable and neutral investigation of their conduct on behalf of the corporation." Id. at 405.
This case presents no such concerns. Kirkland did not have multiple, conflicting duties. Instead, its obligations in the FTC and shareholder matters were identical: it had to act in WWC's best interest. Plaintiff concedes this mirroring obligation in his brief, where he writes that "Kirkland was simultaneously representing [WWC] in the FTC Action and was duty-bound to zealously protect the Company's interests in that case." [Docket Item # 38 at 13]. As Plaintiff expressly acknowledges, in the FTC Action Kirkland had to look after WWC's interests, just as it had to do for Plaintiff's demand. While the firm in Stepak had lingering confidentiality duties to individual criminal defendants, here Kirkland was duty-bound at all times to advocate for WWC, and for no one else. This fundamental distinction renders Stepak inapposite.
Plaintiff next argues that WWC's General Counsel was conflicted when he advised the Board, as he faced personal liability stemming from the cyber-attacks. This argument lacks factual support. Plaintiff has provided no indication that his demand exposed McLester to any liability. Had the demand letter named McLester as a responsible party, Plaintiff's argument may carry more water. But the letter does not mention him. Furthermore, the subject matter of the demand was not an area with which McLester would likely be associated; he served as General Counsel, not as a technology or security official. See In re Bridgeport Holdings , 388 B.R. 548, 573 (Bankr. D. Del. 2008) ("Different corporate offices obviously hold different responsibilities."). Given that neither McLester nor other officials were named as targets, they had no reason to believe they were caught in Plaintiff's crosshairs.
To salvage this argument, Plaintiff asserts that McLester was "intimately involved in setting up the Company's data security in general[.]" (Compl. ¶ 80). Yet Plaintiff pleads no facts whatsoever as to what exactly McLester's supposed role was in the creation of the security programs. What was his intimate involvement? Without an answer to that question, Plaintiff's assertion falls short of the particularized pleading requirement of Rule 23.1(b), and it constitutes a conclusory allegation that the Court must disregard. See Iqbal , 556 U.S. at 679. Even if this allegation were substantiated, at most it would establish that personal liability may have been on McLester's radar. But WWC indemnified McLester against such liability [Docket Item # 14-3 at 25-28], and more importantly, the fear of personal liability alone does not render a corporate director conflicted. See Halpert Enters., 2007 WL 486561, at *6.
Plaintiff also claims that McLester's conflict of interest spilled over to muddy Kirkland's ability to give neutral advice. Plaintiff has failed, however, to allege any particularized facts suggesting that McLester improperly influenced Kirkland, and even if he had influenced the firm, the Court has already found that McLester had no conflict of interest to impart.
D. Unreasonable Investigation
Plaintiff asserts that the Board's investigation was predetermined and thus unreasonable. Preliminarily, the Court notes that "there is no prescribed procedure or form a Board must follow when responding to a demand letter." In re Merrill Lynch, 773 F.Supp.2d at 349. To assess the Board's investigation, then, the Court examines whether Plaintiff has pled particularized facts suggesting gross negligence, i.e., that "the Board acted with so little information that their decision was unintelligent and unadvised[.]" In re Gen. Motors Class E Stock Buyout Sec. Litig. , 694 F.Supp. 1119, 1133 (D. Del. 1988) (internal quotation marks and citation omitted). In light of the ample information the Board had at its disposal when it rejected Plaintiff's demand, and considering the numerous steps the Board took to familiarize itself with the subject matter of the demand, Plaintiff has also failed to make this showing.
The Board's familiarity with the factual underpinnings of Plaintiff's demand did not begin with its arrival. Board members had already discussed the cyber-attacks at fourteen meetings from October 2008 to August 2012. "At every quarterly Board meeting, the General Counsel gave a presentation regarding the Breaches, and/or [WWC's] data-security generally." (Compl. ¶ 63). Similarly, WWC's "Audit Committee discussed these same issues in at least sixteen committee meetings during this same time period." (Id.). Board members' understanding of the subject matter of Plaintiff's demand had also already been developed pursuant to the FTC action, which stemmed from the same attacks. Finally, just before receiving Plaintiff's demand, the Board received and investigated a "virtually identical" demand letter brought by Plaintiff's counsel. (Compl. ¶¶ 75, 82). In response to that letter, the Board formally charged the Audit Committee with a review and discussed the matter at multiple meetings.
These earlier investigations, standing alone, would indicate that the Board had enough information when it assessed Plaintiff's claim. A board need not treat each demand as though it is the first; instead, board members may rely on earlier-obtained information. See In re Boston Scientific Corp. Shareholders Litig. , 2007 WL 1696995, at *5-6 (S.D.N.Y. June 13, 2007) (finding directors had sufficient information after they reviewed "earlier investigative work"); In re Merrill Lynch, 773 F.Supp.2d at 349 (approving investigation where board "had already considered and rejected a similar demand" and "was already quite familiar with the allegations in plaintiff's letters from its consideration of the various other [related] proceedings); Halpert Enterprises v. Harrison , 2007 WL 486561, at *5-6 (S.D.N.Y. Feb. 14, 2007) (rejecting Plaintiff's notion that investigation was inadequate because it "merely referenced prior investigations").
All told, by the time Plaintiff submitted his letter, the Board's review of it did "not occur in a vacuum." [Docket Item #1-5 at 2]. Members were well versed on its allegations. Nevertheless, the Audit Committee and Board did specifically consider Plaintiff's submission. Board members met to discuss the demand on August 8, 2013, and they unanimously voted not to pursue it. In the Board's response to Plaintiff, it noted that it was rejecting Plaintiff's demand for the same reasons it had denied the earlier, "identical" demand. Those reasons were that: (1) "[WWC] has strong defenses to the FTC's allegations"; (2) the suit "would impair [WWC's] defenses in the FTC's lawsuit"; (3) "the claims contemplated are not yet ripe"; (4) "there has been no material damage to [WWC's] shareholders as a result of the FTC's lawsuit or the conduct at issue"; and (5) "there would be significant legal barriers to the claims contemplated by your letter." [Docket Item #1-4 at 2-3].
To counter these explanations, Plaintiff simply notes that a letter-brief submitted on WWC's behalf states that the Board retained counsel to advise it "regarding rejection of the demand." Plaintiff contends that this phraseology shows that the refusal was preordained. Such isolated and post hoc language from a legal brief is "not evidence, " In re eBay, Derivative Litig., 2011 WL 3880924, at *5 n.8 (D. Del. Sept. 2, 2011), and even if it were, it could not overcome the extensive steps taken and information had by the Board, as reviewed above.
Given the business judgment rule's strong presumption, courts uphold even cursory investigations by boards refusing shareholder demands. See Levine v. Smith , 591 A.2d 194, 199, 214 (upholding investigation where board merely wrote to plaintiff that it had reviewed the demand and found that pursuing it would not be in the corporate interest). Here, the Court finds that WWC's Board had a firm grasp of Plaintiff's demand when it determined that pursuing it was not in the corporation's best interest.
For the reasons above, the Court will grant Defendants' motion, dismissing Plaintiff's claims with prejudice. An appropriate Order will be filed.