United States District Court, D. New Jersey
DENNIS PALKON, Derivatively on Behalf of WYNDHAM WORLDWIDE CORPORATION, Plaintiff,
v.
STEPHEN P. HOLMES, ERIC A. DANZIGER, SCOTT G. McLESTER, JAMES E. BUCKMAN, MICHAEL H. WARGOTZ, GEORGE HERRERA, PAULINE D.E. RICHARDS, MYRA J. BIBLOWIT, BRIAN MULRONEY, STEVEN A. RUDNITSKY, AND DOES 1-10, Individual Defendants, and WYNDHAM WORLDWIDE CORPORATION, a Delaware corporation, Nominal Defendant.
STANLEY R. CHESLER, District Judge.
This matter comes before the Court upon the motion filed by Defendants Myra J. Biblowit, James E. Buckman, Eric A. Danziger, George Herrera, Stephen P. Holmes, Scott G. McLester, Brian Mulroney, Pauline D.E. Richards, Steven A. Rudnitsky, Michael H. Wargotz, and Wyndham Worldwide Corporation (collectively "Defendants") to dismiss the Complaint pursuant to Rules 23.1(b) and 12(b)(6) of the Federal Rules of Civil Procedure. Plaintiff Dennis Palkon ("Plaintiff") opposes the motion. The Court has considered the parties' submissions. For the reasons that follow, the Court grants the motion to dismiss, and the case will be closed.
This case involves a shareholder who seeks to compel a corporate board of directors to bring a lawsuit on the company's behalf. The shareholder's proposed suit pertains to breaches of the company's online networks, during which hackers accessed the personal and financial information of a large number of customers. The Court has jurisdiction over this action pursuant to 28 U.S.C. § 1332(a)(2), as the parties are citizens of different states and the amount in controversy exceeds $75,000. The Court draws the following facts from the complaint, and assumes them to be true for purposes of this motion only.
Wyndham Worldwide Corporation ("WWC") is a large hospitality company that operates hotels and resorts globally. The company is incorporated in Delaware and headquartered in Parsippany, New Jersey. As part of the hospitality business, WWC's subsidiaries often collect customers' personal and financial data. WWC hotels let customers make room reservations online, which requires the customers to enter their personal credit card information.
On three occasions between April 2008 and January 2010, that information was stolen. Hackers breached WWC's main network and those of its hotels. They performed a "brute force attack," which means they guessed user IDs and passwords to enter an administrator's account, and then used "memory-scraping malware" to collect sensitive data. Through these methods, the hackers obtained the personal information of over six-hundred thousand customers.
In April 2010, the Federal Trade Commission ("FTC") began to investigate the cyberattacks against WWC, and in June 2012, it commenced a legal action against the company for its security practices. WWC retained the law firm of Kirkland & Ellis, LLP ("Kirkland") to represent it in the FTC action.
In November 2012, a WWC shareholder sent a letter to WWC's Board of Directors ("the Board") demanding that it bring a lawsuit based on the online breaches. The Board instructed its Audit Committee to evaluate the demand. That committee then consulted with Kirkland, which found that the "shareholder demand letter [was] not well grounded." On March 5, 2013, the Audit Committee recommended that WWC not bring the lawsuit, and on March 11, the full Board voted to adopt that recommendation.
Approximately three months later, on June 11, 2013, Plaintiff Dennis Palkon ("Plaintiff") sent a letter to the Board similarly demanding that it "investigate, address, and promptly remedy the harm inflicted" on the company by the breaches. Plaintiff is a Pennsylvania resident who owned shares of WWC when it was hacked. WWC's General Counsel, Scott McLester ("McLester"), wrote to Plaintiff on June 28 that he had submitted the demand to the Board.
The Board met on August 8 to discuss Plaintiff's demand as well as developments in the FTC action. The Board voted unanimously not to pursue Plaintiff's proposed litigation. On August 20, McLester wrote to Plaintiff's counsel to report that the Board had found it "not in the best interests of [WWC] to pursue the claims" in Plaintiff's demand. The letter further provided that the Board was declining Plaintiff's demand for the same reasons it had refused the earlier, November 2012 demand, which was "virtually identical." Plaintiff is represented by the same counsel who pursued that earlier demand.
Although it decided not to bring a lawsuit based on the breaches, the Board discussed the cyber-attacks, WWC's security policies, and proposed security enhancements at fourteen meetings between October 2008 and August 2012. The Audit Committee reviewed the same matters in at least sixteen meetings during that period. WWC hired technology firms to investigate each breach and to issue recommendations on enhancing the company's security. Following the second and third breaches, WWC began to implement those recommendations.
B. Procedural History and Defendants' Motion to Dismiss
On February 25, 2014, Plaintiff filed a derivative lawsuit against WWC and numerous of its corporate officials. At the heart of Plaintiff's Complaint is an assertion that Defendants failed to implement adequate data-security mechanisms, such as firewalls and elaborate passwords, and that this failure allowed hackers to steal customers' data. He further claims that Defendants failed to timely disclose the data breaches after they occurred. Plaintiff claims that these actions damaged WWC's reputation and cost it significant ...