Security and tech executives like Target's former CIO won't be the only ones in the cross-hairs after a data breach — corporate board members and other executives may soon bear some of the liability if a lawsuit filed by a Wyndham Worldwide Corporation shareholder sets a precedent.
Wyndham shareholder Dennis Palkon filed a derivative suit against the hotel chain in U.S. District Court, District of New Jersey, on February 2, accusing Wyndham Worldwide board directors and officers, as well as the chain itself, of failing “to take reasonable steps to maintain their customers' personal and financial information in a secure manner” after the company was wracked by three breaches between April 2008 and January 2010.
Although the suit was filed in February, it was just made public May 2 with considerable redactions to protect confidential business data, according to a Wednesday blog post on The D&O Diary, penned by attorney Kevin M. LaCroix.
“As a result of WWC's complete and utter lack of appropriate security measures, thieves were able to steal sensitive personal and financial data from over 619,000 of the Company's customers,” the suit says, noting that identity thieves have already used the personal information of many victims to commit crimes such as fraud. Many others must maintain “constant vigilance of their financial and personal records…to protect themselves from the threat” of identity theft.
Wyndham has been under fire for the three breaches since well before the derivative suit: the Federal Trade Commission sued the company in June 2012, alleging that more than $10 million in fraudulent purchases were made using hundreds of thousands of customers' credit card numbers.
With the derivative suit, Palkon seeks to “remedy defendants' violations of law, breaches of fiduciary duties, and waste of corporate assets that have caused substantial damages to the Company,” according to court documents.
While the suit adds to Wyndham's woes, it has a broader implication: data breaches are increasingly being viewed as an upper-level executive or boardroom-level liability, whether those at the top are made to bear the cost in dollars or with their jobs. In fact, though the reasons were manifold, Target's CEO Gregg Steinhafel stepped down yesterday as the impact of the retailer's high-profile breach continues to ripple out.
Speaking to SCMagazine.com Tuesday about the resignation of Steinhafel, Rick Doten, CISO at DMI, a provider of mobile solutions and services, noted “as risk management becomes more of a focus as it relates to IT, it's not just going to be IT folks that get canned when there's a problem, but those business people higher up the chain.”
Indeed, customers and shareholders alike are likely to demand answers from the top as well as restitution to mitigate the damage done by a breach — the former intent on protecting identity and the latter focused on the costs of responding to and remediating a breach. The de rigueur year of monitoring that most companies offer victims often costs well into the millions of dollars, depending on the size of the breach and the number potentially affected.