Security and tech executives like Target's former CIO won't be the only ones in the cross-hairs after a data breach — corporate board members and other executives may soon bear some of the liability if a lawsuit filed by a Wyndham Worldwide Corporation shareholder sets a precedent.
Wyndham shareholder Dennis Palkon filed a derivative suit against the hotel chain in U.S. District Court, District of New Jersey, on February 2, accusing Wyndham Worldwide board directors and officers, as well as the chain itself, of failing “to take reasonable steps to maintain their customers' personal and financial information in a secure manner” after the company was wracked by three breaches between April 2008 and January 2010.
Although the suit was filed in February, it was just made public May 2 with considerable redactions to protect confidential business data, according to a Wednesday blog post on The D&O Diary, penned by attorney Kevin M. LaCroix.
“As a result of WWC's complete and utter lack of appropriate security measures, thieves were able to steal sensitive personal and financial data from over 619,000 of the Company's customers,” the suit says, noting that identity thieves have already used the personal information of many victims to commit crimes such as fraud. Many others must maintain “constant vigilance of their financial and personal records…to protect themselves from the threat” of identity theft.
Wyndham has been under fire for the three breaches with the Federal Trade Commission filing suit against Wyndham in June 2012, alleging that more than $10 million in fraudulent purchases were made by using hundreds of thousands of credit card numbers belonging to customers.
With the derivative suit, Palkon seeks to “remedy defendants' violations of law, breaches of fiduciary duties, and waste of corporate assets that have caused substantial damages to the Company,” according to court documents.
While the suit adds to Wyndham's woes, it has even broader implications that data breaches are increasingly being viewed as an upper level executive or boardroom-level liability, whether those at the top are made to bear the cost with dollars or at the expense of their jobs. In fact, though reasons were manifold, Target's CEO Gregg Steinhafel stepped down yesterday as impact of the retailer's high-profile breach continues to ripple out.