October 6, 2022

Volume XII, Number 279

Advertisement

October 05, 2022

Subscribe to Latest Legal News and Analysis

October 04, 2022

Subscribe to Latest Legal News and Analysis

October 03, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Definition of Insanity? Wendy’s Shareholders File Derivative Action Based on 2015-16 Data Breach

An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016.  Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.

Readers of this space will note our skepticism about the merits of shareholder derivative actions against corporate officers and directors in data breach cases.  Claims for corporate mismanagement are subject to the business judgment rule, which protects officers and directors from lawsuits second-guessing their exercise of judgment in the performance of their corporate responsibilities absent self-interested conduct – which is generally not present in data breach cases – or such extreme dereliction of responsibilities as to constitute a breach of their fiduciary duty of care.  The difficulty in surmounting that burden is exemplified by dismissals of derivative actions based on data breaches perpetrated against Wyndham, Target, and Home Depot.

The Home Depot dismissal, issued just three weeks ago, apparently did not deter the Wendy’s shareholders from pursuing their derivative claims.  But it should have. In both cases the shareholders elected to sue without making demand on the boards of directors, despite the fact that both corporations are incorporated under Delaware law, which makes demand mandatory absent proof that a majority of the board members would be unable to exercise disinterested judgment.  The Home Depot shareholders could not do so, and the Wendy’s plaintiffs are unlikely to fare any better.  Allegations that a company’s data security practices proved inadequate, standing alone, are generally insufficient to establish that the company’s board cannot exercise independent judgment about whether such inadequacy rises to the level of a fiduciary breach.  If past is prologue, the likely result of this shareholder derivative action will be to divert corporate attention from responding to the data breach until such time as the case is dismissed.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume VI, Number 355
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Kevin McGinty Healthcare & Class Action Attorney Mintz Law Firm
Member

Kevin is an accomplished class action litigator with deep experience defending clients facing all types of class claims. He ably represents clients in consumer, contract, antitrust, unfair trade practice, tort, and employment class actions. Companies in diverse industries — including financial services, manufacturing, insurance, and retail — seek his assistance on complex litigation. A particular focus of his practice is representing healthcare-related companies in connection with False Claims Act cases, commercial disputes, privacy claims, and class actions.

Kevin concentrates in...

617-348-1688
Advertisement
Advertisement
Advertisement