rule continues to play a formidable role in protecting the business decisions of officers and directors. The shareholder derivative actions outlined in this section illustrate how courts have addressed duty of oversight claims and critical facts that increasingly may inform the perspective of board members moving forward.
1. Wyndham
Wyndham Worldwide Corporation (Wyndham) experienced repeated hack- ing between 2008 and 2010, compromis- ing the data of roughly 619,000 custom- ers.42 Specifically, “[o]n three occasions between April 2008 and January 2010,” information was stolen when “hackers breached [Wyndham’s] main network and those of its hotels.”43 As a result, Wyndham was subject to an enforcement action by the Federal Trade Commis- sion, and a shareholder demand.” 44 After evaluating the demand and consulting with outside counsel, the board’s audit committee decided that the “shareholder demand letter [was] not well grounded”
and recommended that Wyndham not bring the suit.45 The board voted in ac- cordance with the audit committee’s rec- ommendation and the shareholder filed suit in New Jersey federal court regard- ing the board’s demand refusal.46
Specifically, the complaint alleged that “[i]n violation of their express prom- ise to do so, and contrary to reasonable customer expectations, [Wyndham] and its subsidiaries failed to take reason- able steps to maintain their customers’ personal and financial information in a secure manner.” 47 Moreover, the board members “aggravated” the damage by not disclosing the breaches and their “failures to implement appropriate inter- nal controls at [Wyndham] designed to detect and prevent repetitive data breach- es [...] severely damaged” the company.48 Ultimately, the complaint alleged that “[t]he Board consciously disregarded its duty to conduct a reasonable investiga- tion upon receipt of a shareholder de- mand and refused to conduct any inde-
pendent investigation whatsoever of the demand’s allegations.” 49
The court ruled that defendants did not act in bad faith.50 Next, the court concluded that the board’s investigation in light of the demand was not unrea- sonable given that the board “had al- ready discussed the cyber-attacks at 14 meetings from October 2008 to August 2012,” the cybersecurity issues had been addressed by the board’s audit commit- tee, and Wyndham had hired outside experts to investigate the cybersecu- rity issues.51 Accordingly, the claim was dismissed because the board had taken sufficient steps to conduct a reasonable investigation of the cybersecurity issues and was entitled to deference under the business judgment rule.52
2. Target
After a 2013 data breach, Target an- nounced on December 19, 2013, that 40 million credit and debit card accounts had been compromised by the breach, and on January 10, 2014, it announced
      Contact Thomas Harvey today for a tour.
etharvey@harveyhanna.com
AVAILABLE
Creekwood Corporate Center
910 Basin Road, New Castle, Delaware 19720
• 7,870 S.F. of Class A office space • 12 executive offices
• 1 executive board room
• Spacious open floor plan
• 5 parking spaces per 1,000 S.F.
• Located at the Route 141/I-95 Interchange
 harveyhanna.com (302) 323-9300 405 E. Marsh Lane, Suite 1, Newport, DE 19804
   SPRING 2020 DELAWARE LAWYER 17