Page 29 - Delaware Lawyer - Spring 2020

2013 TARGET DATA BREACH, (2014).
72. See Memorandum of Law of the Special Litig. Comm. of the Bd. of Dirs. of Target Corp. in Support of its Motion for Approval and Dismissal at 18-19, Davis v. Steinhafel, No. 0:14-cv-00203-PAM-JJK (D. Minn. May 6, 2016).
73. In re The Home Depot S’holder Derivative Litig., 223 F. Supp. 3d 1317, 1321 (N.D. Ga. 2016).
74. Id. 75. Id. 76. Id. 77. Id. 78. Id. 79. Id. 80. Id. 81. Id. 82. Id.
at 1324-25. at 1325.
at 1326.
at 1326.
at 1327.
83. Plaintiffs’ Unopposed Motion For Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law In Support, In re The Home Depot S’holder Derivative Litig., No. 1:15-cv-2999 (N.D. Ga. 2016).
84. Plaintiffs’ Unopposed Motion at 3.
85. Id.
86. In 2016, Wendy’s publicly announced that it suffered a data breach due to malware that compromised more than 300 of its franchise locations. See Complaint at ¶ 106, Graham v. Peltz, No. 1:16-cv-1153 (S.D. Ohio filed Dec. 16, 2016). Shareholders filed a derivative lawsuit in the Southern District of Ohio against Wendy’s and 19 of its directors. In May 2018 the parties entered into a settlement that, in relevant part, established that “[t]he Board will maintain a Technology Committee with oversight responsibilities relating to matters of information technology and cybersecurity” and “[t]he Technology Committee will be governed by a Charter, which will include in relevant part that the Technology Committee shall oversee, among other things, cybersecurity matters.” Memorandum of Law In Support of Plaintiff James Graham’s Motion For Preliminary Approval of Derivative Litigation Settlement at 17, Graham v. Peltz, No. 1:16-cv-1153 (S.D. Ohio filed May 6, 2018), ECF No. 41-1.
87. See supra at IIC; see also id.
88. Marchand v. Barnhill, 212 A.3d 805, 807 (Del. 2019).
89. Id.
90. Id.
91. Id. at 821. The Court further explained that “our focus here is on the key issue of whether the plaintiff has pled facts from which we can infer that Blue Bell’s board made no effort to put in place a board-level compliance system. That is, we are not examining the effectiveness of a board-level compliance and reporting system after the fact. Rather, we are focusing on whether the complaint pleads facts supporting a reasonable inference that the board did not undertake good faith efforts to put a board-level system of monitoring and reporting in place.” Id.
92. Id. at 822.
93. Id.
94. Id.
95. In re Clovis Oncology, Inc. Derivative Litig., No. 2017-0222-JRS, 2019 Del. Ch. LEXIS 1293, at *2 (Del. Ch. Oct. 1, 2019).
96. Id.
97. Id. at *28.
98. Id. (citations omitted).
99. Id. at *29. fn. 47 (citations omitted).
100. Id. (citations omitted).
101. Id. (citations omitted). Specifically, the court held: “Plaintiffs have alleged particularized facts supporting reasonable inferences that: (i) the Board knew the TIGER-X protocol incorporated RECIST; (ii) RECIST requires reporting only confirmed responses; (iii) industry practice and FDA guidance require that the study managers report only confirmed responses; (iv) management was publicly reporting unconfirmed responses to keep up with Tagrisso’s response rate; and (v) the Board knew management was incorrectly reporting responses but did nothing to address this fundamental departure from the RECIST protocol. When Clovis’ serial non-compliance with RECIST was finally revealed to the regulators, Roci was doomed. And when the drug’s failure was revealed to the market, Clovis’ stock price tumbled.” Id. at *30-31.
102. See Lawrence J. Trautman & Peter C. Ormerod, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach, 66 AM. U. L. REV. 1231, 1240 (2017).
103. This article focuses on the enforcement actions of several U.S. regulators that are integral players in the discussion surrounding cybersecurity and corporate governance. However, there are a number of other U.S. regulators (e.g., U.S. Department of Health and Human Services) that influence attendant challenges and court reviews of deficient oversight allegations. It is also important to note that the European Union’s data protection regulators lodged several large enforcement actions under the General Data Protection Regulation that came into effect in 2018 and allows regulators to fine companies up to 4 percent of their global annual revenue. Allison Grande, The Biggest Privacy & Cybersecurity Developments Of 2019, LAW360 (Dec. 20, 2019), https://www.law360.com/articles/1228763/the-biggest-privacy-cybersecurity-developments-of-2019. Notable enforcement actions under the GDPR in connection with cybersecurity incidents include the United Kingdom’s plan to fine Marriott $129 million and British Airways $244 million. Id.
104. FEDERAL TRADE COMMISSION, Privacy & Data Security Update: 2018, at 2 (2018).
105. The FTC Act does not create a private right of action, nullifying the possibility of a class action against a company or its directors under Section 5(a). See 15 U.S.C. § 45(a)(1) (2006).
106. F.T.C. v. Wyndham Worldwide Corp., 10 F.Supp.3d 602, 635 (D.N.J. 2014) aff’d, 799 F.3d 236 (3d Cir. 2015).
107. See Gerard M. Stegmaier & Wendell Bartnick, Psychics, Russian Roulette, And Data Security: The FTC’s Hidden Data-Security Requirements, 20 Geo. Mason L. Rev. 673-720 (May 9, 2013).
108. See Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 COLUM. L. REV. 583, 607 (2014) (observing practitioners follow FTC consent decrees very carefully in efforts to understand what specific practices or omissions are more likely to receive enforcement scrutiny).
109. For example, “Facebook launched services with feel-good names like ‘Privacy Shortcuts’ and ‘Privacy Checkup’ that claimed to help users manage their settings and limit who had access to their data,” but even under the most restrictive settings “Facebook made consumers’ personal data accessible to companies that developed apps used by consumers’ friends.” Lesley Fair, FTC’s $5 billion Facebook settlement: Record-breaking and history-making, F.T.C. (July 24, 2019), https://www.ftc.gov/news-events/blogs/business-blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-history.
110. FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook, FTC (July 24, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions (“The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.”). These provisions also apply to the companies Facebook controls, including Instagram and WhatsApp. Id.
111. See Gerard Stegmaier, $5 billion Federal Trade Commission settlement with Facebook represents largest privacy enforcement penalty ever, TECHNOLOGY LAW DISPATCH (July 30, 2019), https://www.technologylawdispatch.com/2019/07/privacy-data-protection/5-billion-federal-trade-commission-settlement-with-facebook-represents-largest-privacy-enforcement-penalty-ever/
112. We believe that those seeking to file Caremark claims might look to FTC orders as evidence of best practices or even legal obligations in companies not subject to such orders. In part, this may be a byproduct of how the agency enforces its authority and the manner in which it provides guidance, often blurring the line between what is required and what may be desired.
113. Complaint at ¶¶ 21, 22, FTC v. Equifax Inc. No. 1:19-cv-03297 (N.D. Ga. filed July 22, 2019).
114. Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB and States Related to 2017 Data Breach, FTC (July 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related
115. CF Disclosure Guidance: Topic No. 2, Division of Corporation Finance, SEC (October 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
116. Id.
117. 17 C.F.R. Parts 229 and 249; [Release Nos. 33-10459; 34-82746]; Commission Statement and Guidance on Public Company Cybersecurity Disclosures.
118. Id. at 6.
119. Id.