Liability and Reputation Risks from Failure to Stay Current – the Wyndham Hotel Security Breac
The spate of cyber-security failures is now producing lawsuits that highlight the Caremark and D&O liability risks companies face when they fail to develop policies to stay in touch with modern science and practice in the use of computer security systems. The risks of course apply to other failures, such as failures to keep up with molecular biology. Specifically, a May 7, 2014 post at the D&O Diary reports on a formerly sealed lawsuit against Wyndham. Two key quotes are below; the full article is worth reading. The highlighted phrase could easily refer to most any failure with respect to detecting corporate risks, such as product liability risks from selling products without reasonable attention to up-to-date science. Note especially the allegation that the company was three years out of date; that may not seem like a long time to some, but in today’s world, …..
“The complaint alleges further … that the Company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions” and allowed the company’s software to “be configured inappropriately.” *** The company’s three data breaches allegedly resulted in the compromise of more than 619,000 consumer payment card account numbers, many of which were subsequently exported to a domain registered in Russia, allegedly causing fraudulent charges and more than $10.6 million in fraud loss.”
“The complaint alleges that the defendants’ failure to implement appropriate internal controls designed to detect and protect repetitive data breaches “severely damaged” the company and resulted in the FTC enforcement action noted above. The FTC action, the complaint notes, “poses the risk of tens of millions of dollars in further damages.” The company’s failure to protect its customers’ personal information “has damaged its reputation with its customer base.” The complaint alleges that the plaintiff has brought the action “to rectify the conduct of the individuals bearing ultimate responsibility for the Company’s misconduct – the directors and senior management.”