On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he failed to show that the directors faced a substantial likelihood of liability on a non-exculpated claim.
The data breach, which exposed the personal information of approximately 500 million customers, took place via the reservation database of a property company that the corporation had acquired two years prior. The plaintiff alleged that the directors breached their fiduciary duties by failing to adequately conduct due diligence of cybersecurity technology for the property company in the pre-acquisition time period. For the post-acquisition period, the plaintiff alleged that the defendants continued to operate the property company’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under In re Caremark Int’l Inc. Derivative Litigation, a 1996 Delaware Chancery Court decision establishing a standard for oversight liability for board members.
With respect to the pre-acquisition time period, the court held that the plaintiff’s claims were time-barred and that there was no basis for tolling. As to the post-acquisition claims, the court concluded that the directors do not face a substantial likelihood of liability under Caremark. Although the court noted that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors,” the allegations “do not meet the high bar required to state a Caremark claim.” According to the court, the plaintiff has not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures. The court acknowledged that the data breach was “momentous in scale and put the data of hundreds of millions of people at risk,” but concluded that the actions were “at the hands of a hacker,” saying that “[the corporation] was the victim of an illegal act rather than the perpetrator.”
On January 30, the FDIC adopted the Final Rule to Revise Securitization Safe Harbor Rule (rule) as recommended by FDIC staff in a memorandum dated January 23. In July, as previously covered by InfoBytes, the FDIC approved a proposal to remove the requirement that, for safe harbor treatment, “the documents governing a securitization issuance require compliance with Regulation AB” of the SEC, “in circumstances where Regulation AB is not, by its terms, applicable to that transaction.” The proposal suggested that “it is no longer clear that compliance with the public disclosure requirements of Regulation AB in a private placement or in an issuance not otherwise required to be registered is needed to achieve the policy objective of preventing a buildup of opaque and potentially risky securitizations such as occurred during the pre-crisis years, particularly where the imposition of such a requirement may serve to restrict overall liquidity.” The final rule—which is unchanged from the proposal—eliminates the “significant disclosure requirements,” so that private placements of securitization obligations are no longer required to provide Regulation AB disclosures. With the adoption of the final rule, only those transactions that are subject to Regulation AB are required to make the disclosures. The rule is expected to increase the securitization of residential mortgages and will become effective 30-60 days after it is published in the Federal Register.