
InfoBytes Blog

Financial Services Law Insights and Observations


  • Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts

    Courts

    On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he failed to show that the directors faced a substantial likelihood of liability on a non-exculpated claim.

    The data breach, which exposed the personal information of approximately 500 million customers, took place via the reservation database of a property company that the corporation had acquired two years prior. The plaintiff alleged that the directors breached their fiduciary duties by failing to adequately conduct due diligence of cybersecurity technology for the property company in the pre-acquisition time period. For the post-acquisition period, the plaintiff alleged that the defendants continued to operate the property company’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under In re Caremark Int’l Inc. Derivative Litigation, a 1996 Delaware Chancery Court decision establishing a standard for oversight liability for board members.

    With respect to the pre-acquisition time period, the court held that the plaintiff’s claims were time-barred and that there was no basis for tolling. As to the post-acquisition claims, the court concluded that the directors do not face a substantial likelihood of liability under Caremark. Although the court noted that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors,” the allegations “do not meet the high bar required to state a Caremark claim.” According to the court, the plaintiff has not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures. The court acknowledged that the data breach was “momentous in scale and put the data of hundreds of millions of people at risk,” but concluded that the actions were “at the hands of a hacker,” saying that “[the corporation] was the victim of an illegal act rather than the perpetrator.”

    Courts Privacy/Cyber Risk & Data Security Derivatives Data Breach

  • FDIC finalizes securitization safe harbor

    Agency Rule-Making & Guidance

    On January 30, the FDIC adopted the Final Rule to Revise Securitization Safe Harbor Rule (rule) as recommended by FDIC staff in a memorandum dated January 23. In July, as previously covered by InfoBytes, the FDIC approved a proposal to remove the requirement that, for safe harbor treatment, “the documents governing a securitization issuance require compliance with Regulation AB” of the SEC “in circumstances where Regulation AB is not, by its terms, applicable to that transaction.” The proposal suggested that “it is no longer clear that compliance with the public disclosure requirements of Regulation AB in a private placement or in an issuance not otherwise required to be registered is needed to achieve the policy objective of preventing a buildup of opaque and potentially risky securitizations such as occurred during the pre-crisis years, particularly where the imposition of such a requirement may serve to restrict overall liquidity.” The final rule, which is unchanged from the proposal, eliminates the “significant disclosure requirements” so that private placements of securitization obligations are no longer required to provide Regulation AB disclosures. With the adoption of the final rule, only those transactions that are subject to Regulation AB are required to make the disclosures. The rule is expected to increase the securitization of residential mortgages and will become effective 30-60 days after it is published in the Federal Register.

    Agency Rule-Making & Guidance FDIC Derivatives Bank Regulatory Deposit Insurance Securities Securitization Safe Harbor Rule RMBS Disclosures Mortgages SEC
