Barrientos v. Salmirs

SUPREME COURT OF THE STATE OF NEW YORK COUNTY OF NEW YORK: COMMERCIAL DIVISION PART IAS MOTION 39EFM
Apr 13, 2020
2020 N.Y. Slip Op. 30933 (N.Y. Sup. Ct. 2020)

Opinion

INDEX NO. 654456/2018

04-13-2020

FRANCISCO BARRIENTOS, STEPHEN SZPILA, Plaintiff, v. SCOTT SALMIRS, LINDA CHAVEZ, J. PHILIP FERGUSON, ANTHONY FERNANDES, ART GARCIA, THOMAS GARTLAND, SUDHAKER KESAVAN, LAURALEE MARTIN, FILIPPO PASSERINI, WINIFRED WEBB, DIEGO SCAGLIONE, JAMES MCCLURE, SCOTT GIACCOBE, ABM INDUSTRIES INCORPORATED (NOMINAL DEFENDANT), LEIGHANNE BAKER, DONALD COLLERAN Defendant.


NYSCEF DOC. NO. 109 MOTION DATE 12/20/2019 MOTION SEQ. NO. 002

DECISION + ORDER ON MOTION

HON. SALIANN SCARPULLA: The following e-filed documents, listed by NYSCEF document number (Motion 002) 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 84, 85, 86, 87, 88, 89, 90, 100, 101, 102, 103, 104, 105 were read on this motion to/for DISMISSAL.

In this shareholders' derivative action, defendants Scott Salmirs, Linda Chavez, J. Philip Ferguson, Anthony Fernandes, Art Garcia, Thomas Gartland, Sudhaker Kesavan, Lauralee Martin, Filippo Passerini, Winifred Webb, Diego Scaglione, James Mcclure, Scott Giaccobe, Leighanne Baker, Donald Colleran (together, the "Individual Defendants") and nominal defendant ABM Industries, Inc. ("ABM") (collectively, "Defendants") move, pursuant to CPLR 3211(a)(1) and (a)(7), to dismiss the amended verified complaint of plaintiffs Francisco Barrientos and Stephen M. Szpila (together, "Plaintiffs").

Background

ABM is a Delaware corporation with its principal place of business in New York, New York. ABM provides "janitorial, facilities engineering, parking, and specialized mechanical and electrical technical solutions." The Individual Defendants are certain current and former members of ABM's Board of Directors (the "Board" or "Board Members") and certain of its current and former executive officers.

The description of the parties and Plaintiffs' allegations of wrongdoing are taken from Plaintiffs' amended verified complaint, NYSCEF Doc. No. 46.

ABM allegedly collects and stores highly sensitive private information about its 140,000 employees, including: full names, social security numbers, medical information, health insurance information, biometric identifiers and information, addresses, birth dates, driver's license numbers, and credit card information ("PI"). ABM allegedly retains the PI even after employees leave ABM.

On or about August 1, 2017, ABM discovered that it had incurred a data breach. A phishing attack was successfully executed, resulting in the theft of PI. Plaintiffs allege that ABM did not send out mass notices to its employees of the data breach until the week of March 5, 2018, more than seven months later. Further, citing to a consolidated class action lawsuit brought by ABM employees whose data had been compromised (the "Employees' Class Action"), Plaintiffs allege that ABM eventually sent notification letters to 104,882 current and former employees concerning the 2017 data breach.

Plaintiffs also allege that ABM was the victim of earlier cyber-attacks in 2011, 2014 and 2017.

Plaintiffs next allege that, on or around June 14, 2018, ABM was alerted to additional suspicious activity related to certain employee email accounts. ABM determined that an unknown actor gained access to certain ABM employee email accounts through another phishing attack. Following an investigation, ABM determined that the unauthorized access occurred between January 8, 2018 and August 7, 2018. Again citing the Employees' Class Action, Plaintiffs claim that the 2018 data breach affected approximately 60,000 current and former ABM employees.

The Employees' Class Action is a consolidated case styled as: Evelia Davila v ABM Industries, Inc. et al., Case No. 2:18cv-03919 (C.D. Cal. May 10, 2018). Plaintiffs explain that Larry Wade initially brought an action in the Circuit Court of Cook County, Illinois, which was removed to the United States District Court for the Northern District of Illinois and docketed as: Wade v ABM Industries Incorporated, Case No. 1:18-cv-02940 (N.D. Ill. Apr. 25, 2018) (the "Wade Action"). The Wade Action was then transferred to the United States District Court for the Central District of California and docketed as: Wade v ABM Industries Incorporated, Case No. 2:18-cv-05256 (C.D. Cal. June 14, 2018). The Wade Action was then consolidated with an action originally brought in California state court, Davila v ABM Industries Incorporated, No. BC699176 (Cal. Super. Ct., filed March 22, 2018), and removed and docketed as Case No. 2:18-cv-03919-FMO-MRW (C.D. Cal.). After submission of the motion papers, Defendants submitted a pending motion to settle the Employees' Class Action. The proposed settlement sets out the enhanced cybersecurity protocols ABM has instituted and will institute. Also, the proposed settlement provides, among other things, for free credit monitoring for class members. Defendants posit that the Employees' Class Action will be settled for less than $1 million.

Procedural History

Plaintiffs commenced this action in September 2018 and filed an amended verified complaint in May 2019. In the amended verified complaint Plaintiffs assert causes of action for: breach of fiduciary duty against ABM's current and former directors (first cause of action); breach of fiduciary duty against ABM's CEO (second cause of action); and breach of fiduciary duty against ABM's non-director officers (third cause of action).

Specifically, in their amended verified complaint, Plaintiffs allege that the Individual Defendants breached their fiduciary duties to ABM by: (i) failing to implement and enforce a system of effective internal controls and procedures to protect employees' PI; (ii) failing to exercise their oversight duties by not monitoring ABM's compliance with internal procedures and federal and state regulations; (iii) storing the PI of employees, former employees and vendors; (iv) failing to have proper cybersecurity safeguards to adequately secure the PI; (v) failing to have a sufficient incident response plan to immediately respond to a data breach; (vi) failing to ensure that ABM notified all potentially affected individuals and entities in a timely manner upon discovering the data breaches; (vii) failing to make adequate public disclosure of the data breaches and related Employees' Class Action; and (viii) allowing ABM to violate state and federal laws and regulations concerning data privacy. Plaintiffs claim that, because of the Individual Defendants' breach of their fiduciary duties, ABM has and will in the future be required to expend significant amounts of money, and that ABM has lost "credibility, reputation and goodwill."

Amended verified complaint, ¶ 198, NYSCEF Docket No. 46.

Plaintiffs did not make a demand on the Board to investigate their allegations before commencing this action and did not make a demand before serving the amended verified complaint. In the amended verified complaint Plaintiffs allege that "demand would be a futile and useless act because the Individual Defendants are incapable of making an independent and disinterested decision to institute and vigorously prosecute this action."

Amended verified complaint, ¶ 206, NYSCEF Docket No. 46.

Defendants now move to dismiss the amended verified complaint on the ground that Plaintiffs lack standing because they have not made the required demand on the Board and have failed sufficiently to allege facts to show that demand was excused. Defendants also argue that the amended verified complaint fails to state causes of action for breach of fiduciary duty. In opposition, Plaintiffs argue that they have standing because demand was excused, and that they have adequately pled their claims.

Derivative Standing

Because ABM is incorporated in Delaware, the law of Delaware applies to the issue of whether Plaintiffs have sufficiently pled demand futility in this shareholder derivative action. Asbestos Workers Phila. Pension Fund v Bell, 137 A.D.3d 680 (1st Dept 2016); Wandel v Dimon, 135 AD3d 515 (1st Dept 2016). A fundamental principle of Delaware corporate law is that:

[t]he business and affairs of every corporation . . . shall be managed by or under the direction of a board of directors . . . [and] 'by its very nature [a] derivative action impinges on the managerial freedom of directors.' Therefore, the right of a stockholder to prosecute a derivative suit is limited to situations where either the stockholder has demanded the directors pursue a corporate claim and the directors have wrongfully refused to do so, or where demand is excused because the directors are incapable of making an impartial decision regarding whether to institute such litigation . . . [Delaware] Court of Chancery Rule 23.1, accordingly, requires that the complaint in a derivative action "allege with particularity the efforts, if any, made by the plaintiff to obtain the action the plaintiff desires from the directors [or] the reasons for the plaintiff's failure to obtain the action or for not making the effort.
Stone ex rel. AmSouth Bancorp. v Ritter, 911 A2d 362 (Del. 2006).

Further, under Delaware law, the factors to be examined in determining whether demand is excused depend on whether plaintiffs' complaint concerns affirmative board actions and transactions or a board's alleged failure to act. Asbestos Workers Phila. Pension Fund v Bell, 137 AD3d 680 (1st Dept 2016). In Asbestos Workers Phila. Pension Fund v Bell, the First Department described the distinction as follows:

Where the underlying lawsuit seeks to challenge affirmative board action, a two prong [Aronson] test is applied in assessing the futility of such a demand . . . The Aronson test is 'whether, under the particularized facts alleged, a reasonable doubt is created that: (1) the directors are disinterested and independent [or] (2) the challenged transaction was otherwise the product of a valid exercise of business judgment' Since this test is in the disjunctive, if either prong is satisfied, pre-suit demand is excused.
137 AD3d at 682 (citing Aronson v Lewis, 473 A2d 805, 814 (Del Ch 1984), overruled in part on other grounds Brehm v Eisner, 746 A2d 244 (Del 2000)). The First Department continued that:
[o]n the other hand, where a complaint alleges board inaction, demand futility can be established by particularized facts creating a reasonable doubt that at the time the complaint was filed, the board could not have properly exercised its independent and disinterested business judgment in responding to the demand [the Rales test].
Id., citing In re Goldman Sachs Group, Inc. Shareholder Litig., 2011 WL 4826104 (Del Ch 2011), affd sub nom. Southeastern Pennsylvania Transp. Auth. v Blankfein, 44 A3d 922 (Del 2012) and Rales v Blasband, 634 A2d 927 (Del 1993).

Plaintiffs and Defendants disagree both as to the demand futility standard to be applied to the amended verified complaint and whether Plaintiffs have met their burden of alleging sufficient facts to support a claim of demand futility under the applicable standard.

Should the Aronson or Rales Standard Govern the Amended Complaint?

In their memorandum in support, Defendants argue that, because Plaintiffs challenge the Board's alleged inaction, i.e., failure to ensure and maintain sufficient cybersecurity protocols and failure timely and fully to disclose the data breaches, rather than challenging a specific board action or transaction, the Rales standard of analyzing demand futility is applicable. In opposition, and citing Staehr v. Mack, No. 07 CIV. 10368 DAB, 2011 WL 1330856 (S.D.N.Y. 2011), Plaintiffs argue that they "believe the Aronson test applies here" because the Individual Defendants' alleged "conscious" decision not to act quickly to disclose and ensure sufficient cybersecurity protocols "is akin to affirmative board action for purposes of determining which standard to use." Mem. In Opp. at 5.

Plaintiffs essentially argue that, because the phishing and disclosure events occurred, the Board's alleged failure to ensure an adequate cybersecurity protocol and to timely disclose the phishing attacks must have been deliberate and conscious. Even assuming that a plaintiff could convert an action concerning a Board's inaction (triggering the Rales standard) into an action concerning affirmative board action (triggering the Aronson standard) by simply claiming that the Board's deliberate inaction was an affirmative action, that conscious failure to act must be supported by particularized allegations. Staehr, No. 07 CIV. 10368 DAB, 2011 WL 1330856 at 4 (citations omitted); see Brehm v Eisner, 746 A2d 244 (Del 2000) ("Rule 23.1 is not satisfied by conclusory statements or mere notice pleading."). Plaintiffs' allegations of conscious failure to act are entirely conclusory, without sufficient factual support.

The gravamen of Plaintiffs' allegations is the Individual Defendants' inadequate management over the flow of information concerning the data breaches and failure to ensure that ABM employed adequate cybersecurity protocols. Thus, for example, Plaintiffs admit that in 2017 the Board formed a subcommittee, the Board Strategy and Risk Enterprise Committee ("SER Committee"), and appointed a Chief Information Officer ("CIO") to address (among other things) cybersecurity issues, but allege that neither the SER Committee nor the CIO adequately prepared for, or responded to, the data breaches. These factual allegations plainly support application of the Rales demand futility standard.

To the extent that Plaintiffs allege that the Board failed to ensure adequate and full disclosure of the data breaches in ABM's public filings, these allegations are also examined under the Rales demand futility standard. Deckter on Behalf of Bristol-Myers Squibb Co. v Adreotti, 170 AD3d 486, 487 (1st Dept 2019), quoting Steinberg v Bearden, 2018 WL 2434558, *8 (Del Ch 2018).

At bottom, this action is anchored on allegations of the Individual Defendants' alleged inaction. Accordingly, I analyze Plaintiffs' demand futility argument under the Rales demand futility standard.

Have Plaintiffs Adequately Alleged Demand Futility Under Rales?

Under Delaware law, where the plaintiff's complaint is based upon Board inaction,

the criteria for determining whether plaintiff's failure to make a pre-suit demand on the board is excused are set forth in Rales v. Blasband . . . . Under Rales, 'a court must determine whether ... the particularized factual allegations of a derivative stockholder complaint create a reasonable doubt that, as of the time the complaint is filed, the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand . . the mere threat of personal liability ... is insufficient to challenge either the independence or disinterestedness of directors.
Deckter, 170 AD3d at 487, quoting Rales v Blasband, 634 A.2d 927, 934-36 (Del. 1993) (additional citations omitted); see also Madison Sullivan Partners LLC v PMG Sullivan Street LLC, 173 AD3d 437, 438 (1st Dept 2019) (To adequately allege demand futility, plaintiffs must set forth "particularized facts establishing that defendants faced a 'substantial likelihood' of personal liability." (citations omitted)). And, where, as here, a plaintiff's claims are based upon failure of a board of directors to exercise its oversight duties, "[o]nly a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability." In re Caremark Int'l Inc. Derv. Litig, 698 A2d 959, 971 (Del Ch 1996).

In their amended verified complaint, Plaintiffs fail to plead sufficient factual allegations "creat[ing] a reasonable doubt that . . . the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand." First, Plaintiffs have failed to plead facts showing a "sustained or systematic failure of the board to exercise oversight" with the requisite specificity. At most, they plead facts showing that the Board did not act quickly enough to disclose the data breaches, did not disclose enough about the data breaches, and did not do enough to protect against past and future data breaches. These allegations do not amount to the "utter failure" of the Board to respond to the challenges of cybersecurity. See, e.g., Wandel, 135 AD3d at 516.

Additionally, "a derivative complaint must plead facts specific to each director, demonstrating that at least half of them could not have exercised disinterested business judgment in responding to a demand." Desimone v Barrows, 924 A.2d 908, 943 (Del. Ch. 2007) (footnote omitted). Here, Plaintiffs impermissibly group plead their claim that the Board members could not have exercised disinterested business judgment.

Further, the Board Members are insulated from monetary liability for breach of the fiduciary duty claims by an exculpation provision in ABM's restated certificate of incorporation. See Restated Certificate of Incorporation of ABM Incorporated, NYSCEF Doc. No. 29; 8 Del. C. § 102(b)(7). Under Delaware law, to survive a motion to dismiss on demand futility grounds made by an independent director protected by an exculpation clause, the plaintiff must plead "facts supporting a rational inference that director harbored self-interest adverse to the stockholders' interests, acted to advance the self-interest of an interested party from whom they could not be presumed to act independently, or acted in bad faith." In re Cornerstone Therapeutics, Inc. Stockholder Litigation, 115 A3d 1173, 1179-80 (Del. 2015) (footnote omitted).

Plaintiffs do not allege that any of the Individual Defendant directors are interested directors.

Plaintiffs generically claim that the Board advanced their own self-interest above that of the ABM shareholders because they paid themselves "lavishly." Plaintiffs, however, have failed adequately to state specific facts showing that the Board members' alleged lavish compensation caused them to fail properly to oversee ABM's cybersecurity. Moreover, Plaintiffs do not allege that any of the Individual Defendants personally profited from the Board's alleged failure to oversee ABM's cybersecurity.

Plaintiffs have also failed to plead facts sufficient to show that the Board Members acted with bad faith. The allegations in the amended verified complaint concerning alleged bad faith deal mostly with the Board's alleged failure adequately and correctly to disclose the data breaches to the shareholders and in public filings. See Malone v Brincat, 722 A2d 5 (Del. 1998). Plaintiffs, however, do not plead any underlying facts showing that the Board took any specific action to misreport or underreport the data breaches. Instead, Plaintiffs broadly allege that ABM's public statements and disclosures were insufficient or too general, and therefore false and misleading. Plaintiffs' broad allegations concerning inadequate disclosure are not adequately pled with the specificity demanded by Chancery Rule 23.1.

In Malone v Brincat, the Delaware Supreme Court held that a board of directors' knowing dissemination of false information to shareholders could, even in the absence of a request for shareholder action, support a claim for breach of fiduciary duty. Malone v Brincat, 722 A2d 5 (Del 1998).

Likewise, Plaintiffs' allegations that the Board, in bad faith, caused ABM to violate federal securities regulations on disclosure, as well as state privacy laws, are impermissibly broad. While Plaintiffs allege that Board Members willfully violated the data breach notification laws of several states, they do not make any particularized allegations as to what type of violation occurred, or as to which Board Member caused the alleged violations. The same impermissible generality affects Plaintiffs' allegations of violations of federal security regulations. Plaintiffs provide no particularized facts to support the assertion that a security law violation even occurred, let alone which Board Member acted to cause the violation.

Defendants point out that the Securities and Exchange Commission has not opened an investigation into ABM in connection with the data breaches.

At bottom, Plaintiffs lack standing to prosecute the amended verified complaint because they have not made the requisite demand on ABM's Board and have failed adequately to allege the futility of demand on the Board. For this reason I dismiss the amended verified complaint, with prejudice. Because I dismiss for lack of standing, I do not address Defendants' alternative grounds for relief.

In accordance with the foregoing, it is

ORDERED that the motion of defendants Scott Salmirs, Linda Chavez, J. Philip Ferguson, Anthony Fernandes, Art Garcia, Thomas Gartland, Sudhaker Kesavan, Lauralee Martin, Filippo Passerini, Winifred Webb, Diego Scaglione, James Mcclure, Scott Giaccobe, Leighanne Baker, Donald Colleran and nominal defendant ABM Industries, Inc. to dismiss the amended verified complaint of plaintiffs Francisco Barrientos and Stephen M. Szpila is granted, the amended verified complaint is dismissed with prejudice, and the Clerk of the Court is directed to enter judgment accordingly.

This constitutes the decision and order of the Court.

Dated: New York, New York

March 30, 2020 4/13/2020

Citations

2020 N.Y. Slip Op. 30933 (N.Y. Sup. Ct. 2020)
2020 N.Y. Slip Op. 30942