Case Details:

Risk Corporation is incorporated in Minnesota. The company operates a financial services business and serves clients in Wisconsin and Minnesota. Although the articles of incorporation describe the business purpose of the company as "providing financial services to business clients," Risk Corporation has recently begun selling insurance to clients.

Due to a recent increase in the number of cyber attacks affecting companies in the local area, Risk Corporation's board of directors decides to address the issue of data security during its regularly scheduled board meeting.Since the board does not have expertise in this area, the board decides to hire Crown Security Experts, a consulting firm, to advise them on the issue of data security. The board hires Crown Security based on the suggestion of board member Fay Francis. The board is unaware that Fay Francis has an ownership interest in Crown Security Since Fay does not mention her ownership interest in Crown Security. Because Fay has a background in data security, the board relies on Fay in its decision to hire Crown Security even though other security consulting firms offer similar services at a lower rate.

Crown Security informs the board that Risk Corporation should adopt a more aggressive data security program and an incident response plan in the event that corporate data is compromised by a data breach. Although many companies have incident response plans, there is no legal requirement to establish an incident response plan. Based on this advice, Risk Corporation's board decides to invest in an expensive incident response plan. Although the board monitors whether the incident response plan is implemented, the board does not fully monitor how individual employees are trained on data security procedures.

Two months later, there is a significant data breach after a Risk Corporation employee inadvertently forwards an email to the wrong recipient. Had the company adopted a more aggressive data security training program, it is possible that the data breach could have been avoided.

As a result of the data breach, customers' personal and financial data is confiscated, resulting in significant financial losses for Risk Corporation customers.Following the discovery of the data breach, stock prices at Risk Corporation decline.

Although Risk Corporation notifies customers of the security breach, the company does not notify customers in a timely manner.Risk Corporation notifies customers after two months, in violation of Wisconsin laws.Although the board ensures that customers are notified about the security breach, the board does not take an active role in evaluating the timing of the notification since other companies use a similar shareholder notification program.

Based on these activities, shareholders file a derivative action against the company and sue the board of directors. At the time the shareholders file the lawsuit against Risk Corporation and the board of directors, Risk Corporation's customers file a lawsuit against the shareholders. The customers' lawsuit against Risk Corporation shareholders alleges that the shareholders are liable for the customers' losses due to confiscated personal data since the corporation was formed to evade an existing obligation.

Answer (Choose a side from the case details):

If you are representing the shareholders, the plaintiff in this lawsuit, read the supplemental information for the plaintiff's attorney. If you are representing the board of directors, read the supplemental information for the defense. Once the comment period for posting initial comments ends, you will be able to access the supplemental information reviewed by your opponent.

If you represent the shareholders, present your arguments explaining why the shareholders should win their case. Also, indicate what additional information would be helpful in analyzing the case.

If you are representing the defendant, the board of directors, present your arguments explaining why the board of directors should not be liable in this case. Also, indicate what additional information would be helpful in analyzing the case.