Republished from Tressler’s Privacy Risk Report blog.
On July 7, 2016, Judge Paul Magnuson of the United States District Court for the District of Minnesota granted several motions to dismiss by Target directors and officers seeking dismissal of derivative suits filed by various Target shareholders. The derivative suits stem from the 2013 data breach at Target stores where hackers stole private data from an estimated 70 million customers, including credit and debit card information, names, mailing addresses, phone numbers and e-mail addresses.
Of the bevy of litigation that stemmed from the breach, a total of six derivative suits arose from Target shareholders. One of those was filed by shareholder Maureen Collier, wherein she alleges Target’s board of directors and top executives bear the responsibility for the financial and reputational damages to the company as a direct result of the data breach (Collier v. Steinhafel et al.). In her suit, Collier brings claims for breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control.
In order to assess the allegations, a special litigation committee (SLC) was appointed by the company, including a former Minnesota Supreme Court justice and a University of Minnesota law school professor. In March 2016, after a nearly two-year long investigation, the committee issued a 91-page report concluding that Target should not pursue claims against the directors and officers.
In May 2016, after completion of the report, the SLC filed its Motion for Approval and Dismissal moving to dismiss the derivative actions. As outlined in the SLC’s Motion, courts do not question a SLC’s conclusions or re-examine the merits of its decisions, rather the court’s evaluation is limited to determining whether the SCL’s members are disinterested and independent.
By Order on July 7, 2016, Judge Magnuson granted the SLC’s Motion for Approval and Dismissal as well as Motions to Dismiss brought by three other individual defendants. While the instant motion was granted, the Plaintiffs did retain the right to move the court for legal fees and expenses from Target.
This dismissal comes as yet another hit to Plaintiff litigation in cybersecurity derivative lawsuits. In addition to the Target litigation, several other cases have also failed to advance past a Motion to Dismiss. In December 2009, a derivative suit against Heartland Payment Systems, its CEO and CFO was dismissed by the United States District Court for the District of New Jersey. In October 2014, the same court dismissed a similar lawsuit against Wyndham Worldwide and its directors and officers.
While, to date, Plaintiffs have not had much success with this issue, cybersecurity derivative litigation is still within its infancy. As technology advances so too does the proclivity for such data breaches, wherein the necessity falls upon top executives and directors to handle these matters accordingly to avoid derivative litigation.