Republished from Tressler’s Privacy Risk Report blog.
High profile data breaches are inevitably followed by a flurry of lawsuits, including derivative lawsuits filed by those companies’ shareholders. However, derivative suits have not found success and are frequently dismissed at the early stages of the lawsuit. Earlier this year, Judge Paul Magnuson of the U.S. District Court for the District of Minnesota dismissed the derivative lawsuit against Target’s directors and officers, and this week, the court in the Home Depot shareholder derivative action reached a similar conclusion as Judge Magnuson.
On November 30, 2016, Judge Thomas W. Thrash, Jr. of the U.S. District Court for the Northern District of Georgia granted the motion to dismiss filed by Home Depot’s directors and officers in a shareholder derivative suit. The derivative suit arises out of the 2014 data breach in Home Depot’s stores, which resulted in the theft of financial data of 56 million customers. Following the breach, multiple shareholders filed derivative complaints against Home Depot, which were eventually consolidated. In the consolidated lawsuit, the shareholders claim that Home Depot’s directors and officers breached their duties to the shareholders by failing to take the risk of a data breach seriously and failing to implement sufficient security measures prior to the breach. The shareholders allege causes of action for breach of fiduciary duty, waste of corporate assets and violation of the Securities Exchange Act.
The shareholders made no demand on Home Depot’s board that it file suit against the directors, which is generally a prerequisite to filing a derivative suit unless the demand is excused. The court’s analysis accordingly focused on whether the demand requirement was excused. As to the breach of fiduciary duty claims, the court found that the shareholders faced an “incredibly high hurdle” to demonstrate particularized facts beyond a reasonable doubt that a majority of the board faced substantial liability because it consciously failed to act in the face of a known duty to act. The court noted that it was “not surprising” that the shareholders failed to meet this burden. The gist of the shareholders’ complaint was that the board improperly exercised its business judgment, which was simply not sufficient to show the bad faith necessary to excuse demand.
The court held that the demand was not excused as to the corporate waste claims on similar grounds, finding that the shareholders’ claim was fundamentally a challenge to the board’s business judgment for delaying the update of Home Depot’s security systems. Finally, the court held that the demand was not excused as to the shareholders’ securities claims because the shareholders failed to point to specific statements in Home Depot’s proxy statements that were rendered misleading or false by the alleged omissions concerning security threats. The shareholders therefore did not meet their burden to demonstrate particularized factual allegations that raise a reasonable doubt that directors were disinterested and independent.
The dismissal of the Home Depot derivative litigation is the latest in a long line of unsuccessful attempts by shareholders to file derivative lawsuits against corporations that experience data breaches. It remains to be seen whether shareholders can satisfy the “incredibly high hurdle” for excusing the demand requirement, or, alternatively, can surpass the findings of a special litigation committee, like the committee appointed in the Target litigation. Based on court rulings to date in these types of actions, however, it seems more likely than not that where a board implements a security plan, even if it is not a perfect security plan, it will be protected by the business judgment rule.