A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat
Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak
An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed. On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores. The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target.
As in the Wyndham and Target cases, fundamental principles of corporate governance doomed the claims against Home Depot’s officers and directors. In the Home Depot case it was failure to make a demand before bringing the derivative action. Under Delaware law, the board of directors controls the right to bring claims against officers and directors for breaches of duties owed to the corporation. Where a shareholder sues derivatively on behalf of a Delaware corporation, making pre-suit demand on the board is mandatory. Demand will only be excused where the plaintiff can show that it would be impossible for a majority of the directors would be able to exercise independent and disinterested business judgment when deciding to pursue the claims.
In Home Depot, the court concluded that the mere fact that all directors were being sued was not enough to meet that standard. To demonstrate demand futility, plaintiffs would have to make particularized factual allegations as to the specific conduct of each director that purportedly constituted the alleged breach. Plaintiffs could not do that here. There were, instead, generalized allegations that the board had failed to perform its duty to secure the financial data of Home Depot’s customers. These allegations were a mix of 20-20 hindsight about the adequacy of Home Depot’s existing cyber-security program and misleading allegations – discounted by the court – that transfer of data security responsibilities to the board’s Audit Committee had somehow left those duties unfulfilled because the Audit Committee had not modified its charter to address data security. In the end, these allegations were insufficient to overcome either the demand requirement or the substantial deference accorded to the decisions of corporate officers and directors under the business judgment rule.
It is a truism that mismanagement of a corporation is not actionable. Where a corporation adopts measures intended to maintain data security, the fact that those measures ultimately prove inadequate does not, standing alone, provide a basis to make claims against officers and directors for breaches of their fiduciary duties. Absent facts showing egregious dereliction of duties or total failure to attend to data security, post-breach derivative actions are unlikely to accomplish anything beyond diverting the attention of decision makers and wasting corporate resources at a time when all efforts should be focused on protecting the company’s data. The serial failures of derivative actions arising from the Target, Wyndham and Home Depot data breaches should signal the uselessness of bringing such cases and, perhaps, deter strike suit purveyors from bringing such cases in the future.