[BreachExchange] A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 5 19:09:46 EST 2016


http://www.natlawreview.com/article/failed-strategy-another-derivative-action-data-breach-case-goes-down-to-defeat

An attempt to impose liability on corporate officers and directors for data
breach-related losses has once again failed.  On November 30, 2016, a
federal judge in Atlanta issued a 30-page decision dismissing a shareholder
derivative action arising out of the September 2014 theft of customer
credit card data from point-of-sale terminals in Home Depot stores.  The
dismissal of the Home Depot derivative action follows earlier dismissals of
derivative actions arising from data breaches perpetrated against Wyndham
and Target.

As in the Wyndham and Target cases, fundamental principles of corporate
governance doomed the claims against Home Depot’s officers and directors.
In the Home Depot case it was failure to make a demand before bringing the
derivative action.  Under Delaware law, the board of directors controls the
right to bring claims against officers and directors for breaches of duties
owed to the corporation.  Where a shareholder sues derivatively on behalf
of a Delaware corporation, making pre-suit demand on the board is
mandatory.  Demand will only be excused where the plaintiff can show that
it would be impossible for a majority of the directors to exercise
independent and disinterested business judgment when deciding to
pursue the claims.

In Home Depot, the court concluded that the mere fact that all directors
were being sued was not enough to meet that standard.  To demonstrate
demand futility, plaintiffs would have to make particularized factual
allegations as to the specific conduct of each director that purportedly
constituted the alleged breach.  Plaintiffs could not do that here.  There
were, instead, generalized allegations that the board had failed to perform
its duty to secure the financial data of Home Depot’s customers.  These
allegations were a mix of 20-20 hindsight about the adequacy of Home
Depot’s existing cyber-security program and misleading allegations –
discounted by the court – that transfer of data security responsibilities
to the board’s Audit Committee had somehow left those duties unfulfilled
because the Audit Committee had not modified its charter to address data
security.  In the end, these allegations were insufficient to overcome
either the demand requirement or the substantial deference accorded to the
decisions of corporate officers and directors under the business judgment
rule.

It is a truism that mismanagement of a corporation is not actionable.
Where a corporation adopts measures intended to maintain data security, the
fact that those measures ultimately prove inadequate does not, standing
alone, provide a basis to make claims against officers and directors for
breaches of their fiduciary duties.  Absent facts showing egregious
dereliction of duties or total failure to attend to data security,
post-breach derivative actions are unlikely to accomplish anything beyond
diverting the attention of decision makers and wasting corporate resources
at a time when all efforts should be focused on protecting the company’s
data.  The serial failures of derivative actions arising from the Target,
Wyndham and Home Depot data breaches should signal the uselessness of
bringing such cases and, perhaps, deter strike suit purveyors from bringing
such cases in the future.