[BreachExchange] Judge agrees to drop Target shareholder lawsuit on cyber breach

Mon Jul 11 19:18:44 EDT 2016

http://www.businessinsurance.com/article/20160711/NEWS06/160719975/judge-agrees-to-drop-target-shareholder-lawsuit-on-cyber-breach

Following the recommendation of a special litigation committee appointed by
Target Corp.'s board of directors, a U.S. District Court judge has
dismissed a shareholder derivative lawsuit filed in connection with the
company's 2013 cyber breach.

Shareholder plaintiffs in the litigation filed in connection with the data
breach, which affected as many as 110 million people, did not oppose the
committee's motion to dismiss the litigation, according to the ruling
issued July 7 by U.S. District Judge Paul A. Magnuson in St. Paul,
Minnesota in Mary Davis et al. v. Gregg W. Steinhafel et al.

The plaintiffs retain the right, though, to seek legal fees and expenses
from Target, while Target in turn retains the right to oppose that motion,
according to the ruling.

According to court papers in the case, the two-man committee of independent
members — a retired judge and a law professor — was appointed by Target's
board of director in June 2014 after litigation was filed by six Target
shareholders.

One of these lawsuits included a derivative demand that the company
investigate and bring actions against the board members and the company's
CEO, chief financial officer and chief information officer. The other
shareholder lawsuits targeted the board members and officers in five
derivative actions. The lawsuits were eventually consolidated.

The lawsuits claimed that Target's officers and directors had failed to
properly provide for and oversee an information security program, and
failed to give customers prompt and accurate information in disclosing the
breach, which they said were the result of their “conscious disregard of
their duties and constituted breach of their fiduciary duties to Target.”

The committee investigated the breach over a 21-month period, conducting 73
interviews of 68 individuals. In a 91-page report submitted on March 30,
2016, the committee concluded that it would not be in Target's best
interests to pursue claims against the retailer's directors and officers.

The committee cited 39 factors it said it weighed in reaching its
conclusion, including the financial expenditures required to litigate the
claims and “contractual and legal issues” relating to Target's D&O
insurance coverage for claims of breach of fiduciary duty arising out of
the data breach.

According to market sources, Target had at least $100 million of cyber
insurance, including self-insured retentions, and $65 million of D&O
liability coverage.

Also cited were reports by New York-based independent auditor Ernst & Young
L.L.P. that, before the breach, there had not been any significant
deficiencies or material weakness in Target's information technology
general controls, which included security-related IT general controls.

A Target spokesman could not immediately be reached for comment.

Target reached a $39.4 million settlement with banks over the data breach
last year.

In addition, in March 2014, the company paid $10 million to settle class
action litigation in connection with the breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160711/417bf7ec/attachment.html>