[BreachExchange] Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 13 20:55:06 EDT 2016


http://www.jdsupra.com/legalnews/fizzled-suit-against-target-officers-12686/

In a terse two-page order, Senior District Court Judge Paul Magnuson
dismissed derivative claims brought against officers and directors of
Target in connection with the 2013 holiday-season data breach.  The
dismissed claims, brought by Target shareholders on behalf of the
corporation, alleged that the data breach had resulted from management
failures by the defendant officers and directors.  The Target board of
directors appointed a special litigation committee (“SLC”) to investigate
the shareholders’ allegations and determine whether or not to pursue the
claims.  The SLC, composed of two newly-appointed independent directors
represented by independent counsel, recommended that Target not pursue
claims against the officers and directors.  The SLC then moved to dismiss,
as did Target and the defendant officers and directors.  Plaintiffs
declined to oppose and the court’s order followed.The SLC’s decision to
seek dismissal was unsurprising.  Although it was equipped with broad
investigative powers, the SLC had a relatively narrow legal mandate.
Corporate law protects officers and directors from lawsuits second-guessing
their exercise of judgment in the performance of their corporate
responsibilities absent self-interested conduct – which was not alleged
here – or such extreme dereliction of responsibilities as to constitute a
breach of their fiduciary duty of care.  This legal principle – known as
the business judgment rule – sets a high bar for derivative claims to clear
before a lawsuit can go forward.   The SLC conducted an extensive two-year
investigation into the data breach to evaluate whether the defendants’
conduct ran afoul of that standard of care, reviewing thousands of
documents and conducting 68 witness interviews.  The SLC also met with and
received information from counsel for the shareholders and for Target.  The
investigation yielded a 91-page report detailing the extensive data
security processes in place before the breach and the post-breach efforts
to improve those processes.  Weighing its findings of fact against the
highly deferential standard of care applicable to corporate fiduciaries,
the SLC concluded that it was not in the interest of Target to pursue
claims against the officers and directors.

The order of dismissal obligates Target to file a Form 8-K report with the
SEC disclosing the dismissal of the lawsuit.  The dismissal is without
prejudice to the right of any other Target shareholder to file a new
derivative claim within thirty days of the filing of the Form 8-K.
However, given the detail and extent of the SLC investigation, it is
unlikely that any new shareholder would be tempted to try to fashion a new
set of claims against the officers and directors.

A salient question is whether the derivative claims should ever have been
brought in the first place.  There is no dispute that the consequences of
the data breach have been serious.  Target’s latest Form 10-Q reports that
the company has incurred $291 million of cumulative expenses resulting from
the data breach, which have been partially offset by expected insurance
recoveries of $90 million, for net cumulative expenses of $201 million.
But the mere fact that a corporate mishap proves to be costly is not
evidence of a breach of fiduciary duty.  And, ironically, a non-trivial
part of those expenses is the substantial cost associated with the SLC
investigation.  Target incurred the cost of that massive SLC investigation
as a direct result of the shareholder plaintiffs’ decision to bring
derivative mismanagement claims in the face of the business judgment rule.
  Or, put another way, by commencing a derivative action with small
prospect of success, the shareholders arguably inflicted additional harm on
the corporation that that the lawsuit purported to benefit.

This result exemplifies the adverse consequences  of the “shoot first, ask
questions later” mentality that typifies the lawyer-driven race to the
courthouse after a data breach.   It is possible that some data breaches
could result from severe dereliction of corporate duty, such that a
derivative claim for breach of the duty of care might have merit.  But it
will rarely be possible to know that in the immediate aftermath of the
breach, when plaintiffs’ lawyers are jockeying for first-to-file status in
hopes of snagging coveted lead counsel roles in the ensuing litigation.
The rare cases where a corporation might want to consider action against
its officers and directors would only reasonably be determined long after
the breach has occurred.  In the vast majority of data breach cases, the
routine filing of derivative actions shortly after a breach has occurred
can only exacerbate the harms that the lawsuits supposedly aim to vindicate.

And here, there may be more harms yet to come.  Despite assenting to the
SLC’s motion to dismiss their claims, the derivative plaintiffs have
reserved the right to seek payment of their attorneys’ fees by Target.  It
remains to be seen whether the derivative plaintiffs will in fact file such
a motion and thereby, at a minimum, impose on Target the further cost of
opposing that fee request.  If nothing else, a parting demand for payment
of attorneys’ fees would leave little doubt about who the derivative action
was truly meant to benefit.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160713/b9647bb1/attachment.html>


More information about the BreachExchange mailing list