[BreachExchange] Shareholder Derivative Suit Following Data Breach Misses Target

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 19 19:39:52 EDT 2016


http://www.jdsupra.com/legalnews/shareholder-derivative-suit-following-65180/

On July 7, 2016, Judge Paul A. Magnuson of the United States District Court
for the District of Minnesota granted Defendants’ Motions to Dismiss a
shareholder class action that had been initiated following a 2013 holiday
season data breach involving customers of Target Corporation (“Target,” or
“the Company”).  The data breach, which resulted in the release of
information of approximately 70 million consumer credit and debit cards,
made headlines as one of the biggest privacy hacks at the time.  Initially
disclosed to the public in December 2013, with an estimated 40 million
credit and debit cards affected, Target subsequently revealed a little less
than a month later that additional consumer data, including customers’
names, mailing addresses, phone numbers and email addresses, were also
stolen, and increased its initial estimate to 110 million.

Following the announcement and extensive coverage in the media, multiple
private litigants initiated shareholder derivative actions against 14
individual defendants on Target’s board and executive management alleging
that the Company’s officers and directors (1) failed to properly provide
for and oversee an information security program; and (2) failed to give
customers prompt and accurate information in disclosing the breach.  Based
on these allegations, plaintiffs asserted claims for breach of fiduciary
duty, gross mismanagement, waste of corporate assets and abuse of control.

After the commencement of litigation, the Target Board formed a Special
Litigation Committee (“SLC”) to investigate the shareholders’ allegations
and the suit was stayed pending the conclusion of the investigation.  Over
the span of nearly 2 years, the SLC sought to determine whether it was
appropriate for Target to pursue plaintiffs’ claims and to respond to the
litigation on behalf of the Board and the Company.  Following an intensive
review, involving interviewing witnesses, searching databases and reviewing
thousands of documents, the SLC concluded in a 91-page March 2016 report
that the Company should not pursue the claims, and instead, moved to
dismiss the action in May 2016.

As the SLC explained in its motion to dismiss, under Minnesota law, courts
defer to a corporation’s special litigation committee’s decision to dismiss
a derivative action if it determines that (1) the members of the SLC were
disinterested and independent; and (2) that the SLC conducted a good faith
investigation.  The SLC demonstrated in its papers that its members were
highly qualified, independent and disinterested.  Moreover, the SLC
described its robust and comprehensive investigative procedures, which
included retaining independent counsel (who had never represented the
Company before) and experts, interviewing 68 witnesses, reviewing and
analyzing thousands of documents, meeting frequently and considering myriad
factors regarding Target’s best interests in deciding whether or not to
pursue the claims against the individuals for the data breach.

By order dated July 7, 2016, the court granted the SLC’s motion to dismiss
and plaintiffs did not oppose motions to dismiss filed by the individual
defendants.   The Target case is significant in that it highlights the
significant risks that individual directors and officers, and not only the
companies for whom they work, face in connection with data breaches and the
importance of oversight over a robust information security system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160719/21b08514/attachment.html>


More information about the BreachExchange mailing list