Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak
An attempt to impose liability on corporate officers and
directors for data breach-related losses has once again failed. On
November 30, 2016, a federal judge in Atlanta issued a
30-page decision dismissing a shareholder derivative action
arising out of the September 2014 theft of customer credit card
data from point-of-sale terminals in Home Depot stores. The
dismissal of the Home Depot derivative action follows earlier
dismissals of derivative actions arising from data breaches
As in the Wyndham and Target cases, fundamental principles of
corporate governance doomed the claims against Home Depot's
officers and directors. In the Home Depot case, it was the failure to
make a demand before bringing the derivative action. Under Delaware
law, the board of directors controls the right to bring claims
against officers and directors for breaches of duties owed to the
corporation. Where a shareholder sues derivatively on behalf of a
Delaware corporation, making pre-suit demand on the board is
mandatory. Demand will only be excused where the plaintiff can show
that it would be impossible for a majority of the directors to
exercise independent and disinterested business judgment
when deciding to pursue the claims.
In Home Depot, the court concluded that the mere fact that all
directors were being sued was not enough to meet that standard. To
demonstrate demand futility, plaintiffs would have to make
particularized factual allegations as to the specific conduct of
each director that purportedly constituted the alleged breach.
Plaintiffs could not do that here. There were, instead, generalized
allegations that the board had failed to perform its duty to secure
the financial data of Home Depot's customers. These allegations
were a mix of 20-20 hindsight about the adequacy of Home
Depot's existing cyber-security program and misleading
allegations – discounted by the court – that transfer
of data security responsibilities to the board's Audit
Committee had somehow left those duties unfulfilled because the
Audit Committee had not modified its charter to address data
security. In the end, these allegations were insufficient to
overcome either the demand requirement or the substantial deference
accorded to the decisions of corporate officers and directors under
the business judgment rule.
It is a truism that mismanagement of a corporation is not
actionable. Where a corporation adopts measures intended to
maintain data security, the fact that those measures ultimately
prove inadequate does not, standing alone, provide a basis to make
claims against officers and directors for breaches of their
fiduciary duties. Absent facts showing egregious dereliction of
duties or total failure to attend to data security, post-breach
derivative actions are unlikely to accomplish anything beyond
diverting the attention of decision makers and wasting corporate
resources at a time when all efforts should be focused on
protecting the company's data. The serial failures of
derivative actions arising from the Target, Wyndham and Home Depot
data breaches should signal the uselessness of bringing such cases
and, perhaps, deter strike suit purveyors from bringing such cases
in the future.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.