On December 19, 2013, Target Corporation confirmed that hackers
stole information associated with approximately 40 million credit
and debit card accounts of its customers during November and
December of 2013. The data breach had significant consequences for
Target and its shareholders including over US$80 million of
expenses being incurred by Target in the past two quarters in
connection with the incident, the resignations of the company's
Chief Executive and Chief Information Officers, the initiation of
over 80 associated claims against the company and a significant
decline in the trading price of the company's shares.
Institutional Shareholder Services Inc. (ISS) believes the data
breach showed that Target was inadequately prepared for the risks
associated with its business and that responsibility for the
oversight of those risks lay with the Audit and Corporate
Responsibility Committees. In that context, ISS recommends that
Target's shareholders vote against the re-election of directors
who were on those Committees (seven out of 10 directors in total).
Glass Lewis, another leading proxy advisor, also raised corporate
governance concerns relating to the data breach but concluded that
it did not require voting against the incumbent directors.
In making its recommendation, ISS highlighted the role of the
audit and corporate responsibility committees in providing risk
oversight and management. In the context of Target's business,
ISS found that these committees should have been more cognizant of
the company's exposure to cyberattacks and that there was
little evidence that the company was adequately prepared for
"the significant risks associated with doing business in
today's electronic commerce environment". For example,
Target's chief information officer at the time of the breach
apparently had little information technology or data security
expertise and, prior to the data breach, the company had no chief
information security officer or chief compliance officer.
Although Target responded to the data breach with a number of
technology and corporate governance initiatives to strengthen its
risk management and cybersecurity capabilities, ISS characterized
these as reactionary measures that simply highlighted the
committees' failure to implement a risk management structure
that might have prevented that data breach. ISS (and Glass Lewis)
also criticized Target for not having an independent chair of its
board of directors and suggested that this may have played a role
in the board's failure to provide effective risk oversight.
ISS' recommendation against the Target directors highlights
the importance of a proactive approach to risk management at the
board level and that, depending on the nature of a company's
business, cybersecurity can be an important aspect of good
The content of this article does not constitute legal advice
and should not be relied on in that way. Specific advice should be
sought about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Under the Income Tax Act, the Employment Insurance Act, and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions or GST.
Under the Income Tax Act, the Employment Insurance Act, the Canada Pension Plan Act and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).