It has been an open question as to whether
derivative claims brought by shareholders against officers and
directors of a breached corporation would gain a foothold in the
litigation environment. With the recent dismissal of such a claim
in the Target case, it appears that these types of actions still
face significant hurdles.
The ruling issued on July 7, 2016 by U.S. District Judge Paul A.
Magnuson in St. Paul, Minnesota granted the motion brought forward
by the Special Litigation Committee
("SLC") of the Board of Directors of
Target Corporation and the other defendants to dismiss the
consolidated derivative claims that had been filed against
Target's directors and officers. The ruling noted that the
plaintiffs did not oppose the motion to dismiss, except to retain
the right to seek legal fees and expenses.
Target was sued in early 2014 by several shareholders following
a massive 2013 data breach. Four of those claims were ultimately
consolidated into the claim that was dismissed while another claim
was stayed pending this result. The plaintiffs claimed that
Target's directors and officers failed to properly provide for
and oversee an information security program and to give customers
prompt and accurate information in disclosing the breach.
Target's board established the SLC in June of 2014 and
eventually expanded the SLC's mandate to include all derivative
lawsuits. Minnesota courts defer to a corporation's SLC
decision to dismiss a derivative action if the SLC demonstrates
that it (i) possessed a disinterested independence and (ii)
conducted a good faith investigation into the derivative
The SLC produced its report in March of 2016 where it described
the SLC members, both of whom were disinterested and independent
parties, neither of whom had ever served on Target's Board of
Directors, been employed by Target, or otherwise represented the
company, its investigative methodology and the factors it
considered in making its determinations. The SLC concluded that
"it would not be in Target's best interests to pursue
claims against the officers or directors identified in the Demand
and derivative complaints, including those named in this
This is another data breach derivative case to have been
dismissed. In 2014, a New Jersey federal judge dismissed a
derivative action against the directors and officers of the Wyndham
Worldwide Corp. The claims made against Wyndham in that case were
similar to the claims made against Target, and similarly to
Target's board the Wyndham board rejected the shareholder
demands. The court in that case concluded that the plaintiff had
failed to show proof that Wyndham board's refusal investigate
and remedy the hotel chain’s security protocols was a sign of
While this case was dismissed, class actions by injured
consumers, financial institutions and payment card networks are
likely to follow a data breach. Boards need to continue to be
vigilant on cyber security risk management establishing processes
and procedures to bolster the security of their systems and to
respond to an attack. Insurance continues to be a topic of
discussion especially given the increasing costs of a breach.
Target has reportedly incurred in $291 million of cumulative data
breach related expenses, partially offset by expected insurance
recoveries of $90 million, for net cumulative expenses of $201
Under the Income Tax Act, the Employment Insurance Act, and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions or GST.
Under the Income Tax Act, the Employment Insurance Act, the Canada Pension Plan Act and the Excise Tax Act, a director of a corporation is jointly and severally liable for a corporation's failure to deduct and remit source deductions.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).