In the wake of its massive data breach, Target now faces a
shareholder derivative lawsuit, filed January 29, 2014. The suit
alleges that Target's board members and directors breached
their fiduciary duties to the company by ignoring warning signs
that such a breach could occur, and misleading affected consumers
about the scope of the breach after it occurred. Target already
faces dozens of consumer class actions filed by those affected by
the breach, putative class actions filed by banks, federal and
state law enforcement investigations, and congressional
This derivative action alleges that Target's board members
and directors failed to comply with internal processes related to
data security and "participated in the maintenance of
inadequate cyber-security controls." In addition, the suit
alleges that Target was likely not in compliance with the Payment
Card Industry's (PCI) Data Security Standards for handling
payment card information. The complaint goes on to allege that
Target is damaged by having to expend significant resources to:
investigate the breach, notify affected customers, provide credit
monitoring to affected customers, cooperate with federal and state
law enforcement agency investigations, and defend the multitude of
class actions. The derivate action also alleges that Target has
suffered significant reputational damage that has directly impacted
the retailer's revenue.
Target announced the breach December 18, 2013, stating that 40
million credit and debit card accounts may have been affected, and
notified its customers via email shortly thereafter. Though PINs
were not thought to have been part of the breach, on December 27,
Target announced that encrypted PINs had also been accessed. In
January, the retailer began offering credit monitoring to affected
individuals. On January 10, 2014, Target announced that it
uncovered a related breach of customer information – name,
address, phone number, and/or email address – for up to 70
million customers. With that announcement, many news outlets are
reporting that the total number of affected individuals is 110
This lawsuit is part of a growing trend of derivative and
securities fraud complaints based on alleged lack of internal
controls over data security and privacy that have been filed
against companies like Google, Heartland Payment, ChoicePoint, TJX,
and Sony. We previously blogged about the Google derivative suit here.
The prevalence of these suits highlights the fact that insurance
is an important protection that should not be overlooked. What
follows are key Rules for the Road:
Derivative suits against directors and officers are typically
covered under a D&O policy. However, other relevant policies to
review may include cyberliability/data privacy, professional
liability (E&O) coverage, and fiduciary liability (FLI)
coverage (if the company's employee benefit plans allow
investment in the company's own securities).
Notice should be given timely to all primary and excess
insurers pursuant to the policy provisions.
D&O policies typically provide that the insureds must
defend the claim, subject to obtaining the insurer's consent to
the defense arrangements. Accordingly, it is important to obtain
the insurer's consent to proposed defense arrangements that
consent should not be unreasonably withheld.
Potential exclusions or other terms and conditions impacting
coverage should be analyzed. Some may apply, if at all, only to a
portion of a claim. Others may not apply to defense costs, and
others may not apply unless and until there is a "final
adjudication" of the subject matter of the exclusion. It is
important to carefully review the coverage defenses raised, and
push back on the carriers' coverage challenges.
If settlement is being considered, review the policies'
provisions regarding cooperation, association in the defense and
settlement of the case, and requirements to obtain the
insurer's consent to a settlement. Carefully review coverage
for all components of a settlement, including settlement amounts,
plaintiffs' attorneys' fees, interest, and defense
Review the policy's dispute-resolution provisions so that
in the event of a coverage challenge, the insureds understand
whether there is a policy requirement or option to mediate or
arbitrate. Consider the provisions in excess policies as well.
Though it is tempting to conclude that Target is being attacked
from all sides – including this most recent attack from a
shareholder – because of the size of the breach, these kinds
of responses from consumers, banks, regulatory agencies,
legislative bodies, and shareholders are becoming all too common in
the aftermath of many security breaches. It is an important
reminder of the need for strong data security, internal controls,
insurance protection, and compliance with all relevant processes
This article is presented for informational purposes only
and is not intended to constitute legal advice.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On December 28, 2016, the New York Department of Financial Services issued a revised version of proposed regulations regarding cybersecurity requirements that would apply to financial services firms that are licensed, . . .
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).