Home Depot was recently hit with a books-and-records suit in the Delaware Court of Chancery, Frohman v. Home Depot, which seeks documents relating to the giant retailer’s data security breach last September. The plaintiff, a Home Depot shareholder, is requesting information concerning how the company first learned of the breach, any analysis of how the breach occurred, and what steps it took thereafter, among other topics. 

The suit was brought under Section 220 of the Delaware General Corporation Law, which permits shareholders to request corporate documents for a “proper purpose.” A proper purpose may include investigation of alleged wrongdoing by corporate officers and directors, if the allegations are adequately supported. The Delaware Court of Chancery has long encouraged shareholder plaintiffs to use Section 220 to investigate their claims before launching a derivative suit alleging breaches of fiduciary duty by the board or management, and increasingly plaintiffs’ attorneys have been following this advice.

Corporations that have been struck by data security breaches should anticipate that they may have to respond to such “books-and-records” suits seeking documents relating to the breach. Any corporate documents concerning the circumstances of a data security breach, subsequent investigations, and steps taken to prevent or remedy such breaches should be prepared with the awareness that these documents may well be requested in a subsequent shareholder suit. While it may be possible to limit access to these documents if they contain confidential commercial information or are protected by the attorney-client privilege and the attorney work product doctrine, the potential for disclosure should not be ignored.