On November 30, 2016, a Georgia federal judge dismissed a 2015 derivative lawsuit filed by two Home Depot shareholders against current and former Home Depot board members related to the company’s 2014 data breach.
The lawsuit alleged that the board members breached their duty of loyalty to the company by failing to institute necessary controls to guard against a data breach or to take immediate steps to address the breach once it occurred.
In dismissing the lawsuit, the court noted that the shareholders failed to make a pre-suit demand upon Home Depot’s board to take desired action and failed to demonstrate that such a demand would have been futile. The court held that as long as the board took reasonable steps to address the breach, its actions did not violate its duty of loyalty.
Further, the court rejected the shareholders’ argument that the board wasted corporate assets by moving too slowly in addressing the breach. Specifically, the court stated that “the board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one,” but that the action was nevertheless protected by the business judgment rule.
The court also rejected the shareholders’ argument that the board violated the Securities Exchange Act, because the claim was subject to a heightened pleading standard under the Private Litigation Reform Act, which the shareholders failed to satisfy. Specifically, the judge held that the shareholders could not sufficiently plead claims that the board’s failure to disclose its knowledge of specific threats to data security in 2014 and 2015 proxy statements violated the law.