In late 2013, the US retail giant Target was the victim of a damaging cyber-attack that affected approximately 110 million of its customers and resulted in an estimated 40 million of its customers’ credit card details and personal information being stolen by cyber hackers.

Following the data breach, a number of shareholders sued the directors and officers of Target (Target’s D&O) in proceedings that are still ongoing in the US. The specific contentions of the shareholders as to what Target’s D&O should have known and could have done to prevent the cyber-attack are instructive to directors and officers worldwide looking to manage their potential liability following a cyber-attack.

The background

Target was said to have been first hacked between 2005 and 2007. At some point prior to or following the first attack, Target’s Board and senior officers became aware that the point-of-sale (POS) machines were vulnerable to a cyber-attack. Despite possessing this knowledge, a decision was made by Target’s Board to refrain from updating the POS systems throughout its US stores. At the same time a 2007 data security expert, Dr Neal Krawetz, produced in 2007 a publically released white paper that estimated that a POS hack against Target would expose the credit card and personal information of around 58 million customers. Notwithstanding this report, no action was taken by Target’s D&O to secure the POS systems. In addition, the shareholders allege that following the first attack, Target failed to develop effective data security controls, policies or procedures.

It is within the context of the 2013 data breach arising from a cyber-attack on Target’s POS systems that the shareholder derivative lawsuits were brought against Target’s D&O.

The shareholder allegations

The shareholders allege that Target’s D&O knew or ought to have known that a cyber-attack would cause substantial financial and reputational damage to the company and that they failed to take actions that would have prevented the cyber-attack. It is also alleged that they failed to act reasonably once the attack occurred.

The shareholders argue that directors and officers owe a fiduciary obligation of trust, loyalty, good faith and due care to the company and its shareholders. To discharge this duty, it is alleged that Target’s D&O were required to exercise reasonable and prudent supervision over management, policies, practices and controls of the financial affairs of the company in carrying out their employment responsibilities. In the cyber sphere, it is argued that the directors and officers were expected to:

  • Devise and implement a system of internal controls to ensure that customers’ personal and financial information is protected.
  • Monitor and oversee the said system of internal control.
  • Ensure that customers were informed in a timely manner of any data breach relating to their personal or financial information.
  • Establish effective corporate governance and reporting structures to oversee data security risk management.
  • Operate in an efficient manner in compliance with all laws to ensure the provision of the highest quality performance of the business and avoid wasting the company’s assets to maximise the value of the company’s stock.
  • Keep up-to-date about the company’s operations and make reasonable inquiries in connection with the operations to ensure that steps were taken to correct any imprudent or unsounds conditions or practices.

The shareholders contend that as a result of failing to discharge the aforementioned duties Target’s D&O are liable for breaching their fiduciary duties, wasting corporate assets, gross mismanagement and abuse of their position.

Damages and remedy

The shareholders’ lawsuit seeks that Target make improvements to its corporate governance structures, including the protection of the financial and personal information of its customers.

In respect of monetary damages, the shareholders seek to recover for the following losses:

  • Lost revenue and profits resulting from diminished consumer confidence in the company’s security systems.
  • Various investigations following the cyber-attack, including legal, investigative and consulting expenses.
  • Increased cost of capital due to credit rating downgrade.
  • Defending any litigation and payment of any settlement in class actions brought by financial institutions.
  • Defending and paying any settlement or judgment in class actions brought by Target consumers.

At present, the shareholder derivative proceedings are stayed while a special litigation committee appointed by Target’s Board investigates the cyber-attack and prepares a report for the court.

The lessons

A cyber breach has the potential to cause a company significant first and third party loss – ranging from business interruption, investigation and notification costs as well as third party and shareholder actions.

To mitigate against the risk of a cyber-attack, directors and officers must act prudently by ensuring that the company has appropriate cyber security to protect the privacy of its own and its customers’ financial and personal information. This includes appropriate systems for identifying a data breach and providing timely and adequate information to customers and any relevant regulatory authority. Frequent testing of the company’s cyber-systems should be carried out as is reasonably expected in the circumstances. When problems are identified they should be rectified in a timeous manner.

A further important part of the risk management process is ensuring that directors and officers have adequate insurance to cover against potential claims. Despite the increased sophistication, damage and number of data breaches occurring globally, a PwC (UK) Report found that in 2014 only 39% of large organisations and 27% of small businesses were sufficiently insured to cover the types of data breaches occurring regularly. Directors and Officers should ensure that they understand cyber-risk and are adequately insured in the event of a cyber-attack against their company. Cyber is no longer a matter exclusively in the domain of the IT department. It is a board room issue.