In the wake of its massive data breach, Target now faces a shareholder derivative lawsuit, filed January 29, 2014. The suit alleges that Target’s board members and directors breached their fiduciary duties to the company by ignoring warning signs that such a breach could occur, and misleading affected consumers about the scope of the breach after it occurred. Target already faces dozens of consumer class actions filed by those affected by the breach, putative class actions filed by banks, federal and state law enforcement investigations, and congressional inquiries.

This derivative action alleges that Target’s board members and directors failed to comply with internal processes related to data security and “participated in the maintenance of inadequate cyber-security controls.” In addition, the suit alleges that Target was likely not in compliance with the Payment Card Industry’s (PCI) Data Security Standards for handling payment card information. The complaint goes on to allege that Target is damaged by having to expend significant resources to: investigate the breach, notify affected customers, provide credit monitoring to affected customers, cooperate with federal and state law enforcement agency investigations, and defend the multitude of class actions. The derivative action also alleges that Target has suffered significant reputational damage that has directly impacted the retailer’s revenue.

Target announced the breach December 18, 2013, stating that 40 million credit and debit card accounts may have been affected, and notified its customers via email shortly thereafter. Though PINs were initially not thought to have been part of the breach, on December 27, Target announced that encrypted PINs had also been accessed. In January, the retailer began offering credit monitoring to affected individuals. On January 10, 2014, Target announced that it had uncovered a related breach of customer information – name, address, phone number, and/or email address – for up to 70 million customers. Following that announcement, many news outlets reported that the total number of affected individuals is 110 million.

This lawsuit is part of a growing trend of derivative and securities fraud complaints based on alleged lack of internal controls over data security and privacy that have been filed against companies like Google, Heartland Payment, ChoicePoint, TJX, and Sony. We previously blogged about the Google derivative suit here.

The prevalence of these suits highlights the fact that insurance is an important protection that should not be overlooked. What follows are key Rules for the Road:

  • Derivative suits against directors and officers are typically covered under a D&O policy. However, other relevant policies to review may include cyberliability/data privacy, professional liability (E&O) coverage, and fiduciary liability (FLI) coverage (if the company’s employee benefit plans allow investment in the company’s own securities).
  • Notice should be given timely to all primary and excess insurers pursuant to the policy provisions.
  • D&O policies typically provide that the insureds must defend the claim, subject to obtaining the insurer’s consent to the defense arrangements. Accordingly, it is important to obtain the insurer’s consent to proposed defense arrangements; that consent should not be unreasonably withheld.
  • Potential exclusions or other terms and conditions impacting coverage should be analyzed. Some may apply, if at all, only to a portion of a claim. Others may not apply to defense costs, and others may not apply unless and until there is a “final adjudication” of the subject matter of the exclusion. It is important to carefully review the coverage defenses raised, and push back on the carriers’ coverage challenges.
  • If settlement is being considered, review the policies’ provisions regarding cooperation, association in the defense and settlement of the case, and requirements to obtain the insurer’s consent to a settlement. Carefully review coverage for all components of a settlement, including settlement amounts, plaintiffs’ attorneys’ fees, interest, and defense costs.
  • Review the policy’s dispute-resolution provisions so that in the event of a coverage challenge, the insureds understand whether there is a policy requirement or option to mediate or arbitrate. Consider the provisions in excess policies as well.

Though it is tempting to conclude that Target is being attacked from all sides – including this most recent attack from a shareholder – because of the size of the breach, these kinds of responses from consumers, banks, regulatory agencies, legislative bodies, and shareholders are becoming all too common in the aftermath of many security breaches. It is an important reminder of the need for strong data security, internal controls, insurance protection, and compliance with all relevant processes and procedures.