A wave of litigation followed the breach’s announcement, including the four shareholder derivative lawsuits consolidated in Davis. The shareholder plaintiffs alleged that Target’s directors and officers breached their fiduciary duties by: (1) not adequately overseeing the company’s information security program prior to the breach; and (2) not providing the company’s customers with prompt and accurate information about the breach.
Target’s board of directors responded to these and other shareholder complaints by forming a special litigation committee, or “SLC,” vested with the full authority to investigate the derivative claims, determine whether to pursue them on Target’s behalf, and respond to the litigation on behalf of the company. The SLC was comprised of two members, a former Chief Justice of the Minnesota Supreme Court and a tenured professor of the University of Minnesota Law School, neither of whom was a Target board member or had any material ties to the company. They, in turn, retained independent counsel, a forensic expert, and a corporate governance expert to assist in their investigation and evaluation of the derivative claims.
For 21 months, the SLC investigated and evaluated the derivative claims. Ultimately, the SLC produced a 91-page report of its investigation (which was filed in the litigation), concluded that Target’s best interests would not be served by pursuing the shareholder derivative claims, and moved for dismissal of the claims.
After reviewing the SLC’s report, the derivative plaintiffs chose not to challenge the independence, investigation, or conclusion of the SLC, and accepted dismissal of their claims. The court dismissed the case and directed Target to provide notice of the dismissal to its shareholders; Target provided this notice by Form 8-K on 25 July. Other shareholders have 30 days from this notice to raise any objections to the dismissal. Plaintiffs have retained the right to seek attorneys’ fees and will file a fee application by 26 August; Target has the right to oppose that application.
Because the plaintiffs gave up their fight, the Target court was not required to analyze whether the directors and officers fulfilled their fiduciary duties with respect to data security. Nonetheless, the facts identified and considered by the independent SLC in reaching its conclusion not to pursue the litigation may provide useful guidance to companies concerned about these types of claims.
In articulating the facts supporting its conclusion that pursuing the derivative lawsuits was not in Target’s best interest, the SLC’s report outlined the components of Target’s pre-breach data security and post-breach actions that it relied on.
Examining Target’s pre-breach data security, the SLC report discussed, among other things, the following:
- the existence of written policies and standards governing the company’s data security, including a data classification and handling standard, information protection standard, and incident response plan;
- the responsibility of board committees for the company’s data security;
- the company’s use of third parties to audit its data security, including an external auditor looking for deficiencies or material weaknesses in the company’s information technology general controls, a Qualified Security Assessor evaluating the company’s compliance with the Payment Card Industry Data Security Standard, and other third-party consultants to assess the company’s data security shortly before the breach;
- the emphasis that Target’s internal audit department placed on data security, identifying it as a significant enterprise risk of the company during the four years prior to the breach; and
- the increased and significant commitment of resources (both human and financial) to data security and data protection following a smaller breach in 2007.
Turning to Target’s post-breach response, the SLC report discussed the following actions, among others:
- technical enhancements Target made, including expanding the use of two-factor authentication, further compartmentalizing vendors’ access to Target’s systems, and implementing application whitelisting on point-of-sale systems;
- Target’s centralization of personnel responsible for data security under a Chief Information Security Officer, who reports to the CIO, and its installation of a new Corporate Risk and Compliance Officer; and
- Target’s post-breach efforts to mitigate the cost and inconvenience to its customers, including providing one year of free credit monitoring and identity-theft protection.
These facts, discussed and relied upon by the Target SLC, which appears to have been independent and whose independence was not challenged by the shareholder plaintiffs, provide insight into the factors a court (or a subsequent SLC) may consider in analyzing whether directors and officers complied with their fiduciary duties regarding data security. In addition, the guidance offered following the dismissal of the Wyndham breach litigation remains valuable.
The potential for litigation against directors and officers following data breaches remains a serious concern. However, with the dismissals of the Wyndham and now the Target shareholder litigation, boards of directors and management have examples of concrete actions they can take, both before and after a data breach, to demonstrate their diligence and good faith in addressing this growing area of risk. Such attention will benefit the companies they serve, and in the event of a major breach, will help protect the directors and officers from allegations that they did not do enough to prevent the breach or to investigate it.