It has been an open question as to whether derivative claims brought by shareholders against officers and directors of a breached corporation would gain a foothold in the litigation environment. With the recent dismissal of such a claim in the Target case, it appears that these types of actions still face significant hurdles.
The ruling issued on July 7, 2016 by U.S. District Judge Paul A. Magnuson in St. Paul, Minnesota granted the motion brought forward by the Special Litigation Committee (“SLC”) of the Board of Directors of Target Corporation and the other defendants to dismiss the consolidated derivative claims that had been filed against Target’s directors and officers. The ruling noted that the plaintiffs did not oppose the motion to dismiss, except to retain the right to seek legal fees and expenses.
Target was sued in early 2014 by several shareholders following a massive 2013 data breach. Four of those claims were ultimately consolidated into the claim that was dismissed while another claim was stayed pending this result. The plaintiffs claimed that Target’s directors and officers failed to properly provide for and oversee an information security program and to give customers prompt and accurate information in disclosing the breach.
Target’s board established the SLC in June of 2014 and eventually expanded the SLC’s mandate to include all derivative lawsuits. Minnesota courts defer to a corporation’s SLC decision to dismiss a derivative action if the SLC demonstrates that it (i) possessed a disinterested independence and (ii) conducted a good faith investigation into the derivative allegations.
The SLC produced its report in March of 2016. The report described the SLC members, both of whom were disinterested and independent parties and neither of whom had ever served on Target’s Board of Directors, been employed by Target, or otherwise represented the company. It also set out the SLC’s investigative methodology and the factors it considered in making its determinations. The SLC concluded that “it would not be in Target’s best interests to pursue claims against the officers or directors identified in the Demand and derivative complaints, including those named in this action.”
This is another data breach derivative case to have been dismissed. In 2014, a New Jersey federal judge dismissed a derivative action against the directors and officers of the Wyndham Worldwide Corp. The claims made against Wyndham in that case were similar to the claims made against Target, and, like Target’s board, the Wyndham board rejected the shareholder demands. The court in that case concluded that the plaintiff had failed to show proof that the Wyndham board’s refusal to investigate and remedy the hotel chain’s security protocols was a sign of bad faith.
While this case was dismissed, class actions by injured consumers, financial institutions and payment card networks are likely to follow a data breach. Boards need to continue to be vigilant on cyber security risk management, establishing processes and procedures to bolster the security of their systems and to respond to an attack. Insurance continues to be a topic of discussion, especially given the increasing costs of a breach. Target has reportedly incurred $291 million of cumulative data breach related expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million.