Officers and directors may breathe a temporary sigh of relief following the recent dismissal of the Home Depot data breach derivative case. Others will look to the facts for guidance.
The complaint, which alleged that the board had breached its fiduciary duties by “knowingly and in conscious disregard” failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information, was dismissed with prejudice. The November 30, 2016 ruling by the Northern District of Georgia acknowledged that this was an “incredibly high hurdle” to surmount, signalling for at least the second time that D&O claims in derivative actions face an uphill pleading climb.
Data breaches have become an increasing worry for boards of directors, as the incidents can seriously damage the value of the company, and officers and directors are frequently concerned with personal liability arising out of their board service. Plaintiffs attempting to make claims stick have begun targeting individual board members as well as the companies themselves.
A shareholder derivative action is a lawsuit brought by a corporation’s shareholders, ostensibly on behalf of the corporation, and often against the corporation’s directors and officers. In October 2014, another district court dismissed the derivative suit brought against Wyndham Worldwide Corporation in the wake of its data security incident, finding that the board had reasonably exercised its business judgment and noting that the board discussed the matter with management during numerous board meetings.
The Home Depot Shareholder Derivative Litigation decision is the latest welcome news for boards, which are increasingly focused on enterprise risks relating to cybersecurity. Some experts have even begun to call for the presence of technology and cybersecurity expertise on boards, similar to what companies heard about audit and finance expertise nearly a decade ago. While nothing is yet certain in this developing area of law, companies and their boards will continue to be proactive in carrying out their responsibilities. Since many security pros believe that not all data breaches can be avoided, asking questions and discussing these areas regularly, seeking training, engaging experts, and other evidence of direct engagement are increasingly important in protecting officers and directors.