Public companies that are proactively working to mitigate “cyber” risks and prepare to respond to potential incidents frequently ask whether a “breach” will lead to litigation, loss of customers, stock price decline, and shareholder actions. Many factors influence what adverse consequences follow disclosure of a breach. Of the hundreds of incidents that have been disclosed over the past few years by public companies, fewer than five were followed by a shareholder derivative action. To date, all derivative actions brought after an incident have been unsuccessful. That trend continued with the November 30, 2016 ruling by a federal court dismissing a derivative action against Home Depot and its directors following a payment card security incident Home Depot disclosed in 2014 that may have affected 56 million payment cards.
Background to the Suit. Home Depot’s 2012 Proxy Statement stated the Audit Committee would take over responsibility for information technology and digital security oversight. However, the Audit Committee’s charter was not amended to reflect this change in responsibility. Also, multiple times prior to the breach, Home Depot’s Chief Information Officer notified the Audit Committee and the Board that Home Depot was not compliant with the Payment Card Industry Data Security Standard (“PCI DSS”), and would likely continue to be out of compliance until February 2015.
The Derivative Suit. In August 2015, the plaintiff shareholders filed a derivative action alleging that Home Depot and the other Board defendants breached their duty of loyalty to the corporation. The plaintiffs alleged the Board failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach and breached its duty by disbanding the committee previously responsible for IT and digital security. The defendants moved to dismiss the claims. The Court stated that, to excuse demand in their derivative action, the plaintiffs needed to overcome the high burden of showing “with particularized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act.”
Audit Committee Charter Amendment Claim. The plaintiffs alleged the Board consciously failed to act in the face of a known duty to act by disbanding the Infrastructure Committee and thereafter failing to amend the Audit Committee’s charter to reflect its new oversight responsibilities. The plaintiffs alleged that no one was designated with responsibility to oversee data security. The Court rejected this argument and said that “whether or not the Audit Committee had technical authority, both the Committee and the Board believed it did.” The Court also noted that the Audit Committee received regular reports from management on the state of Home Depot’s security, and that the Board received briefings from both management and the Audit Committee.
Inadequate Plan Post-Breach Claim. The plaintiffs also argued the Board breached the duty of loyalty by failing to ensure a plan was in place to immediately remedy Home Depot’s data security deficiency. The Court stated that under Delaware law, directors violate their duty of loyalty only if they knowingly and completely fail to undertake their responsibilities. Here, the Court found that because the Board acted before the breach occurred and planned to fix many of the security weaknesses by February 2015, the plaintiffs failed to show beyond a reasonable doubt that the majority of the Board faced substantial liability. The plaintiffs’ claim that the Board did not act quickly enough was therefore not enough to clear the high hurdle for excusing demand in a derivative action.
Conclusion. Although the Board of Directors was aware of Home Depot’s challenges with deploying encryption and PCI DSS noncompliance, the Court ultimately found there was no conscious disregard of a duty to act.