Home Depot Settles Data Breach Related Derivative Lawsuit
Posted on 1/8/2017
Between 2014 and 2015, several companies that experienced high-profile data breaches were served with cybersecurity-related D&O lawsuits. All of these lawsuits were dismissed, including the one against Home Depot. The plaintiffs in the Home Depot case filed an appeal of the dismissal. While the appeal was pending, the parties reached a settlement, which could have interesting implications for the plaintiffs’ bar’s ongoing efforts to pursue data breach related D&O litigation.
In September 2014, Home Depot announced that its retail payment systems had been compromised and then later announced that data hackers had gained access to 56 million customer credit card numbers, in what was one of the largest data breaches in U.S. history. The breach led to at least 44 consumer civil actions against Home Depot alleging that the company failed to implement reasonable measures to prevent or mitigate the effects of the data breach. There have also been several federal and state investigations.
In August 2015, shareholders filed multiple derivative complaints against Home Depot, as nominal defendant, and certain of its current and former directors and officers (the various actions were later consolidated). The plaintiffs alleged that the defendants breached their duty of loyalty because they failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach and because they disbanded the board committee that was supposed to have oversight of those risks. The plaintiffs also alleged that the defendants wasted corporate assets and that they violated Section 14(a) of the Securities Exchange Act in their 2014 and 2015 proxy filings.
The defendants filed a motion to dismiss the plaintiffs’ complaint on the grounds that the plaintiffs failed to make the required pre-suit demand on Home Depot’s board that the company take up the lawsuit. The plaintiffs opposed the motion, arguing that the demand was excused because it would have been futile.
In the November 30, 2016 opinion, Northern District of Georgia Judge Tom Thrash, applying Delaware law, ruled that the plaintiffs had failed to show that the demand was futile and granted the defendants’ motion to dismiss based on the plaintiffs’ failure to fulfill the demand requirement. Among other things, Judge Thrash said that the standard to show that the demand was futile represented “an incredibly high hurdle” for the plaintiffs to overcome. The plaintiffs filed a notice of appeal.
On April 28, 2017, the plaintiffs in the Home Depot case filed an unopposed motion for preliminary approval of a settlement of the derivative lawsuit. According to the motion, the parties reached a settlement of the case, pursuant to which Home Depot agreed to adopt certain cybersecurity-related corporate governance reforms. The settlement agreement also provides for Home Depot to pay up to $1.125 million of the plaintiffs’ attorneys’ fees.
The corporate governance reforms include documenting the responsibilities of the company’s chief information security officer; maintaining a data security executive committee; and requiring regular reports on the retailer’s information technology and cybersecurity budget.
Prior to this settlement, plaintiffs’ track record in these kinds of data breach-related derivative lawsuits had been poor. The dismissal of the Home Depot case followed shortly after dismissals in the data breach-related derivative lawsuits involving Wyndham Worldwide and Target.
Notwithstanding this poor track record, we suggested that it would be premature to conclude that we do not need to be concerned about cybersecurity-related D&O litigation. And indeed, within a few days of Judge Thrash’s dismissal of this case, plaintiffs filed yet another data-breach related derivative lawsuit against Wendy’s. In addition, earlier this year, investors filed a data breach related securities class action lawsuit against Yahoo, and shortly after that, investors also filed a data breach-related derivative lawsuit arising from the Yahoo breach.
These latest lawsuits show that despite the setbacks in the earlier-filed lawsuits, including the lawsuit involving Home Depot, plaintiffs’ lawyers are continuing to pursue this type of litigation. The plaintiffs’ bar’s creativity and entrepreneurial nature should not be discounted, as its members have significant incentives to try to find a way to capitalize on the chronic cybersecurity risks and exposures that companies face. The plaintiffs’ lawyers will continue to experiment, and for that reason alone, we are going to see further cybersecurity-related D&O lawsuits.
The recent settlement in the Home Depot case may further encourage these kinds of efforts. The fact that the plaintiffs’ lawyers in the Home Depot case were able to secure a settlement that included the payment of their attorneys’ fees, notwithstanding the fact that the case had been dismissed and an appeal was pending, suggests that plaintiffs’ lawyers may yet find (or even may have found) a way to profit from filing these kinds of cases. The post-dismissal settlement of the Home Depot case, which included payment of plaintiffs’ attorneys’ fees, could hearten and reassure securities plaintiffs’ lawyers as they scuffle to try to establish a way to profit from data breach-related litigation.
About RT ProExec
RT ProExec is the Professional & Executive Liability Division of R-T Specialty, LLC. R-T Specialty, LLC is an independent wholesale insurance brokerage firm that provides Property, Casualty, Transportation and Professional & Executive Liability insurance solutions to retail brokers across the country. Our proven leadership, deep talent pool, and commitment to coverage and service have made us the largest wholesaler in the Professional & Executive Liability insurance marketplace.
About the Author
This article was prepared by Kevin M. LaCroix, Esq. of RT ProExec. Kevin has been advising clients concerning directors’ and officers’ liability issues for nearly 30 years. Prior to joining RT ProExec, Kevin was President of Genesis Professional Liability Managers, a D&O liability insurance underwriter. Kevin previously was a partner in the Washington, D.C. law firm of Ross Dixon & Bell.