I have frequently noted that among the many exposures a company experiencing a data breach could encounter is the possibility of a shareholder suit alleging that the company’s board breached their fiduciary duties by failing to take sufficient steps to protect the company from a breach and its consequences. This possibility has now been realized in connection with the recent massive data breach at Target — shareholder plaintiffs have now filed at least two shareholder derivative suits against the company’s directors and officers, as well as against the company itself as nominal defendant.
Both of the lawsuits were filed in the United States District Court for the District of Minnesota. The first of the two complaints, which can be found here, was filed on January 21, 2014. The second, which can be found here, was filed on January 29, 2014. The first complaint alleges claims for breach of fiduciary duty and waste of corporate assets. The second complaint alleges breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control.
Though the second complaint asserts additional claims not raised in the first complaint, the two filings generally are similar. Basically, the two complaints alleged that the defendants were aware of how important the security of private customer information is to customers and to the company, as well the risks to the company that that a data breach could present. The complaints allege that the company “failed to take reasonable steps to maintain its customers’ personal and financial information,” and specifically with respect to the possibility of a data breach that the defendants failed “to implement any internal controls at Target designed to detect and prevent such a data breach.”
Both complaints emphasize not only the failure to take steps to prevent a breach, but also allege that the defendants “aggravated the damage to customers by failing to provide prompt and adequate notice to customers and by releasing numerous statements meant to create a false sense of security to affected customers.”
The complaints allege that the failure to prevent the breach and then to timely report accurate information about it have “severely damaged the company,” noting that the company is currently under investigation by the United States Secret Service and the Department of Justice, and has been hit with numerous consumer class action lawsuits. Both of the derivative suit complaints allege that the class action lawsuits threaten the possibility of hundreds of millions of dollars of damages to the company. The complaints seek monetary damages and injunctive relief “by way of significant corporate and managerial reforms to prevent future harm to the Company by disloyal directors and officers.”
Given the magnitude of the Target breach and the amount of publicity it has garnered, it may not be all that surprising that these complaints have been filed. Nor are these the first D&O lawsuits filed against directors and officers of a company that experienced a significant data breach; several D&O lawsuits were filed against Heartland Financial’s directors and officer after that company experienced a significant breach of credit card information. And it remains to be seen whether or not these lawsuits (and others that may be filed against Target officials relating to the breach) will prove to be successful; the defendants will have a number of defenses, including among other things the fact that the plaintiffs filed their suits without first bringing a demand to the board for the board itself to pursue the claims on the company’s behalf.
Just the same, these lawsuits are significant if for no other reason than that they show how a data breach can lead directly to a D&O claim. For some time now, the public discussion of about privacy and network security have included the message that these concerns are board level issues. As the Target D&O lawsuits show, among the consequences that can follow from a significant data breach is an attempt by the company’s shareholders to hold the company’s senior officials liable for the harm that the data breach caused the company.
These lawsuits are not the first D&O lawsuit based on a cyber security breach, but they surely will not be the last. Indeed, the terrible problems that Target has experienced following its breach clearly represent an important message to other companies about the disruptive effect a serious data breach can have, and highlight the importance for other companies’ executives to take steps to protect against a similar development at their companies. Shareholders at companies experiencing future data breaches may allege that “even after the massive problems at Target” the company’s executives failed to take steps to protect the company or failed to have a plan in place for the company to deal with the situation if the company did experience a breach.
It is particularly interesting that both complaints emphasize (and seek to have liability based upon) the company’s reactions to and public disclosures following the breach. These allegations highlight the fact that shareholders may seek to hold company officials responsible for the failure to prevent the breach but also for the way that the company conducts itself as it responds to the breach.
Special thanks to Rick Bortnick of the CyberInquirer blog for sending me a copy of the complaint in the first filed derivative lawsuit. Speaking of Rick Bortnick, you can find his thougthts, along with those of Ann Longmore of Willis and Jonathan Fairtlough of Kroll, on the topic of “D&O Liability in Data Privacy and Cyber Security Situation in the US” from the January 2014 issue of Financier Worldwide, here.
California AG Law Suit for Late Data Breach Notification: As if the threat of shareholder litigation were not enough to worry about, there are other litigation concerns for companies experiencing data breaches to worry about as well. As discussed in a January 30, 2014 post on the Information Law Group blog (here), the California Attorney General’s office has filed a complaint against Kaiser Foundation Health Plan Inc. for the company’s alleged delay in providing notifications required under California law notification to affected persons following the company’s September 2011 loss of a hard drive containing sensitive personal information. It appears that the company delayed notification until it had completed its forensic investigation some months after the loss.
Among other things, the California AG’s recent suit shows that data security issues and requirements are becoming an increasingly important priority for regulators, as well as for shareholders. In addition, the lawsuit underscores the fact that the way that the company responds to a data breach can itself be a source of litigation exposure.
1. Way to go, Denver. Now everyone knows what it would look like if the Cleveland Browns were ever to play in a Super Bowl. That is, a team in an orange uniform would fail to execute, turn the ball over (repeatedly), miss tackles (repeatedly), and give up big plays on special teams. Take nothing away from the Seahawks, they played great and absolutely deserved to win big. But Denver kicked their own butt. Peyton Manning picked an odd time to start channelling his inner Brandon Weeden.
2. Lousy game, lousy commercials. The only commercial that succeeded universally in our group was the Cheerios ad where the little girl negotiated for a puppy. The women in our group all liked the ad with the puppy and the Clydesdale. Every single person who had anything to do with the Stephen Colbert/pistacho ad should be fired, as should anyone that thought the Bud Lite/Arnold Schwarzenegger ad was a good idea. There were way too many truly awful ads. Who even knows what the ridiculous ad with the cross between the doberman the chihuahua was trying to sell? And can I just say, the exploitation of the American flag and of our need to stand by our vets in order to sell beer and cars makes me very uncomfortable.
3. Halftime conversation: “Who is Bruno Mars?” (Still unsure.)
4. What do you think Pete Seeger would think of Bob Dylan hawking Chryslers?