After claimants filed shareholders’ data breach-related derivative suits against the boards of Target (here) and Wyndham Worldwide (here), a number of commentators (including me) asked whether we could see a wave of cybersecurity related D&O lawsuits. Interestingly, since these two lawsuits were filed more than a year ago, there have been no further lawsuits of this type filed, even though there have been a number of very high profile data breaches since that time – including, for instance, those involving Home Depot, Sony Pictures Entertainment, Anthem (not to mention the massive breach last week involving U.S. government personnel records).
The absence of new data breach-related D&O lawsuit filings for over a year and the October 2014 dismissal of the Wyndham lawsuit (here) made a number of observers (including me) wonder whether the anticipated wave of D&O litigation might not materialize after all. (Although there are a number of commentators have continued to suggest that we should just be patient, the lawsuits will arrive sooner or later).
Though there have not been any further liability lawsuits filed, there have been developments that suggest we might soon see a lawsuit arising out of the Home Depot data breach. As discussed in a June 15, 2015 Law 360 article (here, subscription required), a plaintiff shareholder has filed an action in Delaware Chancery Court seeking to review Home Depot’s books and records related to the massive data breach the company sustained last year. (I do not have a copy of the plaintiff’s books and records complaint; if any reader can provide me with a copy, I will add a link to the complaint to this post. UPDATE: Thanks to the helpful response of a loyal reader, the complaint can be found here. )
The plaintiff reportedly seeks to inspect the records to determine whether the company’s directors and officers breached their fiduciary duties by failing to adequately protect customer credit card information on its data systems despite the many high profile cybersecurity problems that other retailers had previously experienced. The plaintiff apparently sent the company a request under Section 220 of the Delaware Corporations Code in September 2014. Two months later, in response to the request, the company produced over 500 pages of documents, but in her recent complaint, the plaintiff complained that this production was incomplete and that many of the documents were redacted. The company and the plaintiff’s attorney apparently had been in negotiations to arrange for the plaintiff’s counsel to review the redacted documents but apparently frustrated by the process the plaintiff filed the recent Delaware Chancery Court action to compel inspection.
The Law 360 article includes a statement from a Home Depot representative with respect to the books and records action that “we look forward to resolving the matter.”
The parties may (or may not) be able to work out the issues surrounding the books and records inspection, but it seems likely that in any event, the sequence of events eventually will lead to the filing of a liability lawsuit against Home Depot and its executives. Among other things, the plaintiff alleges in her books and records suit that “There is a credible basis to believe that officers and directors of Home Depot were aware of the risks that the company faced from a cyberattack but in breach of their fiduciary duties the board has failed in its responsibilities to implement systems and internal controls to properly protect the company from this threat,” and that “[T]he allegations of lax cybersecurity at the company, the pending government investigations, together with numerous lawsuits claiming misconduct at Home Depot, provide a credible basis from which mismanagement at the company can be inferred.”
It is clearly not too much of a stretch to suggest that the books and records action is merely prefatory to a later liability lawsuit that will be filed eventually. To be sure, there is always the chance that the lawsuit may not materialize, but just as the battle does not always go to the strong nor the race to the swift, that’s the way you bet. I am not a betting man, but if I were I would be that sooner or later we will see a D&O lawsuit related to the Home Depot data breach. Either way it will be interesting to watch and see what happens because it could tell us something about whether the much anticipated data breach-related D&O litigation will arise.
For an earlier post discussing the possible reasons why we have not seen data breach securities class action litigation so far and whether or not we may see these kinds of securities suits in the future, refer here.