In early 2014, when plaintiffs initiated data breach-related derivative lawsuits against the boards of Target Corp. (here) and Wyndham Worldwide (here), there was some speculation that these cases might be the first of what could become a wave of data-breach related D&O lawsuits. But then the Wyndham Worldwide case was dismissed (refer here) and no new data breach-related D&O lawsuits followed, even though there were several high profile data breaches after that time (including Sony Entertainment, Anthem and Home Depot). Although many predicted that more D&O lawsuits were to come, the suits themselves did not materialize. There were, however, some suggestions that a lawsuit against Home Depot might eventually arrive, as a plaintiff initiated a books and records action in Delaware Chancery Court against the company.
The wondering and waiting about whether or not there will be a Home Depot data breach-related D&O lawsuit is now over. A Home Depot data breach-related shareholder’s derivative lawsuit has been filed in the Northern District of Georgia. On September 2, 2015, a plaintiff shareholder filed a redacted complaint in a lawsuit against Home Depot, as nominal defendant, and twelve Home Depot directors and officers, alleging that the defendants breached “their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information.” The redacted version of the plaintiff’s complaint can be found here. (Please see below for further explanation about the timing of the filing of the plaintiff’s lawsuit and the redactions to the complaint.)
In September 2014, Home Depot announced that its retail payment systems had been compromised and then later announced that data hackers had gained access to 56 million customer credit card numbers, in what is one of the largest data breaches in U.S. history. The breach led to as many as 44 consumer civil actions against Home Depot in which it is alleged that Home Depot failed to implement reasonable measures to prevent or mitigate the effects of the data breach. There have also been several state and federal investigations as well.
The complaint alleges that company officials aware that because the company’s systems were “desperately out of date” the company was vulnerable to a data breach. The complaint alleges that the defendants were “complacent” leaving in place “vulnerabilities that not only allowed hackers to enter thee system undetected but permitted them to continue siphoning customer cardholder and personal data for almost five months without detection.” The complaint alleges further that the protective measure the company allegedly failed to put into place were in fact required by the credit card industry. The complaint also alleges that the company failed to implement and maintain an adequate fire wall.
The complaint further alleges that the individual defendants failed to ensure that the company effectively monitored its systems to detect and prevent unauthorized access to customer data. The complaint also alleges that there were also several high profile data breaches at other major retailers (Target, Neiman Marcus) which, the plaintiff alleges, should have alerted Home Depot to a heightened risk of a cybersecurity attack. The complaint alleges that:
The Individual Defendants’ abject failure to fulfill their fiduciary duties to oversee and manage risks at Home Depot related to data security was well evidenced, not only by the ease with which hackers were able to penetrate Home Depot’s systems and install malicious code, which enabled them to steal the personal and financial data of millions of Home Depot customers, but also by the length of time that the Breach was allowed to continue undetected.
The complaint alleges that the company has incurred and will continue to incur substantial costs, including not only the investigation of the breach and the remedial measure that company was immediately required to take, but also the costs related to the regulatory investigations and the consumer class action lawsuits.
The complaint asserts substantive counts against each of the individual defendants for breach of fiduciary duty and for waste of corporate assets. The complaint seeks to recover damages in favor of the company for all of the costs the company has incurred as result of the alleged breaches, as well as corporate governance reforms to protect against a repeat of a data security breach. The complaint also seeks restitution of compensation and benefits the individual defendants received.
It is worth noting that the publicly available complaint is heavily redacted. From the unredacted text, it appears that the masked portions relate to specific aspects of the companies alleged systems vulnerabilities. From the court’s docket, it appears that the original, unredacted complaint was filed on August 25, 2015, together with a motion to seal the complaint. The court granted to motion to seal and ordered the plaintiff to file a redacted complaint within seven days. The redacted complaint was filed and entered on the court docket on September 2, 2015 and made available publicly on September 4, 2015.
There are many interesting things about this lawsuit, and there undoubtedly will be many articles forthcoming that delve into the details of the plaintiff’s allegations and from them derive lessons for boards and managers of other companies. One particularly interesting aspect of the complaint is the allegation that the plaintiff makes based on the prior data breaches at Target and Neiman Marcus. The plaintiff is in effect contending that those prior breaches provided fair warning that Home Depot could expect much of the same. The suggestion is that as more organizations are hit with data breaches, the expectation on boards and company management to act will rise, and the alleged failure to act in response to the drum beat of revelations about data breaches will itself be the basis of claims against company officials.
While there definitely was a lag between the time the Target and Wyndham D&O lawsuits were filed and when this lawsuit was filed, the ultimate filing of this lawsuit seems to support the view that there will be further data breach-related D&O lawsuits. Given that the data breaches themselves are almost certainly to continue, the probabilities are that data breach-related D&O litigation will become an increasingly important part of the corporate and securities litigation landscape.
As I noted in a recent post (here), the possible D&O litigation likely to arise from data breach activity includes not only the kind of lawsuit described above, but also lawsuits filed against not the company that suffered the breach, but companies responsible for providing security against a breach.
Special thanks to several loyal readers who sent me copies of the redacted Home Depot complaint.