For some time now, many commentators, including me, have been predicting that cybersecurity-related litigation could become an important part of the D&O litigation environment. And that may yet happen. For now, however, the results in the recent cybersecurity-related cases have been, from the plaintiffs’ perspective, not particularly promising. On July 7, 2016, in the latest of these cases to hit the skids, District of Minnesota Judge Paul Magnuson, in reliance on the report of the special litigation committee appointed to investigate the claims and in the absence of opposition from the plaintiff, granted the motions of the special litigation committee and of the defendants and dismissed the consolidated cybersecurity-related derivative litigation that had been filed against Target Corporation’s board. As discussed below, the plaintiffs’ track record in this type of litigation has been poor, which does raise the question whether this type of litigation will become a significant phenomenon. A copy of Judge Magnuson’s order in the Target Corp. case can be found here.
In late 2013, Target Corporation was hit with a massive data breach that resulted in the theft of credit card and other information affecting as many as 70 million customers. The data breach also resulted in extensive negative publicity about the company, as discussed here. In February 2014, Target shareholders filed the first of several derivative lawsuits against Target’s board, alleging that the company’s board breached their fiduciary duties by failing to take sufficient steps to protect the company from a breach and its consequences. The various lawsuits were later consolidated.
Among other things, the complaints alleged that the company “failed to take reasonable steps to maintain its customers’ personal and financial information,” and specifically with respect to the possibility of a data breach that the defendants failed “to implement any internal controls at Target designed to detect and prevent such a data breach.”
In response to the complaints (and a related derivative demand), Target’s Board of Directors, as provided in Minnesota law, formed a Special Litigation Committee (SLC), composed of former Minnesota Supreme Court Chief Justice Kathleen Blatz and University of Minnesota Law Professor John Matheson. Neither Blatz nor Matheson were Target board members, and they did not have any prior material connection with the company or its officials.
Over a period of 21 months, the SLC investigated and evaluated the claims asserted in the derivative complaints. During that time, with the assistance of independent counsel, the SLC reviewed extensive document databases, reviewed thousands of documents, interviewed 68 witnesses, and consulted with independent experts that it had hired. The SLC then weighed the various factors to asses whether it would be in Target’s best interest to pursue the claims against the company’s directors and officers.
On March 21, 2016, the SLC released its 91-page report, in which the SLC stated its conclusion that “it is not in Target’s best interests to pursue such claims.” The SLC notified the shareholder plaintiffs that Target would not pursue an action against the company’s directors and officers. The SLC also separately filed a motion to dismiss the consolidated shareholder litigation. A copy of the SLC’s report can be found here and the SLC’s motion to dismiss can be found here. (Special thanks to Doug Greene of the Lane Powell firm and of The D&O Discourse blog for sending me a copies of these documents). The defendants also filed motions to dismiss.
In its report and related motion papers, the SLC noted that under Minnesota law, courts do not second-guess a special litigation committee’s conclusions. Rather the court’s role is limited to determining whether the SLC’s members are disinterested and independent and whether the SLC’s methodology indicated that its decision was the product of a good faith investigation. The shareholder plaintiffs, faced with the formidable committee’s formidable report, chose not to challenge the committee.
On July 7, Judge Magnuson entered his order granting the motions to dismiss. In his short 2-page order, he noted that the plaintiff shareholders had stipulated that they do not oppose the motions to dismiss, except to retain the right to move the court for legal fees and expenses. (Target retained the right to oppose the motion). If no shareholder moves to intervene in the next 30 days, the consolidated litigation will be dismissed with prejudice.
The Target Corp. derivative lawsuit dismissal is the latest in a string of dismissals of cybersecurity-related derivative lawsuits. As readers will undoubtedly recall, the Wyndham Worldwide cybersecurity-related derivative lawsuit was dismissed in October 2014, as discussed here. Before that, the derivative lawsuit that was filed against the board of Heartland Payment Systems, which arguably still stands as the largest data breach by volume, was also dismissed.
This track record has not been lost on prospective claimants and their attorneys. Though there have been numerous high profile data breaches in the interim (Anthem, Sony Entertainment , etc.), there really has only been one significant cybersecurity derivative lawsuit filed since the Target Corp. lawsuits were filed in early 2014; the exception is the derivative suit filed against Home Depot in September 2015 (about which refer here). There has not exactly been a flood of this kind of litigation, and based on the results so far, the relative dearth of litigation seems understandable.
There are a couple of things to keep in mind before anyone rushes to the conclusion that we can stop worrying about the possibility of this type of litigation. The first is that derivative lawsuits generally are tough cases to pursue, owing to the numerous procedural hurdles involved with this type of litigation. As the Target case shows, it is hard for derivative plaintiffs simply to establish their right to proceed with their claims. The other thing is that the processes of the Wyndham board and the internal processes of Target Corp. each withstood scrutiny; in each case, the record allowed the companies to argue the derivative lawsuit should not be permitted to proceed. Even in a world where cybersecurity has become a watchword, not every company will fare as well under scrutiny. Even if these early cases have been dismissed, their undoubtedly will be future cases involving lax processes or inattentive or conflicted boards, where it will be harder for the defendants to oppose a plaintiff shareholder’s right to proceed with a cybersecurity-related derivative claim.
Some readers will undoubtedly ask why the plaintiffs’ lawyers are pursing derivative claims rather than direct claims, such as might be asserted in a securities class action lawsuit. The plaintiffs’ lawyers likely would file these lawsuits if they could, but as data breaches have become a more frequent occurrence, the share prices of the companies hit with the breaches are hardly budging. The plaintiff shareholders would have a difficult time establishing loss causation – or, even more simply, loss. And it should not be forgotten that Heartland Payments Systems also was hit with a securities class action lawsuit — and that lawsuit also ended in a dismissal. So the track record for cybersecurity-related securities class action lawsuits is not all that great either, at least so far.
And so, as I said at the outset, cybersecurity-related D&O litigation has not been all that great for the plaintiffs, so far. However, I think it is far too early to declare that this type of litigation is off the table. There undoubtedly will be a case somewhere down the line where the facts do not support an early dismissal. I also think the plaintiffs’ lawyers are still working on how they are going to make money from this type of litigation. I suspect that when a case with worse facts shows up, the plaintiffs’ lawyers will know what to do. But while I am sure there will be significant case somewhere down the road, what is uncertain is when that will happen and whether or not this type of litigation will indeed become a substantial phenomenon.