For some time now, many commentators (including me) have been predicting that, as a result of the rising number of companies experiencing data breaches, there would be a resulting wave of D&O lawsuits. Indeed, there have been a small number of high profile data security-related D&O lawsuits filed. However, several of those cases – including, for example, the derivative lawsuits filed against Target (about which refer here) and Wyndham Worldwide (here) – have been dismissed. Following these dismissals, the sole remaining recent high-profile data breach-related derivative lawsuit was the one filed against the directors and officers of Home Depot. However, the Home Depot lawsuit has now also been dismissed. The spate of dismissals certainly raises a question about what we may expect with respect to future cybersecurity-related D&O lawsuits. A copy of Northern District of Georgia Judge Thomas Thrash’s November 30, 2016 opinion in the Home Depot derivative lawsuit can be found here.
In September 2014, Home Depot announced that its retail payment systems had been compromised and then later announced that data hackers had gained access to 56 million customer credit card numbers, in what was one of the largest data breaches in U.S. history. The breach led to as many as 44 consumer civil actions against Home Depot in which it is alleged that Home Depot failed to implement reasonable measures to prevent or to mitigate the effects of the data breach. There have also been several federal and state investigations as well.
As discussed here, in August 2015, shareholders filed multiple derivative complaints against Home Depot, as nominal defendant, and certain of its current and former directors and officers. (The various actions were later consolidated). The plaintiffs allege that the defendants breached their duty of loyalty because the defendants failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach and because they disbanded the Board of Directors committee that was supposed to have oversight of those risks. The plaintiffs also alleged that the defendants wasted corporate assets and that the defendants violated Section 14(a) of the Securities Exchange Act in their 2014 and 2015 proxy filings.
The defendants filed a motion to dismiss the plaintiffs’ complaint on the grounds that the plaintiffs failed to make the required pre-suit demand on Home Depot’s board that the company take up the lawsuit. The plaintiffs opposed the motion arguing that the demand was excused because it would have been futile.
The November 30, 2016 Decision
In a November 30, 2016 opinion, Judge Thrash, applying Delaware law, ruled that the plaintiffs had failed to show that demand was futile, and granted the defendants’ motion to dismiss based on the plaintiffs’ failure to fulfill the demand requirement.
In reaching this conclusion, Judge Thrash separately considered the plaintiffs’ demand futility argument with respect to each of the three separate substantive claims the plaintiffs asserted.
Breach of Loyalty Claims: With respect to the plaintiffs’ breach of the duty of loyalty claims, in which the plaintiffs alleged that the defendants had failed to institute sufficient controls and had disbanded the board cybersecurity oversight committee, Judge Thrash said that in order for plaintiffs to meet the demand futility requirement, they must “show with particularity facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act.” Judge Thrash called this “an incredibly high hurdle,” adding that “it is not surprising” that the plaintiffs “failed to do so.”
In attempting to meet these requirements, the plaintiffs cited the Board’s disbanding of the cybersecurity oversight committee. Oversight responsibility had been transferred to the Audit Committee, but the plaintiffs argued that the Audit Committee’s charter had not been amended to reflect the new oversight duties, leaving the company without responsible cybersecurity oversight and reporting.
Judge Thrash called this argument “much too formal.” Even if the Audit Committee’s charter had not been amended, it received regular cybersecurity reports and briefed the Board. There is, Judge Thrash said, “no question that the Board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting existed.” The Board also approved a plan to fix known security weaknesses; “with the benefit of hindsight, one can safely say that the implementation of the plan was probably too slow,” but the directors’ decision-making must be “reasonable not perfect.”
Because the plaintiffs failed to show beyond a reasonable doubt that the Board faced substantial liability because it consciously failed to act, Judge Thrash concluded that the demand was not excused as to the plaintiffs’ breach of loyalty claims.
Corporate Waste: With respect to the plaintiffs’ allegations that the defendants’ insufficient reaction to cybersecurity weaknesses caused “waste” of corporate assets, Judge Thrash said that in order to establish demand futility the plaintiffs must raise a reasonable doubt that the “challenged transaction was … the product of a valid exercise of business judgment.”
In concluding that the plaintiffs had failed to satisfy this requirement, Judge Thrash noted that “with hindsight, it is easy to see that the Board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one. But this decision falls squarely within the discretion of the Board and is under the protection of the business judgment rule.”
Violations of Section 14(a) of the Securities Exchange Act: In order to meet the burden to establish demand futility as to their allegations of inadequate proxy disclosures, Judge Thrash said the plaintiffs must provide particularized factual allegations that raise a reasonable doubt that the directors were disinterested and independent.
In concluding that the plaintiffs had failed to meet these requirements, Judge Thrash found that the plaintiffs failed to specify which statements in the 2014 and 2015 Proxy Statements were rendered misleading or false by omissions; failed to show the materiality of the failure to report that the Audit Committee’s charter had not been amended; and failed to show that the alleged omissions caused the alleged losses.
At this point, it is fair to say that plaintiffs’ lawyers’ efforts to pursue data breach-related derivative lawsuits have fared very poorly. Together with the Target Corp. and Wyndham Worldwide derivative lawsuit dismissals, the dismissal in the Home Depot derivative lawsuit means that all three of the recent high-profile data breach-related derivative lawsuits have failed to overcome initial pleading hurdles. You can add to this list the early data breach-related derivative lawsuit involving Heartland Payment Systems, which was also dismissed.
At one level, it could be argued that this poor track record is unsurprising. Derivative lawsuits are particularly challenging for claimants, owing to the procedural hurdles (like the demand requirement) and the substantive defenses (like the business judgment rule). There is a reason that Judge Thrash observed in the course of the Home Depot opinion that the hurdle the plaintiffs in that case faced was “incredibly high.”
The magnitude of the hurdles may well explain why so few data breach-related derivative lawsuits have been filed overall, despite the significant number of high-profile data breaches. To be sure, as an alternative to filing a derivative lawsuit, a prospective claimant might file a securities class action lawsuit. However, the fact is that most data breach disclosures have not been accompanied by a significant share price decline, making the securities class action alternative unattractive (or even arguably unavailable).
The upshot of all of this is that there has not been a significant data breach-related derivative lawsuit (or other D&O claim) filed for some time now. The Home Depot lawsuit, filed in September 2015, was really the last one to be filed; there haven’t been any others filed in the interim.
It is, however, far too early to conclude that we don’t need to be worried about the possibility of cybersecurity-related D&O litigation. I think where we are now is that the plaintiffs’ lawyers are still trying to find the right approach (or perhaps to find a case with just the right facts). The plaintiffs’ bar is very creative and very entrepreneurial, and they have significant incentives to try to find a way to capitalize on the chronic cybersecurity risks and exposures that companies face. I expect that the plaintiffs’ lawyers will continue to experiment, and for that reason alone we are going to see further cybersecurity-related D&O lawsuits. (Refer here for a recent post in which Doug Greene of the Lane Powell law firm contends on his D&O Discourse blog that we will eventually see more data breach-related derivative lawsuits and shareholder class actions.)
In the meantime, while the plaintiffs’ lawyers continue to experiment, companies continue to face the risk of regulator claims. As I noted in a recent post (here), there is a growing list of federal regulatory agencies jockeying to join the regulatory data security bandwagon, and state authorities are not far behind. While the current change in the Presidential administration raises a great deal of uncertainty about what might be ahead, the likelihood is that the activity of regulators in this area will increase rather than decrease; we likely will continue to see additional regulators becoming active in this space as well. Of particular concern is the possibility that the SEC will begin to crack down on reporting companies’ cybersecurity-related disclosures.
Many readers likely were struck, as I was, by Judge Thrash’s uniform unwillingness to subject the defendants’ actions to hindsight judgments and his willingness to extend business judgment protection to the defendants’ decisions. This approach may give a great deal of comfort to corporate officials who are struggling to address cybersecurity issues and are concerned that their actions may later be second-guessed if, despite their efforts, their company nonetheless experiences a data breach or other cybersecurity incident. While Judge Thrash’s perspective may indeed be comforting, there is a larger issue that should be kept in mind, which is that Judge Thrash was willing to forbear from second-guessing because Home Depot was able to show that it was taking steps to address known concerns, and that oversight and reporting responsibilities were being administered.
All of this is just a reminder that even though the recent high-profile cases have been dismissed, it remains indispensable for companies and their senior officials to continue to take steps to ensure that, if their actions and decisions are questioned, they can show that they were proceeding responsibly with reasonable efforts appropriately designed to meet security threats.