During the period 2014-2015, several companies –including Home Depot — that had experienced high-profile data breaches were hit with cybersecurity-related D&O lawsuits. All of these lawsuits, including the one against Home Depot, were dismissed. The plaintiffs in the Home Depot case filed an appeal of the dismissal. Now it appears that while the appeal was pending the parties to the Home Depot data breach-related derivative lawsuit have reached a settlement. The settlement could have interesting implications for the plaintiffs’ bar’s ongoing efforts to pursue data breach related D&O litigation.
In September 2014, Home Depot announced that its retail payment systems had been compromised and then later announced that data hackers had gained access to 56 million customer credit card numbers, in what was one of the largest data breaches in U.S. history. The breach led to as many as 44 consumer civil actions against Home Depot in which it is alleged that Home Depot failed to implement reasonable measures to prevent or to mitigate the effects of the data breach. There have also been several federal and state investigations as well.
As discussed here, in August 2015, shareholders filed multiple derivative complaints against Home Depot, as nominal defendant, and certain of its current and former directors and officers. (The various actions were later consolidated). The plaintiffs allege that the defendants breached their duty of loyalty because the defendants failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach and because they disbanded the Board of Directors committee that was supposed to have oversight of those risks. The plaintiffs also alleged that the defendants wasted corporate assets and that the defendants violated Section 14(a) of the Securities Exchange Act in their 2014 and 2015 proxy filings.
The defendants filed a motion to dismiss the plaintiffs’ complaint on the grounds that the plaintiffs failed to make the required pre-suit demand on Home Depot’s board that the company take up the lawsuit. The plaintiffs opposed the motion arguing that the demand was excused because it would have been futile.
As discussed here, on November 30, 2016 opinion, Northern District of Georgia Judge Tom Thrash, applying Delaware law, ruled that the plaintiffs had failed to show that demand was futile, and granted the defendants’ motion to dismiss based on the plaintiffs’ failure to fulfill the demand requirement. Among other things, Judge Thrash said that the standard to show that demand was futile represented “an incredibly high hurdle” for the plaintiffs to overcome. The plaintiffs filed a notice of appeal.
On April 28, 2017, the plaintiffs in the Home Depot case filed an unopposed motion for preliminary approval of a settlement of the derivative lawsuit. A copy of the motion can be found here. According to the motion, the parties reached a settlement of the case, pursuant to which Home Depot agreed to adopt certain cyber-security related corporate governance reforms. The settlement agreement also provides for Home Depot to pay up to $1.125 million of the plaintiffs’ attorneys’ fees.
The corporate governance reforms include documenting the responsibilities of the company’s chief information security officer; maintaining a data security executive committee; and requiring regular reports on the retailer’s information technology and cybersecurity budget.
As I noted at the time when Judge Thrash granted the motion to dismiss in this case, plaintiffs’ track record in these kinds of date breach-related derivative lawsuits has been poor. The dismissal of the Home Depot case followed shortly after dismissals in the data breach-related derivative lawsuits involving Wyndham Worldwide and Target.
Notwithstanding this poor track record, I suggested that it would premature to conclude that we don’t need to be worried about cybersecurity-related D&O litigation. And indeed, within a few days of Judge Thrash’s dismissal of this case, plaintiffs filed yet another data-breach related derivative lawsuit against Wendy’s (as discussed here). In addition, earlier this year, investors filed a data breach related securities class action lawsuit against Yahoo, and shortly after that investors also filed a data breach-related derivative lawsuit involving Yahoo, as well.
These latest lawsuits show that despite the setbacks in the earlier-filed lawsuits, including the lawsuit involving Home Depot, plaintiffs’ lawyers are continuing to pursue this type of litigation. As I have previously noted about these efforts and about the plaintiffs’ bar, the plaintiffs’ bar is very creative and very entrepreneurial and they have significant incentives to try to find a way to capitalize on the chronic cybersecurity risks and exposures that companies face. The plaintiffs’ lawyers will continue to experiment, and for that reason alone we are going to see further cybersecurity-related D&O lawsuits.
The recent settlement in the Home Depot case will even further encourage these kinds of efforts. The fact that the plaintiffs’ lawyers in the Home Depot case were able to secure a settlement that included the payment of their attorneys’ fees — notwithstanding the fact that the case had been dismissed and an appeal was pending – suggests that the plaintiffs’ lawyers may yet find (or rather may even have found) a way to profit from filing these kinds of cases. To be sure, the $1.125 million in fees the plaintiffs’ lawyers secured in this settlement is not exactly the kind of lotto jackpot that plaintiffs’ lawyers usually are seeking, but it isn’t dirt, either. The post-dismissal settlement of these case – that included payment of plaintiffs’ attorneys’ fees – could hearten and reassure the plaintiffs’ lawyers as they scuffle to try to establish the way that they might profit from this kind of litigation.