On Wednesday, November 30, 2016, a federal court dismissed a shareholder derivative action that had been brought against certain directors and officers of The Home Depot, Inc. ("Home Depot") following the home improvement retailer's 2014 data breach. Opinion and Order, In re The Home Depot, Inc. S'holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 62. The dismissal of the case illustrates the difficulties that shareholders face in pursuing claims against board members for failing to prevent data breaches.
The Home Depot data breach occurred when hackers used a third-party vendor's user name and password to infiltrate Home Depot's network. The hackers installed malware that allowed them to steal customers' financial information every time a payment card was swiped at Home Depot's cash registers. Home Depot estimated that 56 million cards were compromised, resulting in losses to the company of $152 million and a potential exposure that may reach as high as $10 billion. Id. at 3-4.
In the shareholder derivative action, Plaintiffs asserted claims against Home Depot directors and officers for breaching their fiduciary duties, wasting corporate assets, and violating Section 14(a) of the Securities Exchange Act in their 2014 and 2015 proxy filings. Id. at 4-5. In particular, Plaintiffs alleged that the directors and officers had failed to implement internal controls to oversee the risks Home Depot faced in the event of a data breach and disbanded a Board of Directors committee that was supposed to have oversight of those risks. Id. at 4.
In addition to questioning whether anyone at Home Depot had proper oversight over IT and data security, Plaintiffs alleged that there were numerous deficiencies in Home Depot's network security. Among other things, Plaintiffs claimed that Home Depot failed to follow Payment Card Industry Data Security Standards ("PCI DSS"). According to Plaintiffs, PCI DSS required Home Depot to (1) install and maintain a firewall, (2) protect against malware and regularly update anti-virus software, (3) encrypt transmissions of cardholder data, (4) not store cardholder data beyond the time necessary to authorize a transaction, (5) limit access to payment card data, and (6) regularly test its data security systems. Id. at 7.
Notwithstanding these allegations, Judge Thomas Thrash granted Defendants' motion to dismiss the complaint. Judge Thrash began by noting that since Plaintiffs had not demanded that the board take corrective action, they had to show that a demand would have been futile. Id. at 10-11. This required Plaintiffs to show that the directors' conduct was "so egregious on its face" that board approval could not meet the business judgment rule. Id. at 13.
With respect to Plaintiffs' breach of fiduciary duty claim, the court held that it was not enough for Plaintiffs to allege that Home Depot's directors failed to do everything they should have done. Rather, Plaintiffs had to show that the directors "consciously failed to act in the face of a known duty to act." Id. at 14. While the directors had disbanded a Board committee and failed to immediately remedy the company's data security deficiencies, Plaintiffs could not show that the directors had "knowingly and completely failed to undertake their responsibilities." Id. at 16 (quoting Lyondell Chemical Co. v. Ryan, 970 A.2d 235, 243-44 (Del. 2009)) (emphasis in original).
Turning to Plaintiffs' claim that the Board wasted corporate assets, Judge Thrash again found that Plaintiffs had failed to meet their burden. The court characterized Plaintiffs' claim as fundamentally challenging the directors' business judgment - i.e., that despite "red flags," the directors failed to see the extent of Home Depot's risk and therefore made a "wrong" business decision by allowing Home Depot to be exposed to the threat of a security breach. Id. at 20. As Judge Thrash noted, "With hindsight, it is easy to see that the Board's decision to upgrade Home Depot's security at a leisurely pace was an unfortunate one. But this decision falls squarely within the discretion of the Board and is under the protection of the business judgment rule." Id.
Judge Thrash's opinion affirms that a company's being the victim of a data breach does not, by itself, mean that its directors have violated their duty of loyalty. Shareholders bear a heavy burden in trying to prove otherwise, as the business judgment rule will protect most cybersecurity decisions. Nevertheless, corporate boards must be mindful of cybersecurity risks and take action to minimize them. Companies should have concrete policies and procedures in place to address data security.