Everyone remembers the Target Corporation data breach, one of the worst in history. In late 2013, hackers forced their way into Target’s computer system, accessing the information of approximately 70 million customers, including approximately 40 million credit and debit card accounts. In the evolving cybercrime landscape, those concerned with preventing toxic publicity and minimizing litigation expenses should be mindful of Target’s breach and the litigation that followed.

In early 2014, Target’s shareholders filed four derivative complaints, later consolidated and now pending in the U.S. District Court for the District of Minnesota. They allege that Target’s board of directors and certain officers breached their fiduciary duties and wasted corporate assets by failing to prevent the breach and failing to properly respond to it.

Although the complaint alleges that a demand on the board would be futile because the conduct of the entire board is at issue, Target’s board had appointed a special litigation committee (SLC) in response to a demand from another shareholder not involved in the consolidated litigation. Accordingly, in June 2014, all parties stipulated to “a short stay” to allow the SLC to determine whether and to what extent Target should pursue the litigation. The investigation was anticipated to conclude by December 2014.

Seasoned businesspeople and litigants might be able to predict what happened next. December 2014 came and went, and the stay was extended: first to March 2015, and later to July. In its July 2015 status report, the SLC recounted it had, to date:

• hired independent counsel;
• hired expert consultants on corporate governance and technical matters;
• met, with counsel present, 75 times and conducted almost 60 interviews; and
• reviewed nearly 100,000 documents and acquired approximately 3,000 more. 

On top of those activities, the SLC anticipates substantial further investigation:

• Director interviews are not anticipated to complete until late August 2015.
• Subsequently, the SLC will interview officers and “may conduct additional interviews as well, depending on its analysis of the investigation at that time.”
• Despite extensive document review, the SLC “continues to request and receive additional and supplemental documents and information from Target and others as issues arise.” 

Currently, the stay has been extended to November 1, 2015. But, if the trend continues, it may be extended even further before the SLC’s report surfaces. Moreover, even if the SLC ultimately concludes the suit is not in the company’s best interests and Target moves to dismiss on that basis, the court may disagree. In deciding whether to dismiss, courts typically look at the independence of the SLC’s members and the reasonableness of the investigation, and may additionally look at the reasonableness of the substantive conclusion itself.

Although we do not yet know the outcome of Target’s derivative litigation, some things are clear. First, Target has undoubtedly expended tremendous resources for the SLC, whose investigation is backward-looking only. Keep in mind, these expenditures became necessary without any judicial findings—a demand letter alleging lax procedures and an inadequate response was enough to trigger them. And all of these costs are on top of the resources spent on the consumer class actions and other fallout from the breach.

Second, companies can take actions before a breach to moderate the costs of any post-breach demand investigation. For example, a company must invest sufficient time and resources to protect itself from cyberattack, but management must also involve the board in the identification of cyber risk, the choices of how to apply finite resources, and the testing and auditing of cyber risk systems. Smart preparation involving the board can help not only to mitigate the risk and damages of a cyberattack, but also to protect the board members from a derivative lawsuit. Although for a company of Target’s size a cyberattack may ultimately be inevitable, the resulting damage and costs can usually be reduced by proactively devoting more attention and resources to risk analysis and involving the board early and often.

Instead, a year and a half has passed since shareholders filed suit, and Target is still wading through its investigation with no end in sight. Beyond the lessons of board engagement and investment in cybersecurity, Target’s protracted investigation provides a third lesson: it is imperative to document the company’s investment and discussions such that they are readily accessible and provable, further minimizing the costs of an investigation.

With cyberattacks on the rise, and given the publicity they inevitably generate, expect to see increased derivative litigation for companies behind the curve on cybersecurity. The smarter buy is to consult counsel and invest in preventative measures to avoid becoming a “Target” in the first place.