Home Depot Evades Shareholder’s Derivative Suit for 2014 Data Breach



Public companies that are proactively working to mitigate “cyber” risks and prepare to respond to potential incidents frequently ask whether a “breach” will lead to litigation, loss of customers, stock price decline, and shareholder actions. Many factors influence which adverse consequences follow disclosure of a breach. Of the hundreds of incidents that have been disclosed over the past few years by public companies, fewer than five were followed by a shareholder derivative action. To date, all derivative actions brought after an incident were unsuccessful. That trend continued with the November 30, 2016 ruling by a federal court dismissing a derivative action against Home Depot and its directors following a payment card security incident Home Depot disclosed in 2014 that may have affected 56 million payment cards.

Background to the Suit. Home Depot’s 2012 Proxy Statement stated the Audit Committee would take over responsibility for information technology and digital security oversight. However, the Audit Committee’s charter was not amended to reflect this change in responsibility. Also, multiple times prior to the breach, Home Depot’s Chief Information Officer notified the Audit Committee and the Board that Home Depot was not compliant with the Payment Card Industry Data Security Standard (“PCI DSS”), and would likely continue to be out of compliance until February 2015.

The Derivative Suit. In August 2015, the plaintiff shareholders filed a derivative action alleging that Home Depot and the other Board defendants breached their duty of loyalty to the corporation. The plaintiffs alleged the Board failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach and breached its duty by disbanding the committee previously responsible for IT and digital security. The defendants moved to dismiss the claims. The Court stated that, to excuse demand in their derivative action, the plaintiffs needed to overcome the high burden of showing “with particularized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act.”

Audit Committee Charter Amendment Claim. The plaintiffs alleged the Board consciously failed to act despite a known duty to act by disbanding the Infrastructure Committee and thereafter failing to amend the Audit Committee’s charter to reflect its new oversight responsibilities. The plaintiffs alleged that no one was designated with responsibility to oversee data security. The Court rejected this argument and said that “whether or not the Audit Committee had technical authority, both the Committee and the Board believed it did.” The Court also stated that the Audit Committee received regular reports from management on the state of Home Depot’s security and the Board also received briefings from management and the Audit Committee.

Inadequate Plan Post-Breach Claim. The plaintiffs also argued the Board breached the duty of loyalty by failing to ensure a plan was in place to immediately remedy Home Depot’s data security deficiency. The Court stated that under Delaware law, directors violate their duty of loyalty only if they knowingly and completely fail to undertake their responsibilities. Here, the Court found that because the Board acted before the breach occurred and planned to fix many of the security weaknesses by February 2015, the plaintiffs failed to show beyond a reasonable doubt that the majority of the Board faced substantial liability. The plaintiffs’ claim that the Board did not act quickly enough was not enough to clear the high hurdle for excusing demand in a derivative action.

Conclusion. Although the Board of Directors was aware of Home Depot’s challenges with deploying encryption and PCI DSS noncompliance, the Court ultimately found there was no conscious disregard of a duty to act.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
