The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach. And in an unusual turn, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.
In a two-page order issued late yesterday, U.S. District Judge Paul A. Magnuson dismissed claims against the retailer’s leadership team and board, noting that the derivative plaintiffs – the shareholders who filed the lawsuits – had 30-days to come back to the Court to seek legal fees.
Days before the start of the 2013 holiday shopping season, Target disclosed that hackers had compromised the credit and debit card information of 40 million of its customers. Several weeks later, Target updated that number to include the personal information of an additional 70 million customers. Since then, the company has been embroiled in litigation with shareholders, financial institutions and consumers.
The derivative lawsuits claim that Target’s directors and officers breached their fiduciary duties and committed gross mismanagement, waste of corporate assets, and abuse of control. Shortly after the suits were filed, the Target Board formed a Special Litigation Committee (SLC) that included a University of Minnesota law professor and former chief justice of the state’s supreme court. The SLC was given broad authority to investigate “all of the shareholders’ claims” and determine whether it was in Target’s best interest to pursue them. Over the course of 21 months, the SLC interviewed 70 witnesses, reviewed thousands of documents and finally issued a 91-page report in March 2016. The report concluded that Target should not pursue the derivative claims – a conclusion that was not challenged by the derivative plaintiffs.
As is the case in many states, Minnesota law does not permit a court to second-guess the merits or conclusions of an SLC so long as the investigation was independent and focused on the company’s best interests.
With yesterday’s ruling, Target becomes the second data breach derivative case to have been dismissed. In 2014, a New Jersey federal judge dismissed a derivative action against the directors and officers of the Wyndham Worldwide Corp. over a series of three data breaches at the resort chain that compromised the data of 600,000 customers. Similar to the Target case, the plaintiffs claimed that Wyndham’s c-suite failed to take adequate steps to safeguard customers’ personal and financial information. The Wyndham Board rejected the shareholder demands – a conclusion that U.S. District Judge Stanley R. Chesler agreed with based on a failure to demonstrate “bad faith.” The court concluded that Wyndham’s Board had been active on cybersecurity matters, noting that in the course of a six-year period, it held 14 meetings to discuss the attacks and improve its data security policies and practices.
In an upcoming post, we will take a closer look at what corporate leaders should take away from both the Target and Wyndham rulings. Stay tuned.