Target Corporation’s (Target) directors and executive officers can breathe a sigh of relief after a Minnesota federal judge dismissed derivative claims brought against them by Target shareholders, stemming from a data breach in 2013 in which hackers stole credit card and other personal information of tens of millions of Target customers. Davis v. Steinhafel, No. 14-cv-00203 (D. Minn.). This decision provides useful guidance for directors and officers on the issues a court may consider in determining whether to allow a derivative suit to proceed based on alleged violations of fiduciary duties in overseeing corporate cybersecurity.
On December 19, 2013, Target disclosed that hackers had breached its online systems and stolen payment card data from up to 40 million consumer credit and debit cards used in Target stores from November 27 to December 18, 2013. On January 10, 2014, the company divulged that personally identifiable information—such as names, mailing addresses, phone numbers, and email addresses—of up to 70 million more customers was stolen during the breach. The attack brought widespread media attention, negatively affected Target’s sales and reputation, and subjected the company to lawsuits by banks for their costs in reinstating consumer credit cards.
The Derivative Litigation
Following the breach, Target shareholders filed derivative actions in Minnesota—one in state court and four in federal court—against Target directors and certain executive officers. The federal cases were consolidated and the state lawsuit was stayed pending the outcome of the federal case. The shareholders alleged that the defendants breached their fiduciary duties by failing to properly provide for and oversee an information security program, by actively attempting to conceal the extent of the breach, and by failing to give customers and the public prompt and accurate information about the breach. Pursuant to applicable Minnesota law, Target formed a Special Litigation Committee (SLC), comprised of disinterested and independent directors (two former judges appointed to the board solely for this purpose), to investigate the claims and determine whether it would be in the best interests of the company to pursue the litigation.
Review by the SLC
After a lengthy and extensive investigation that included reviewing thousands of documents related to Target’s information security and procedure, performing dozens of interviews, consulting with experts, listening to presentations from the shareholders’ counsel, the directors’ counsel, and Target’s counsel, and reviewing applicable law, the SLC concluded it was not in Target’s best interest to pursue the litigation against the directors and executives.
Under Minnesota law, a court will defer to an SLC’s recommendation to dismiss a derivative action so long as: (1) the SLC was comprised of disinterested and independent members; and (2) the SLC’s recommendation is based on a good-faith investigation of the allegations. Based on its investigation, the SLC filed a motion to dismiss the lawsuit. Target, its officers, and directors likewise filed three separate motions to dismiss. The court granted their motions and dismissed the action.
Take-Aways for Directors and Officers
Directors and officers can look to the Target SLC report as a guidepost for the types of measures that should be a part of a robust information security program to help establish that they have discharged their fiduciary duties. Factors that the SLC reviewed, considered, and relied upon included:
While future courts will review derivative actions on a case-by-case basis, the Target defendants’ situation illustrates the importance of being able to demonstrate a strong, even if imperfect, cybersecurity program. The more evidence directors can produce to demonstrate that they prioritize and enforce cybersecurity, the more difficult it will be for plaintiffs to sustain breach of fiduciary duty claims against them following a breach.