Target Corporation’s 2013 data breach saga could be coming to a close—or at least there’s a glimmer of hope that the costs related to the breach are slowing. If you will recall, in late 2013, more than 70 million Target customers were victims of a hack that exposed payment card data and personally identifiable information.
That was just the beginning of Target’s woes. The total cost of the breach to Target by the end of April 2016 was close to $300 million.
From the company’s Form 10-Q:
Since the Data Breach, we have incurred $291 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million.
This includes a $10 million settlement in a securities class action lawsuit with an additional $6.75 million in plaintiff attorney fees—the total sum of which felt like a mini-win for Target.
The most recent win for the corporation is the dismissal of a pending derivative lawsuit. As a reminder, derivative suits are those that current shareholders bring on behalf of the corporation against its directors and officers for allegedly breaching fiduciary duties.
Any monetary awards that the plaintiffs win go back into the company’s coffers, but are supposed to come from the directors and officers themselves (though, more realistically, the money will be paid by insurance carriers). The plaintiffs’ lawyers who bring successful suits are paid separately, usually either by the corporation or by insurance.
In July 2016, a Minnesota judge granted a motion to dismiss the Target derivative suit. The dismissal shows how due diligence can go a long way in the eyes of a court.
When a derivative suit is filed against a corporation, it can respond in a couple of different ways. One path is to deny allegations and allow plaintiffs to pursue the case. Another path is for the corporation to form a “special litigation committee” and investigate the allegations to determine if it’s in the best interest of the corporation to pursue the case.
Target chose the latter. Its special litigation committee was composed of independents—those who did not have an interest in Target and were not implicated in any way by the litigation—and included legal luminaries: a University of Minnesota law professor and former Minnesota Supreme Court Chief Justice, no less.
The special litigation committee spent nearly two years on the investigation. By all accounts, it was exhaustive. The committee concluded that it was not in the best interest of the shareholders to pursue the case.
Its reasons included a long trail of consistent efforts by Target to address cyber security concerns.
Under Minnesota law, the court must defer to a special litigation committee’s decision if the proponent of that decision shows that the committee members were disinterested, independent actors and the committee’s procedures were adequate.
The plaintiffs, of course, chose not to pursue any further action against Target’s Ds and Os. However, they aren’t letting Target off the hook completely: they have the right to pursue legal fees and expenses from the company.
You may remember that back in 2015, Wyndham faced a similar situation. Directors were sued for breaching their fiduciary duties in connection with a major cyber breach. In that case too, upon reviewing a long history of diligent efforts by the board to address cyber security risks, the court granted the Ds and Os’ motion to dismiss.
Both Wyndham and now Target demonstrate that directors who are diligent in their efforts when it comes to oversight of cyber liability risks will win their motions to dismiss if they are sued derivatively after a major cyber breach.
The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation.