Officers and directors of companies that have had data breaches have become targets of litigation through shareholder derivative claims since the consumer class-action claims have had a difficult time making it past the causation of harm threshold. Those officers and directors may now sigh in relief, if only briefly, following a November 30, 2016, ruling by the District Court in the Home Depot Shareholder Derivative Litigation dismissing the shareholders’ claims against the officers and directors. (Court’s Order)
The general theory of data breach shareholder derivative claims is that when a company has a data breach, the damages to the value of the company begin to accrue at the time of the breach (or, discovery of the breach) through expenses such as response and remediation costs and litigation costs, as well as diminution in brand value, all of which then reduces the value of the shareholders’ investment in the company thereby causing harm to the shareholders. Because the officers and directors consciously failed to act in the face of known risks to prevent those risks, the theory goes, they breached their duties of care and loyalty to the company and should be held responsible for such losses.
In the Home Depot ruling, the court found that the plaintiff did not meet their burden of proving the officers and directors “consciously failed to act in the face of a known duty to act” which the court called an “incredibly high hurdle for the plaintiff to overcome” and remarked that it was “not surprising that they failed to do so.”
This is a little simplistic and should not be taken as a “Get Out of Jail Free” pass for many reasons, including that the Court’s Order was 30 pages and there are more nuanced cybersecurity, corporate, and shareholder derivative issues that will be examined more closely in a future post. But for now, this at least one ray of hope for officers and directors looking for a reason to sleep a little better tonight.
Enjoy it while you can, it won’t last forever …
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.