The general theory of data breach shareholder derivative claims is that when a company has a data breach, the damages to the value of the company begin to accrue at the time of the breach (or, discovery of the breach) through expenses such as response and remediation costs and litigation costs, as well as diminution in brand value, all of which then reduces the value of the shareholders’ investment in the company thereby causing harm to the shareholders. Because the officers and directors consciously failed to act in the face of known risks to prevent those risks, the theory goes, they breached their duties of care and loyalty to the company and should be held responsible for such losses.
In the Home Depot ruling, the court found that the plaintiff did not meet their burden of proving the officers and directors “consciously failed to act in the face of a known duty to act” which the court called an “incredibly high hurdle for the plaintiff to overcome” and remarked that it was “not surprising that they failed to do so.”
This is a little simplistic and should not be taken as a “Get Out of Jail Free” pass for many reasons, including that the Court’s Order was 30 pages and there are more nuanced cybersecurity, corporate, and shareholder derivative issues that will be examined more closely in a future post. But for now, this at least one ray of hope for officers and directors looking for a reason to sleep a little better tonight.
Enjoy it while you can, it won’t last forever …
______________________
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
