Recently, on July 7, 2016, a Minnesota federal judge dismissed the shareholders’ derivative lawsuit against Target Corporation’s Board and several top executives based on the recommendation of Target’s Special Litigation Committee (“SLC”). The decision highlights the risks that companies and their boards face if proper attention is not given to the management of cybersecurity and data privacy both before and after a data breach.
Target’s Derivative Litigation
In late 2013, Target was hit with a massive data breach that resulted in the theft of credit card and personal identification information affecting roughly 70 million customers. Thereafter, shareholders filed several derivative lawsuits, which later were consolidated, against Target’s CEO, CFO, CIO and other officers, alleging breach of fiduciary duty, gross mismanagement, waste of corporate assets, and abuse of control, based on the alleged failure to implement internal controls designed to detect and prevent a data breach. In response, as provided for under Minnesota law, Target’s Board formed a 2-person SLC, comprised of a former chief justice of the Minnesota State Supreme Court and a University of Minnesota Law School professor. The case was stayed pending the SLC’s written report.
The SLC conducted a 21-month comprehensive internal investigation to consider all of the claims raised in the derivative suit, which included: the interview of 68 witnesses; the review of thousands of documents; the consideration of the roles of Target’s current and former D&Os, employees, and third-party consultants responsible for Target’s data security program; and the analysis of relevant law and best practices. Following its investigation, in March 2016, the SLC issued a 91-page report, which concluded that, after considering the legal and factual strengths and weaknesses of all of the claims asserted, it would not be in Target’s best interests to pursue any claims against the D&Os named in the derivative lawsuit, and recommended that the suit be dismissed. In arriving at its conclusions, the SLC evaluated, among other things:
- Target’s data security systems and technologies, including Target’s investment in and maintenance of technology security and resources prior to the breach, the vulnerabilities exploited during the breach, and the remedial measures taken after the breach;
- the strengths and weaknesses of Target’s data-security-related policies;
- the strengths and weaknesses of Target’s risk assessment and risk management policies;
- the cybersecurity and data privacy training that had been offered at Target and the extent of Target employees’ and D&Os’ knowledge of general and specific cybersecurity threats;
- Target’s compliance with industry standards prior to the breach;
- the accuracy and timeliness of customer notifications after the breach;
- Target’s cooperation with law enforcement and regulators (SEC, FTC) following the breach; and
- Target’s assessment of its vendor’s cybersecurity and data privacy procedures.
In May 2016, the SLC moved to dismiss the derivative suit. Under Minnesota law, a federal court evaluating the recommendation of an SLC is limited to considering whether the SLC was disinterested and independent and whether the SLC’s investigation was conducted in good faith. Considering that the two members of the SLC were entirely independent of Target, had retained their own counsel and investigators, and had conducted a very thorough investigation, the shareholder plaintiffs chose not to challenge the SLC’s motion. Relying on the SLC’s recommendation, the court issued an order dismissing the litigation, noting that the shareholders stipulated that they did not oppose the motion to dismiss.
Practical Insights
The Target decision provides insight into some appropriate steps a company should take to address cybersecurity and data privacy concerns and potentially avoid liability in the event of a breach. The decision is the latest in the string of early dismissals of cybersecurity-related derivative lawsuits, joining the Wyndham and Heartland Payment Systems cases.
In October 2014, in the highly publicized Wyndham case, a New Jersey federal judge dismissed the derivative action against Wyndham’s D&Os following a series of data breaches in 2008 and 2009 at the resort chain, which compromised the personal data of 600,000 customers. Like the Target case, the plaintiffs in Wyndham argued that senior corporate executives did not take adequate steps to safeguard customers’ personal and financial information. Wyndham’s Board formed a committee and hired outside counsel to conduct a special investigation to probe whether a lawsuit was in the company’s best interests. Based on the findings of the investigation, Wyndham’s Board rejected the shareholder demand because of a failure to demonstrate “bad faith.” The court agreed and dismissed the suit. (Significantly, Wyndham did not fare as well in its defense against FTC charges that Wyndham’s security practices unfairly exposed the personal data of hundreds of thousands of consumers to hackers. Wyndham settled with the FTC, agreeing to establish a comprehensive security program.)
In 2009, Heartland Payment Systems was faced with a derivative lawsuit resulting from a data breach that compromised the data of millions of individuals and hundreds of financial services companies. Heartland’s shareholders claimed that the company concealed a past cyberattack and made fraudulent statements about the state of the company’s cybersecurity. Another New Jersey federal judge dismissed that case based on, among other reasons, the absence of any particularized allegation that Heartland’s D&Os knew that the security systems were deficient or that the cyberattack was not adequately addressed. (Heartland faced a separate consumer class action suit in Texas, which resulted in the creation of a pool of up to $2.4 million to pay consumers and a $1.5 million cost to the company to notify consumers that they could file a claim.)
While there have been several recent high-profile data breaches – Anthem, Sony Entertainment, eBay, The Home Depot – the only cybersecurity-related derivative lawsuit filed was against The Home Depot. The reluctance to bring a lawsuit seems understandable considering the unfavorable results thus far. Despite these dismissals, however, derivative actions in cyber-related cases continue to pose financial and legal risks for companies. In both the Target and Wyndham cases, although the companies were afforded the opportunity to argue that the derivative lawsuits should not be permitted to proceed, the litigation costs were substantial. In small cases, SLC costs can range from $300,000 to $500,000, while more complex investigations can exceed $1 million.[1] Furthermore, unlike Target, not all companies will withstand the judicial scrutiny of their cybersecurity practices. Surely, there will be future derivative suits based on deficient processes that do not warrant dismissal, leading to significant litigation costs.
Minimizing Legal and Financial Risks of Cyber Breaches
To limit the risks flowing from a data breach, it is important for a company to establish and implement a company-wide cybersecurity and data privacy policy that includes, among other things, reasonable security safeguards, security protocols to be followed, an immediate response plan, and post-breach remediation measures. Additionally, many regulators, including the FTC, issue guidance that addresses these very points. The FTC, for example, includes data security materials on its website, including identifying ten lessons from its data security settlements.
Obtaining sufficient cybersecurity insurance coverage is another avenue to manage risk. Recent cases demonstrate that a data breach brings with it a host of costs, including litigation, settlement, and forensic investigation costs, among others. Having the right insurance in place is key to protecting the corporation from out-of-pocket response costs, property losses, and third-party liability. Errors and Omissions (“E&O”) coverage is a supplemental way to provide protection against cyber-related losses. E&O policies may cover the “wrongful acts” of management or employees, which can help ensure that management is not exposed if a derivative suit is filed. Many D&Os, however, are not familiar with the terms of their insurance policies or with whether cyber-related incidents are covered at all. Indeed, some policies may be limited only to the insured’s own wrongful acts, not hacks, or may exclude coverage for hefty regulatory fines.
Negotiating a comprehensive cyber-insurance policy and understanding what it covers is critical. Companies should seek the assistance of outside insurance counsel to help negotiate such a policy and familiarize the company with the policy and its terms.
In the current climate, the likelihood of having to deal with a cyber-breach poses a real threat. In fact, cybercrime already is the second most reported economic crime.[2] To manage the attendant risks, companies and their D&Os should take the necessary reasonable steps in advance of a breach to be in the best position to deal with it and any potential lawsuit that follows.