Bennek v. Home Depot and the future of Cybersecurity-related Derivative Suits
On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.
This suit was not a total surprise: in 2014, Home Depot suffered a data breach that may have affected up to 56 million customers. And in June 2015, a plaintiff filed an action in Delaware to inspect the Company’s books and records related to the data breach.
Nor is it surprising that the Home Depot plaintiff named Officers and Directors as defendants. Regulators have emphasized the role that directors and officers should be playing in overseeing their organization’s cybersecurity efforts. For example, last year, speaking at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized “that boards are responsible for overseeing how management implements cyber security programs….” Aguilar concluded that “directors [are] on notice to proactively address the risks associated with cyber-attacks.” Home Depot joins a growing list of companies that have faced shareholder suits naming Directors and Officers as defendants in the aftermath of data breaches, such as Heartland Payment Systems, TJX, Target, and Wyndham Worldwide Corp.
Much has been written about the Wyndham case, which was dismissed on the grounds that the directors acted within the scope of the business judgment rule in rejecting the shareholder’s demand to bring suit. See Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No. 2:14-cv-01234 (D.N.J.) (Chesler, J.). Perhaps in response to that decision, the plaintiff in the Home Depot case is taking a different approach: rather than making a demand on the board, the plaintiff alleges that such a demand would be futile because the directors face personal liability and therefore cannot exercise independent business judgment about whether to sue. Clearly the plaintiffs’ bar is adapting as this rapidly developing and volatile area of law matures.
The Home Depot allegations are instructive. Plaintiff alleges that nine of the individual Director/Officer defendants sat on the Company’s Audit Committee and, as such, were charged with primary responsibility to ensure that Home Depot honored its contractual obligations to comply with PCI-DSS, the payment card industry standard that sets minimum data security requirements for merchants handling consumer debit and credit card transactions. The complaint further alleges that the Director/Officer defendants received warnings in multiple forms that hackers were targeting Home Depot, but failed to ensure that the Company deployed up-to-date security software that it had already acquired. And, the Complaint alleges, this was not for want of technological know-how: upon learning that its network had been breached in September 2014, Home Depot was able to install the updated encryption technology at 75% of its stores in eleven days.
We will continue to monitor developments in Home Depot, as it is likely to lead to new law in the area of data privacy and security, particularly concerning the roles of Officers and Directors. The allegations here underscore that, in an age of seemingly ubiquitous data breaches, the actions of Directors and Officers with regard to cyber security will be scrutinized. Moreover, we may see the development of a classic “Catch-22”: the very personal involvement of Directors and Officers in overseeing cyber security risk, which regulators are urging, may be cited as the reason they face personal liability, and thus as the reason a pre-suit demand is futile, stripping away the demand requirement that would otherwise shield them from suit.