August 17, 2017

August 16, 2017

Subscribe to Latest Legal News and Analysis

August 15, 2017

Subscribe to Latest Legal News and Analysis

August 14, 2017

Subscribe to Latest Legal News and Analysis

Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims

Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims. As previously reported, that derivative action was dismissed on November 30, 2016.  That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches. Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal.  The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss.  On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement.  If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach.

The Stipulation of Settlement filed with the court specifies that Home Depot will agree to implement the following nine changes to its information governance practices (which are a checklist of best practices for any business):

  1. Document the duties and responsibilities of the Chief Information Security Officer (“CISO”);

  2. Periodically conduct Table Top “Cyber Exercises” to prepare for emergencies and train personnel to respond to data security threats;

  3. Monitor and periodically assess key indicators of compromise on computer network endpoints;

  4. Maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;

  5. Maintain an executive-level committee focused on the Company’s data security;

  6. Receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;

  7. Maintain an Incident Response Team and an Incident Response Plan;

  8. Maintain membership in at least one Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO); and

  9. Retain their own IT, data and security experts and consultants as they deem necessary.

It is unknown whether Home Depot had independently contemplated implementing any of these practices in the aftermath of the breach.

The proposed settlement assigns credit for the changes to the derivative action and, by making them part of a court-approved settlement, does allow for judicial enforcement in the event that Home Depot fails to comply with the remediation program.  More significantly, wrapping these practices into the derivative action settlement provides a justification for the shareholders’ counsel to request a fee award of $1,125,000.  Significantly, Home Depot continues to deny any wrongdoing, and the Settlement Agreement expressly states that it may not be construed as evidence or admission of fault, liability or wrongdoing.

The amount of the requested fee award, which is relatively modest by the standards of large scale derivative litigation, suggests that this may have been a nuisance value settlement of an appeal with slim prospects for success.  Given the prior failures of derivative claims in data breach cases, it remains to be seen whether this settlement will encourage shareholders in future data breach cases to attempt to buck the odds by asserting derivative claims.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Kevin McGinty, Corporate, Class Action, Attorney, Mintz Levin, Law Firm
Member

Kevin concentrates in complex corporate and class action litigation. He chairs the firm's Class Action Working Group and has extensive experience defending consumer, antitrust, unfair trade practice, contract, mass tort, and employment class actions.

He has also represented corporations, professionals, and individuals in business acquisition disputes. Kevin’s clients have included health care–related entities (including pharmacies, PBMs, and managed care organizations), insurers (including life, auto, and casualty companies), retailers, manufacturers, and accounting firms. Several...

617-348-1688