Securities Regulation Daily Home Depot data breach derivative suit dismissed
Thursday, December 1, 2016

Home Depot data breach derivative suit dismissed

By Gregory Kane, J.D., M.B.A.

The court dismissed a shareholder derivative action against a home improvement retail giant for failure to meet heightened pleading requirements in relation to corporate mismanagement of its information technology that led to a customer data breach costing the company an estimated $1 billion (In re The Home Depot, Inc., November 30, 2016, Thrash, T.).

Background. The Home Depot is a multinational home improvement retailer incorporated in Delaware with its principal place of business in Georgia. In September 2014, the financial data of 56 million Home Depot customers was stolen due to a breach of the company’s data system. The Board was well aware that the company’s IT and data systems were out of date and well below the required industry standards. The Board had dissolved the committee charged with IT and data security and put those responsibilities with the Audit Committee, although the Audit Committee’s charter was never altered to reflect that change. The Board had approved a plan to improve the company’s cybersecurity, but it was not set for full implementation until 2015. The data breach cost the company an estimated $1 billion.

Demand standard. Under Delaware law, a prerequisite to shareholder derivative actions is that the aggrieved shareholders demand that the board take the desired action. No demand was made in this instance and as such plaintiffs were required not only to prove their claims but demonstrate that the demand was excused because it would have been futile. The primary claim for liability is a breach of duty of loyalty to the company and, with the added demand futility standard required here, plaintiffs would have needed to show with particularized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it failed to act in the face of a known duty to act—a hurdle too high for the plaintiffs to overcome.

While the Board likely acted too slowly, it had approved a plan to fix many of the security weaknesses then in place which was a reasonable business decision. Plaintiffs also made a claim of corporate waste which, with no particular transaction at issue, was merely a challenge to the board’s business judgment. Lastly, the plaintiffs claimed a violation of Section 14(a) of the Exchange Act because proxy statements at the time omitted any mention of the data security weaknesses of the company. The plaintiffs failed to show, however, that any specific statements in the proxy were misleading or false. For these reasons, the defendants’ motion to dismiss was granted.

The case is No. 1:15-CV-2999-TWT.

Attorneys: Corey Daniel Holzer (Holzer & Holzer, LLC) for Mary Lou Bennek. Cara Marie Peterman (Alston & Bird LLP) for F. Duane Ackerman and The Home Depot, Inc.

Companies: The Home Depot, Inc.

MainStory: TopStory CorporateGovernance CyberPrivacyFeed DirectorsOfficers FiduciaryDuties FormsFilings FraudManipulation PublicCompanyReportingDisclosure GeorgiaNews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Reading Securities Regulation Daily on tablet

Securities Regulation Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on securities regulation legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More