In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach. The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors. The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims. The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors. The SLC then moved to dismiss, as did Target and the defendant officers and directors. Plaintiffs declined to oppose and the court’s order followed. The SLC’s decision to seek dismissal was unsurprising. Although it was equipped with broad investigative powers, the SLC had a relatively narrow legal mandate. Corporate law protects officers and directors from lawsuits second-guessing their exercise of judgment in the performance of their corporate responsibilities absent self-interested conduct – which was not alleged here – or such extreme dereliction of responsibilities as to constitute a breach of their fiduciary duty of care. This legal principle – known as the business judgment rule – sets a high bar for derivative claims to clear before a lawsuit can go forward. The SLC conducted an extensive two-year investigation into the data breach to evaluate whether the defendants’ conduct ran afoul of that standard of care, reviewing thousands of documents and conducting 68 witness interviews. The SLC also met with and received information from counsel for the shareholders and for Target. The investigation yielded a 91-page report detailing the extensive data security processes in place before the breach and the post-breach efforts to improve those processes. Weighing its findings of fact against the highly deferential standard of care applicable to corporate fiduciaries, the SLC concluded that it was not in the interest of Target to pursue claims against the officers and directors.
The order of dismissal obligates Target to file a Form 8-K report with the SEC disclosing the dismissal of the lawsuit. The dismissal is without prejudice to the right of any other Target shareholder to file a new derivative claim within thirty days of the filing of the Form 8-K. However, given the detail and extent of the SLC investigation, it is unlikely that any new shareholder would be tempted to try to fashion a new set of claims against the officers and directors.
A salient question is whether the derivative claims should ever have been brought in the first place. There is no dispute that the consequences of the data breach have been serious. Target’s latest Form 10-Q reports that the company has incurred $291 million of cumulative expenses resulting from the data breach, which have been partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million. But the mere fact that a corporate mishap proves to be costly is not evidence of a breach of fiduciary duty. And, ironically, a non-trivial part of those expenses is the substantial cost associated with the SLC investigation. Target incurred the cost of that massive SLC investigation as a direct result of the shareholder plaintiffs’ decision to bring derivative mismanagement claims in the face of the business judgment rule. Or, put another way, by commencing a derivative action with small prospect of success, the shareholders arguably inflicted additional harm on the corporation that that the lawsuit purported to benefit.
This result exemplifies the adverse consequences of the “shoot first, ask questions later” mentality that typifies the lawyer-driven race to the courthouse after a data breach. It is possible that some data breaches could result from severe dereliction of corporate duty, such that a derivative claim for breach of the duty of care might have merit. But it will rarely be possible to know that in the immediate aftermath of the breach, when plaintiffs’ lawyers are jockeying for first-to-file status in hopes of snagging coveted lead counsel roles in the ensuing litigation. The rare cases where a corporation might want to consider action against its officers and directors would only reasonably be determined long after the breach has occurred. In the vast majority of data breach cases, the routine filing of derivative actions shortly after a breach has occurred can only exacerbate the harms that the lawsuits supposedly aim to vindicate.
And here, there may be more harms yet to come. Despite assenting to the SLC’s motion to dismiss their claims, the derivative plaintiffs have reserved the right to seek payment of their attorneys’ fees by Target. It remains to be seen whether the derivative plaintiffs will in fact file such a motion and thereby, at a minimum, impose on Target the further cost of opposing that fee request. If nothing else, a parting demand for payment of attorneys’ fees would leave little doubt about who the derivative action was truly meant to benefit.