Page 20 - Delaware Lawyer - Spring 2020

FEATURE
that other personal information of approximately 70 million customers had been compromised as well.53 According to the company’s Form 10-Q for the quarterly period ending April 30, 2016, Target had “incurred $291 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million.”54 In connection with the incident, Target settled a consumer class action for $10 million.55 Target also settled with 47 states and the District of Columbia for $18.5 million for various claims that could have been brought under state laws, putting an end to the multi-state investigation of the incident and Target’s response.56 At the time, this multistate settlement was the largest ever for a data breach.57 Target also settled class-action claims with thousands of financial institutions.58
Target shareholders filed five derivative actions that were later consolidated, calling on the board to take action. In response to the demand, Target created a Special Litigation Committee (SLC) “to investigate all of the shareholders’ claims, determine whether it made sense for Target to pursue the allegations and respond to the litigation on behalf of the board.”59 The SLC conducted an investigation over a period of 21 months, searching databases, interviewing 68 witnesses, receiving information from independent experts and applying the law.60 On March 30, 2016, the SLC issued a 91-page report.61 In reviewing Target’s pre-breach information security program, the SLC stated that after having formed the Target Information Protection Program (TIP) in late 2007, Target issued its first Information Protection Program Charter in 2008.62
The company’s TIP-related activity was extensive. The company established roles in information security, implemented security policies and standards, and developed a proactive program to address security at all levels of Target’s corporate structure.63 The TIP was led by a “senior director-level manager” who was tasked with managing data security and compliance and held the “roles of Chief Privacy Officer and HIPAA Security/Privacy Officer.”64 Before the breach, the TIP also had vendor assessment and management teams, a cross-functional risk review committee, and an intake team to address general security issues.
Target also had a Target Technology Services Program (TTS) that was responsible for running Target’s computer system, with a “standing cybersecurity team that reported to the CIO through both a senior director and a vice president.”65 In 2008, Target created a Security Operations Center, responsible for “around-the-clock management” of Target’s network.66 Investigations were handled by Target’s data security program and its cyber intelligence team.67 Moreover, Target trained its employees on its data security requirements on an annual basis, conducted a number of tests to “verify the integrity of its technical systems,” and had a number of other safeguards in place to protect its hardware.68 After the incident, Target made additional changes to its information security program, including technical enhancements, administrative and structural changes, personnel changes, and reporting and oversight changes.69
Despite these cybersecurity precautions, Target was unable to stop a breach from occurring — something most security experts increasingly view as inevitable.70 As we know, a third-party HVAC vendor failed to follow industry standards while it accessed Target’s network and ignored countless data-protection software warnings.71 However, after reviewing the circumstances and Target’s pre- and post-breach cybersecurity programs, the SLC ultimately decided not to pursue an action given that it was not in the company’s best interest.72 Defendants moved to dismiss, and the shareholders stipulated to the dismissal of their claims.

3. Home Depot
In 2014, Home Depot experienced a data breach compromising the credit card numbers of 56 million customers, causing roughly $10 billion worth of damages.73 Specifically, “[t]he hackers used a third-party vendor’s user name and password to enter into Home Depot’s network.”74 The shareholder derivative complaint alleged, in relevant part, that Home Depot’s board “breached their duty of loyalty to Home Depot because [they] failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach and because they disbanded a Board of Directors committee that was supposed to have oversight of those risks.”75 However, the shareholders did not make a demand on the board before lodging their complaint. Applying Delaware law, the Georgia district court dismissed the claim holding that the demand was not futile. The court further explained that in order for a demand to be futile under Delaware law, the plaintiffs must show that the directors’ conduct was “so egregious on its face that board approval cannot meet the test of business judgment, and a substantial likelihood of director liability therefore exists.”76
In discussing the duty-of-loyalty claims, the court recognized the “incredibly high hurdle” the plaintiffs had to overcome, explaining that “the Plaintiffs essentially need to show with particularized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act.”77
Here, the complaint argued that “when the Board disbanded the Infrastructure Committee, it failed to amend the Audit Committee’s charter to reflect the new responsibilities for data security that had been transferred from the Infrastructure Committee, as required by the Company’s Corporate Governance Guidelines.”78 In short, the board had failed to give anyone the responsibility to monitor data security. The court found this argument to be “much too formal.”79 Next, “the Plaintiffs repeatedly acknowledged that there was a plan, but that in the Plaintiffs’ opinion it moved too slowly.”80 However, the court found that under Delaware law, “as long as the Outside Directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty.”81 Ultimately, “the Court [held] that the Plaintiffs have failed to show beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the