Shareholder Derivative Suit Following Data Breach Misses Target

On July 7, 2016, Judge Paul A. Magnuson of the United States District Court for the District of Minnesota granted Defendants’ Motions to Dismiss a shareholder class action that had been initiated following a 2013 holiday season data breach involving customers of Target Corporation (“Target,” or “the Company”).  The data breach, which resulted in the release of information of approximately 70 million consumer credit and debit cards, made headlines as one of the biggest privacy hacks at the time.  The breach was initially disclosed to the public in December 2013, with an estimated 40 million credit and debit cards affected.  A little less than a month later, Target revealed that additional consumer data, including customers’ names, mailing addresses, phone numbers and email addresses, had also been stolen, and increased its initial estimate to 110 million.

Following the announcement and extensive coverage in the media, multiple private litigants initiated shareholder derivative actions against 14 individual defendants on Target’s board and executive management alleging that the Company’s officers and directors (1) failed to properly provide for and oversee an information security program; and (2) failed to give customers prompt and accurate information in disclosing the breach.  Based on these allegations, plaintiffs asserted claims for breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control.

After the commencement of litigation, the Target Board formed a Special Litigation Committee (“SLC”) to investigate the shareholders’ allegations, and the suit was stayed pending the conclusion of the investigation.  Over the span of nearly 2 years, the SLC sought to determine whether it was appropriate for Target to pursue plaintiffs’ claims and to respond to the litigation on behalf of the Board and the Company.  Following an intensive review that involved interviewing witnesses, searching databases and reviewing thousands of documents, the SLC concluded in a 91-page March 2016 report that the Company should not pursue the claims, and instead moved to dismiss the action in May 2016.

As the SLC explained in its motion to dismiss, under Minnesota law, courts defer to a corporation’s special litigation committee’s decision to dismiss a derivative action if they determine that (1) the members of the SLC were disinterested and independent; and (2) the SLC conducted a good faith investigation.  The SLC demonstrated in its papers that its members were highly qualified, independent and disinterested.  Moreover, the SLC described its robust and comprehensive investigative procedures, which included retaining independent counsel (who had never represented the Company before) and experts, interviewing 68 witnesses, reviewing and analyzing thousands of documents, meeting frequently and considering myriad factors regarding Target’s best interests in deciding whether or not to pursue the claims against the individuals for the data breach.

By order dated July 7, 2016, the court granted the SLC’s motion to dismiss, and plaintiffs did not oppose motions to dismiss filed by the individual defendants.  The Target case is significant in that it highlights the substantial risks that individual directors and officers, and not only the companies for which they work, face in connection with data breaches, and the importance of oversight over a robust information security system.