By: John Goselin and Mike Wolak
With the recent filing of a shareholder derivative action against several directors and officers of The Home Depot following the company’s severe data breach in 2014, questions concerning the adequacy of board oversight over cybersecurity risks will be at the forefront of derivative claims, which are expected to increase in frequency following data breaches at publicly traded companies. Indeed, with cyber-attacks growing in number and strength, directors and officers must incorporate cybersecurity management into their risk oversight functions to ensure they are adequately discharging their fiduciary duties to the corporation and its shareholders.
The derivative complaint, filed in federal court in Atlanta in August 2015, alleges that eleven current and former directors and officers of The Home Depot breached their fiduciary duties of loyalty and good faith by failing to adequately oversee the company’s cybersecurity functions and ensure that information concerning more than 50 million customers was protected. The complaint alleges, among other examples, failure to ensure the use of sufficient firewalls and antivirus software, failure to ensure that network access was monitored, and failure to ensure that customer information was encrypted. The complaint claims the data breach damaged the company by exposing it to massive consumer litigation, regulatory investigations, and millions of dollars in related fees and costs.
While state corporation law, such as Delaware’s, which governs the Home Depot litigation, is careful not to permit shareholders to use the duty of oversight to second-guess every well-informed business decision adopted by the board of directors, inadequate oversight over corporate risk can serve as a basis for individual board member liability where (i) the directors consciously failed to implement any reporting or information system or controls; or (ii) the directors, having implemented such a system or controls, consciously failed to oversee its operations and thus failed to be informed of risks. The seminal Delaware case defining the scope of the board’s duty of oversight is In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
The Home Depot litigation, like the derivative lawsuit filed by shareholders following the Target data breach, is premised on the “inadequate oversight” theory of liability first articulated in Caremark. Experts expect this trend to continue as derivative actions become more common following data breaches. In the wake of this trend, boards must proactively manage cybersecurity risks by implementing and adequately documenting procedures to prevent and prepare for data breaches. With this in mind, companies should consider the following:
With public companies facing a growing threat of cyber-attacks and resulting data breaches, directors and officers will be exposed to an increasing number of claims by shareholders alleging that the board failed to adequately oversee its cybersecurity functions. It is thus critical that boards minimize their liability exposure by incorporating cybersecurity management into their oversight functions and document all aspects of cybersecurity oversight to help ensure that they properly discharge their fiduciary duties.