“Directors’ Decisions Must Be Reasonable, not Perfect” Home Depot’s Shareholder Derivative Litigation Arising from Data Breach Dismissed; Demand Was Not Excused Under Delaware Law
On November 30, 2016, a federal district court dismissed a shareholder derivative complaint against various current and former directors of Home Depot arising from the well-publicized data breach the company suffered between April and September 2014. In re The Home Depot, Inc. Shareholder Derivative Litigation, Civil Action No. 15-CV-2999-TWT (N.D. Ga. Nov. 30, 2016). The complaint asserted claims against the directors for breach of the fiduciary duty of loyalty and corporate waste under state law, and a federal law securities claim under Section 14(a) of the Securities Exchange Act. The decision illustrates important principles of corporate law reflected in Rule 23.1 (under both state and federal law), governing when a plaintiff can bypass the board of directors to assert a derivative claim for injury to the company on the company’s behalf, rather than deferring to the board’s judgment about asserting such a claim, and how these principles may affect litigation arising out of data breaches and alleged failures of director oversight.
In fall 2014, Home Depot learned that it was the victim of hackers and malware and a criminal breach of its payment card data systems during the spring and summer of that year. Derivative litigation against the company’s directors and officers ensued in which the plaintiffs alleged that the fiduciaries failed to adequately oversee the company by not instituting internal controls sufficient to identify the risks that Home Depot may have faced in the event of a data breach. In support, the plaintiffs cited the company’s disbandment of its “Infrastructure Committee” in 2012, which had been charged with oversight of the company’s IT and data security. The plaintiffs also asserted that the company had indicated, in its 2012 proxy statement, that oversight of the company’s IT and data security functions had been given to the Audit Committee, although the Audit Committee’s charter was never amended to reflect that change. Finally, the plaintiffs also noted that the company had admitted, prior to the data breach, that it was out of compliance with strict payment system (PCI-DSS) requirements governing cardholder payments on multiple levels and likely would be out of compliance until early 2015.
Defendants moved to dismiss the complaint, arguing that the plaintiffs were required to make a formal demand on the board to take action on their claims, and that the plaintiffs were not excused from making demand based on their allegations under Delaware law.
The Court Applies Delaware Law to Find Demand Was Not Excused
Applying the internal affairs doctrine, the Court looked to the substantive law of Delaware, where Home Depot is incorporated. The Court observed Delaware’s demand requirement and that no demand was made in this case. Thus, to avoid dismissal, the plaintiffs must have alleged sufficient particularized facts to show that they were excused from making demand—i.e., that demand was futile—under the circumstances.
Where, as here, the allegations concerned director inaction, “demand futility is authorized only where ‘particularized factual allegations of [the] derivative stockholder complaint create a reasonable doubt that, as of the time the complaint is filed, the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand.’” Rales v. Blasband, 634 A.2d 927, 934 (Del. 1993) (emphasis in original). Here, plaintiffs pursued an argument of director interest, which may be shown by establishing the claims that the directors would be asked to consider pose a substantial likelihood of personal liability for those same directors. But merely being named as a defendant does not suffice. Rather, Delaware law requires the plaintiffs show conduct by the directors asked to consider the demand that is “so egregious on its face that board approval cannot meet the test of business judgment, and a substantial likelihood of liability therefore exists.” Aronson v. Lewis, 473 A.2d 805, 815(Del. 1984).
The Court applied the demand futility test to find that demand on the Board was not excused and thus dismissal was warranted. First, the Court addressed the plaintiff’s duty of loyalty claim for a failure of oversight under Delaware law. The standard for pleading a failure of oversight is stringent, and requires scienter. Plaintiffs must show that the directors either “‘knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act.’” In re Citigroup Inc. Shareholder Derivative Litigation, 964 A.2d 106, 123 (Del. Ch. 2009).
The Court found that the plaintiffs could not meet the “incredibly high hurdle” for pleading demand futility based on oversight claims. Op. at 15 of 30. In short, the plaintiffs’ allegations did not establish a complete and utter failure to act by the directors. Whether or not the Audit Committee had the technical authority to oversee IT and data security under the Committee’s charter, the Court discerned that both the Committee and the Board thought the Committee had the authority based on the plaintiffs’ own allegations that the Committee received reports and engaged in briefings to the full Board on the subject. At bottom, the plaintiffs’ acknowledgment that the company had a plan and was implementing a plan to address data security before the breach showed that the Board was fulfilling its duty of loyalty. It is not enough that the plan was unsuccessful or imperfect. Accordingly, demand was not excused for the duty of loyalty claims.
Second, for the allegations of corporate waste, the Court noted that under Delaware law, corporate waste required an exchange so one-sided that no reasonable business person of ordinary, sound judgment, could conclude that the corporation received adequate consideration. Reasoning that there was no “transaction” here, the Court determined that the plaintiffs were really just challenging the board’s exercise of its business judgment. The Court found, however, that the Board’s decision to address data security at a leisurely pace, while “unfortunate,” fell squarely within the Board’s discretion and is protected from judicial second-guessing under the business judgment rule. Op. at 20 of 30. As with duty of loyalty, the Court held that demand was not excused for the corporate waste claims.
Finally, regarding the alleged securities act violations – issuance of 2014 and 2015 proxy statements with alleged insufficient information – the Court found such claims also first required demand on the Board. The Court, however, found that the plaintiffs did not point to specific statements in the proxies that were false or misleading. Moreover, the Court found that even if there were problems with the proxy statements, there could be no causation that would have prevented the harm from the breach. The Court noted that, at the time the proxy statements were issued, the breach was already happening. “The election of directors based on the 2014 Proxy Statement did not cause the harm alleged; rather, the insufficient urgency of the Board to correct the holes in Home Depot’s security did.” Op. at 29 of 30.
This case – and one released from the Delaware Court of Chancery in October, 2016, Reiter v. Fairbank, C.A. No. 11693-CB (Oct. 18, 2016) – continue to highlight the substantial protections afforded directors under Delaware law. When boards of directors take reasonable steps to become informed about company measures to protect data security – even when such measures may, with hindsight, turn out to be insufficient – otherwise disinterested directors generally will not be subjected to personal liability.Share