The December 2013 data security breach on Target’s network, including its point-of-sale systems, was one of the worst on record—affecting up to 70 million customers and approximately 40 million credit and debit card accounts. A number of consumer, bank and shareholder lawsuits were filed, including derivative suits on behalf of the company, later consolidated. Shareholders alleged that Target’s board and particular officers had breached their fiduciary duties to shareholders both before and after the breach: by exercising inadequate internal controls over the company’s cybersecurity policies, hiding the full extent of the breach, and committing waste in failing to stop the breach and manage it appropriately. They sought improved corporate governance structures and a variety of monetary damages.
Thereafter, Target’s board empowered a Special Litigation Committee pursuant to Minnesota law (the company is headquartered in Minneapolis) to investigate the derivative claims. The case was briefly stayed during the committee’s 21-month investigation. The result is a 91-page report published in March (apparently not public) recommending that the company refrain from pursuing derivative action, as it would not be in the company’s best interests.
Based on the report, the committee moved to dismiss the shareholder actions and Target’s officers and directors did the same. This week a judge for the U.S. District Court for the District of Minnesota granted the motions (subject to a 30 day waiting period during which shareholders may intervene to oppose the dismissal). Despite the positive outcome for Target, the case is a good reminder of the full aftermath companies can expect following a data breach, including litigation related to directors’ and officers’ liability, and what they can and should be doing to best prepare themselves.