Judge tosses Target shareholder lawsuit on cyber breachReprints
Following the recommendation of a special litigation committee appointed by Target Corp.'s board of directors, a U.S. District Court judge has dismissed a shareholder derivative lawsuit filed in connection with the company's 2013 cyber breach.
Shareholder plaintiffs in the litigation filed in connection with the data breach, which affected as many as 110 million people, did not oppose the committee's motion to dismiss the litigation, according to the ruling issued July 7 by U.S. District Judge Paul A. Magnuson in St. Paul, Minnesota in Mary Davis et al. v. Gregg W. Steinhafel et al.
The plaintiffs retain the right, though, to seek legal fees and expenses from Target, while Target in turn retains the right to oppose that motion, according to the ruling.
According to court papers in the case, the two-man committee of independent members — a retired judge and a law professor — was appointed by Target's board of director in June 2014 after litigation was filed by six Target shareholders.
One of these lawsuits included a derivative demand that the company investigate and bring actions against the board members and the company's CEO, chief financial officer and chief information officer. The other shareholder lawsuits targeted the board members and officers in five derivative actions. The lawsuits were eventually consolidated.
The lawsuits claimed that Target's officers and directors had failed to properly provide for and oversee an information security program, and failed to give customers prompt and accurate information in disclosing the breach, which they said were the result of their “conscious disregard of their duties and constituted breach of their fiduciary duties to Target.”
The committee investigated the breach over a 21-month period, conducting 73 interviews of 68 individuals. In a 91-page report submitted on March 30, 2016, the committee concluded that it would not be in Target's best interests to pursue claims against the retailer's directors and officers.
The committee cited 39 factors it said it weighed in reaching its conclusion, including the financial expenditures required to litigate the claims and “contractual and legal issues” relating to Target's D&O insurance coverage for claims of breach of fiduciary duty arising out of the data breach.
According to market sources, Target had at least $100 million of cyber insurance, including self-insured retentions, and $65 million of D&O liability coverage.
Also cited were reports by New York-based independent auditor Ernst & Young L.L.P. that, before the breach, there had not been any significant deficiencies or material weakness in Target's information technology general controls, which included security-related IT general controls.
A Target spokesman could not immediately be reached for comment.
Target reached a $39.4 million settlement with banks over the data breach last year.
In addition, in March 2014, the company paid $10 million to settle class action litigation in connection with the breach.