Printed from BusinessInsurance.com

Target case a cyber warning to corporate directors

Posted On: Jul. 18, 2016 12:00 AM CST

A U.S. federal judge's dismissal of a shareholder derivative lawsuit filed in connection with Target Corp.'s 2013 cyber breach is a warning to company directors to keep on top of cyber-related issues, says an expert.

Following the recommendation of a special litigation committee appointed by Target Corp.'s board of directors, U.S. District Judge Paul A. Magnuson in St. Paul, Minnesota, dismissed the litigation in Mary Davis et al. v. Gregg W. Steinhafel et al.

The plaintiffs retain the right, though, to seek legal fees and expenses from Target, while Target in turn retains the right to oppose that motion, according to the July 7 ruling.

According to court papers in the case, the two-man committee of independent members — a retired judge and a law professor — was appointed by Target's board of directors in June 2014 after litigation was filed by Target shareholders.

The committee investigated the breach over a 21-month period, conducting 73 interviews of 68 individuals, before concluding in a 91-page report submitted in March 2016 that it would not be in Target's best interests to pursue claims against the retailer's directors and officers.

Target's latest 10-Q report, filed with the U.S. Securities and Exchange Commission for the period ended April 30, 2016, said the company has so far incurred $291 million of cumulative expenses since the data breach, which was partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million.

This was the second such dismissal of a case. In October 2014, Judge Stanley Chesler of the U.S. District Court in Newark, New Jersey, dismissed similar litigation filed by shareholders of Wyndham Worldwide Corp. in connection with three cyber beaches that occurred at the hotel chain between April 2008 and January 2010.

Judge Chesler held in his ruling that Wyndham's board “had a firm grasp of plaintiff's demand when it determined that pursuing it was not in the corporation's best interest.”

The Federal Trade Commission settled a lawsuit against Wyndham in connection with the cyber breaches in 2015.

The Target ruling illustrates board members “should be well beyond thinking security is just an information technology issue,” said Craig A. Newman, a partner with Patterson, Belknap, Webb & Tyler L.L.P. in New York.

“Board members must have the ability to ask the right questions and, as importantly, assess the answers,” said Mr. Newman.

While they do not have to be experts in data security law, they must exercise oversight of data security, he said.

He added, “The risks are probably going to get more sophisticated and the challenges greater, and from a sitting board member's perspective, it is all about preparing, and making sure all the right questions are being asked and steps are taken at the top to insure that that data security is priority in the organization.”

Kevin M. McGinty, a member of Mintz, Levin, Cohn, Ferris & Popeo P.C. in Boston, said filing shareholder derivative litigation has become standard and is another way for plaintiff attorneys to “step onto the gravy train.”

The plaintiffs' failure in this case to have their case proceed, though, may “discourage derivative actions in future data breach cases,” Mr. McGinty said.