In our November 15, 2016, blog post, “Cybersecurity liability: Delaware has good news for directors,” we discussed an influential case that, while not directly dealing with cybersecurity, outlined the duty of oversight that directors of public and private Delaware corporations owe with regard to legal compliance risks like cybersecurity.
Just two weeks later, a federal court issued an order that made the connection crystal clear. And while in this instance the court sided with the directors, it makes our key takeaways from that previous post all the more prescient.
In In re The Home Depot, Inc. Shareholder Derivative Litigation, No. 1:15-CV-2999-TWT, the U.S. District Court for the Northern District of Georgia addressed claims that Home Depot’s directors failed to exercise proper oversight of the company’s network security, which ultimately led to a massive hack involving the financial information of 56 million Home Depot customers. By order dated November 30, 2016, the court dismissed the plaintiff stockholders’ claims.
By way of background, Home Depot’s board committees were informed prior to the breach that the company was out of compliance with certain standards of protection for data security. Although a plan was in place to bring the company into compliance, at the time of the breach Home Depot’s security systems were “desperately out of date” according to its CEO. Plaintiffs acknowledged that a remediation plan existed, but asserted that the directors moved too slowly to implement it. In essence, the plaintiffs alleged that the board’s plan was not good enough to protect the company.
The court reasoned that the board’s decisions only need to be “reasonable, not perfect.” Acknowledging that more could have been done by the directors, the court concluded that the plaintiffs insufficiently plead bad faith by alleging that the board incorrectly exercised its business judgement and made the “wrong” decision in response to red flags about the company’s deficient data security systems. Citing Delaware case law, the Home Depot court reasoned that to prove bad faith, plaintiffs would have to show that the board took no steps to prevent or remedy the situation and “knowingly and completely failed to undertake their responsibilities.” Here, the Home Depot directors exercised business judgment, even if the resulting actions by the company did not prevent the data breach.
The Reiter v Fairbank decision we covered in our November 15 post dealt with the board’s implementation of procedures around money laundering regulation. The Home Depot case brings the same fiduciary duty analysis to the cybersecurity realm. And the same lessons apply: directors must pay attention to their corporation’s compliance with the legal framework for data security, and they should document those efforts. But this recent case also emphasizes that directors do have latitude to exercise business judgment to tailor a solution to their corporation’s business and available resources. The fact that a hack is successful does not necessarily indicate that directors breached a duty.
Matt Hafter advises clients on a wide range of business and corporate issues, including corporate governance and cybersecurity. Melissa Ventrone is the chair of Thompson Coburn’s Cybersecurity practice.