Home Depot Directors Beat Investors’ Data Breach Suit

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Michael Greene

Dec. 1 — Home Depot Inc. directors and officers Nov. 30 prevailed in a shareholder lawsuit alleging they disregarded their oversight duties in connection with a 2014 data breach that may cost the company billions of dollars ( In re Home Depot Inc. S’holder Derivative Litig. , N.D. Ga., No. 1:15-CV-2999-TWT, 11/30/16 ).

Shareholders in August 2015 filed a derivative action alleging the company had insufficient internal controls over its data security, allowing hackers to steal the financial information of 56 million customers.

The U.S. District Court for the Northern District of Georgia dismissed the claims, finding the shareholders failed to show the directors acted in bad faith. Because there was no bad faith, the shareholders couldn’t initiate their lawsuit under Delaware law—the state in which Home Depot is incorporated—without first asking the board to act, Judge Thomas W. Thrash said.

‘Reasonable, Not Perfect.’

The 2014 breach could cost the Atlanta-based home improvement retailer nearly $10 billion, according to the shareholders. The shareholders argued the board failed to designate anyone to oversee the company’s digital security when it disbanded an “Infrastructure Committee” in 2012.

The court disagreed, finding that the company’s audit committee was supervising the task even though the company never formally amended its internal documents to reflect this change.

The court also rejected the argument that the board didn’t immediately fix a number of alleged deficiencies in the company’s network security. The board approved a plan, to be fully implemented in early 2015, that would have fixed many of Home Depot’s security weaknesses, the court said.

“With the benefit of hindsight, one can safely say that the implementation of the plan was probably too slow, and that the plan probably would not have fixed all of the problems Home Depot had with its security,” Thrash said. However, the directors’ "decisions must be reasonable, not perfect.”

To contact the reporter on this story: Michael Greene in Washington at mGreene@bna.com

To contact the editor responsible for this story: Yin Wilczek at ywilczek@bna.com

For More Information

The opinion is available at //src.bna.com/kr4.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Corporate on Bloomberg Law