Shareholder Sues Home Depot For Records on Massive Data Breach

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Yin Wilczek

June 16 — A shareholder has sued Home Depot Inc. for access to records behind the company's data breach that compromised the payment card information of up to 56 million customers.

Home Depot confirmed in September that its payment data systems had been breached. Hackers stole the credit and debit card information of 56 million customers as well as 53 million customer e-mail addresses.

In a complaint filed June 15 in the Delaware Chancery Court, Cora Frohman alleged that the records she sought would show whether Home Depot's officers and directors breached their fiduciary duties and/or took appropriate action in connection with the breach.

Breached Fiduciary Duties?

“Despite knowledge that such breaches were occurring throughout the retail industry, Home Depot failed to properly protect the sensitive card information from what is now a widely known preventable method of cyber-attack,” Frohman alleged. “There is a credible basis to believe that officers and directors of Home Depot were aware of the risks that the Company faced from a cyber-attack but in breach of their fiduciary duties the Board has failed in its responsibilities to implement systems and internal controls to properly protect the Company from this threat.”

Home Depot spokesman Stephen Holmes told Bloomberg BNA in an e-mail that the company has been “cooperating with and responding to shareholder requests” and will continue to do so moving forward.

“We look forward to resolving the matter,” Holmes said.

The parties stipulated that Home Depot will respond to the complaint by June 23.

The Home Depot incident is one of the largest known attacks on a major retailer. Among other massive incidents, TJX Cos., the parent company of T.J. Maxx, reported a breach in 2007 involving 90 million records.

Facing Class Actions 

According to its latest Form 10-Q, Home Depot faces at least 57 class actions in the U.S. and Canada filed by customers, banks, shareholders and others. The U.S. class actions have been consolidated for pre-trial proceedings in the U.S. District Court for the Northern District of Georgia, the filing states.

Frohman's lawsuit was filed under Section 220 of the Delaware General Corporation Law, which allows a shareholder to inspect a company's books and records for “any proper purpose.”

According to Frohman's complaint, in response to her request for records, Home Depot turned over “510 pages” of information in May that was “incomplete, inconsistent, duplicative” and heavily redacted.

Among other documents, Frohman seeks all board material relating to:

• how the company was first notified of the breach and what steps it took after the notification;

• any discussion or analysis regarding how hackers breached its payment data security systems;

• the cost of the company's payment data security system that was in place in April 2014; and

• any discussion or analysis regarding 2013 and 2014 cyber incidents at other major retailers, and whether Home Depot was doing enough to protect customers from similar breaches.


To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at

The complaint is available at

The 10-Q filing is available at

Request Corporate on Bloomberg Law