Judge Tosses out Shareholder Suit Related to Home Depot Breach
Home Depot has scored a victory in the legal fight that followed the retail chain’s 2014 data breach. The retailer’s investors cannot sue its board of directors via a shareholder derivative suit, ruled a federal judge in Georgia, the home state of the chain.
The suit, filed in August 2015, comes from two shareholders—Mary Lou Bennek and Cora Frohman—who claimed that board members failed to initiate security measures that could have prevented the breach, during which 40 million consumers had payment card data stolen, as well as 52 million to 53 million who had their email addresses stolen (there was overlap between the groups). The shareholders criticized the oversight the board exercised over the chain, including the boards’ alleged failure to make sure appropriate security software and firewalls were installed.
U.S. District Judge Thomas W. Thrash, Jr. ruled that the shareholders could not demonstrate that the board “consciously failed to act in the face of a known duty to act,” which means members cannot be held liable. He said the law required the shareholders to have made a “pre-suit” demand to the board to take specific security measures, but that did not happen.
In September 2014, Home Depot announced its systems had been compromised when an intruder used a third-party vendor’s credentials to infiltrate its computer network and access the payment card data of customers who used Home Depot self-checkout terminals between April and September 2014. Since discovering the breach, the company has completed a “major payment security project,” including encrypting payment card data at the POS and rolling out new EMV chip card acceptance technology.
The breach cost the company a total of $261 million in pretax gross expenses, partially offset by $100 million in expected insurance proceeds, according to an SEC filing. Earlier this year, Home Depot agreed to pay nearly $20 million to victims of the company’s 2014 data breach, in a settlement that also required the retail giant to bolster its data security measures.