Judge Thomas W. Thrash Jr. of the U.S. District Court of Georgia permanently shelved a derivative suit brought by shareholders of Home Depot.

Home Depot is a multinational home improvement retailer. In September, 2014, Home Depot suffered a data breach that resulted in $192 million in net losses. This breach followed the widely publicized data breaches at several other major retailers and department stores.

Shareholder plaintiffs argued that defendants should have installed basic network security infrastructure to prevent the breach. Specifically, plaintiffs asserted that Home Depot failed to have a firewall, a properly maintained malware and antivirus software, and a policy to regularly test the network and delete cardholder data. This failure was allegedly a breach of Home Depot's duties of care and loyalty, a waste of corporate assets, and a violation of the Securities Exchange Act, according to plaintiffs.

Judge Thrash found that the suit did not have a leg to stand on. Federal Rule of Civil Procedure Rule 23.1 requires that, in a shareholder derivative case, the complaint explain with particularity the efforts made to obtain action by the board, or reasons for not making the effort. Judge Thrash explained that plaintiffs failed to make a demand on the board or demonstrate that demand would be futile as to the claims made.

Judge Thrash's opinion hammered home the "incredibly high hurdle" posed by the demand requirement under Delaware law. To overcome the requirement, Judge Thrash explained that plaintiffs must "show with particularity facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act." Judge Thrash noted that it was "not surprising" that plaintiffs failed to meet this burden.

In reaching his conclusion, Judge Thrash considered whether the demand requirement was met with respect to each substantive claim.

Regarding the duty of loyalty claim, Judge Thrash explained that it was not enough to merely allege Home Depot was too slow in implementing a security infrastructure plan because even if "one can safely say that the implementation of the plan was probably too slow," the "Directors' decisions must be reasonable, not perfect." Judge Thrash also rejected the position that disbanding the Infrastructure Committee—originally responsible for installing IT security—was a breach of the duty of loyalty. Judge Thrash explained that, because the Audit Committee became responsible for installing IT security, there was "no question that the Board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting existed."

Both the corporate waste and violation of the Securities and Exchange Act claims were dismissed for lack of structural (case) support to excuse demand. Judge Thrash wrote that because there was no "transaction" being challenged as wasteful, the waste claim was really a way to circumvent the business judgment rule and attack the board's discretion "to upgrade Home Depot's security at a leisurely pace." Finally, Judge Thrash found that plaintiff's had failed to meet the pleading requirements to state a claim for a violation of the Securities and Exchange Act.

Home Depot Data Breach Derivative Suit Sent Home

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.