Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims

Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims. As previously reported, that derivative action was dismissed on November 30, 2016. That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches. Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal. The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss. On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement. If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach.

The Stipulation of Settlement filed with the court specifies that Home Depot will agree to implement the following nine changes to its information governance practices (which are a checklist of best practices for any business):

  1. Document the duties and responsibilities of the Chief Information Security Officer (“CISO”);

  2. Periodically conduct Table Top “Cyber Exercises” to prepare for emergencies and train personnel to respond to data security threats;

  3. Monitor and periodically assess key indicators of compromise on computer network endpoints;

  4. Maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;

  5. Maintain an executive-level committee focused on the Company’s data security;

  6. Receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;

  7. Maintain an Incident Response Team and an Incident Response Plan;

  8. Maintain membership in at least one Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO); and

  9. Retain their own IT, data and security experts and consultants as they deem necessary.

It is unknown whether Home Depot had independently contemplated implementing any of these practices in the aftermath of the breach.

The proposed settlement assigns credit for the changes to the derivative action and, by making them part of a court-approved settlement, does allow for judicial enforcement in the event that Home Depot fails to comply with the remediation program.  More significantly, wrapping these practices into the derivative action settlement provides a justification for the shareholders’ counsel to request a fee award of $1,125,000.  Significantly, Home Depot continues to deny any wrongdoing, and the Settlement Agreement expressly states that it may not be construed as evidence or admission of fault, liability or wrongdoing.

The amount of the requested fee award, which is relatively modest by the standards of large-scale derivative litigation, suggests that this may have been a nuisance-value settlement of an appeal with slim prospects for success. Given the prior failures of derivative claims in data breach cases, it remains to be seen whether this settlement will encourage shareholders in future data breach cases to attempt to buck the odds by asserting derivative claims.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

2016 Year In Review: Corporate Governance Litigation and Regulation

2016 saw many notable developments in corporate governance litigation and related regulatory developments. In this article, we discuss significant judicial and regulatory developments in the following areas:

  • Mergers and Acquisitions (“M&A”): 2016 was a particularly significant year in M&A litigation.  In Delaware, courts issued important decisions that impose enhanced scrutiny on disclosure-only M&A settlements; confirm the application of the business judgment rule to mergers approved by a fully informed, disinterested, non-coerced shareholder vote; inform the proper composition of special litigation committees; define financial advisors’ liability for breaches of fiduciary duty by their clients; and offer additional guidance for calculating fair value in appraisal proceedings.

  • Controlling Shareholders: Delaware courts issued important decisions clarifying when a person with less than majority stock ownership qualifies as a controller, when a shareholder may bring a quasi-appraisal action in a controlling shareholder going-private merger, and when the business judgment rule applies to controlling shareholder transactions. In New York, the Court of Appeals followed Delaware’s guidance as to when the business judgment rule applies to a controlling shareholder squeeze-out merger.

  • Indemnification and Jurisdiction: Delaware courts issued decisions clarifying which employees qualify as officers for the purpose of indemnification and articulating an updated standard for exercising jurisdiction in Delaware over actions based on conduct undertaken by foreign corporations outside of the state.

  • Shareholder Activism and Proxy Access: Shareholder activists remained busy in 2016, including mounting successful campaigns to replace CEOs and board members at Chipotle and Hertz. Additionally, the SEC’s new interpretation of Rule 14a-8 has limited the ability of management to exclude a shareholder proposal from a proxy statement on the grounds that it conflicts with a management proposal.  Also, some companies have adopted “proxy rights” bylaws, which codify a shareholder’s right to directly nominate board members.

I.  M&A

A. Enhanced Scrutiny of Disclosure-Only Settlements

In January 2016, the Delaware Court of Chancery issued an important decision, In re Trulia, Inc. Stockholder Litigation,1 making clear the court’s renewed scrutiny of—and skepticism towards—so-called disclosure-only settlements of shareholder class actions. In Trulia, shareholders sought to block the merger of real estate websites Zillow and Trulia.  After litigation was commenced, the parties agreed to a settlement in which Trulia would make additional disclosures in proxy materials seeking shareholder approval of the transaction in exchange for a broad release of present and future claims by the class and fees for plaintiffs’ counsel.

Chancellor Bouchard rejected the proposed settlement and criticized disclosure-only settlements as generally unfair to shareholders.  Chancellor Bouchard noted that the Court of Chancery had previously expressed concerns regarding the incentives of plaintiff counsel to settle class action claims in which broad releases were granted in exchange “for a peppercorn and a fee”—i.e., for fees and immaterial disclosures that provided little benefit to shareholders.2  According to the Court, “these settlements rarely yield genuine benefits for stockholders and threaten the loss of potentially valuable claims that have not been investigated with vigor.”3

Continue reading at the National Law Review…