Home Depot Data Breach Derivative Suit Dismissed
A U.S. District Court judge has dismissed a derivative suit that had been filed by shareholders of Home Depot.
Shareholder plaintiffs alleged Home Depot did not have proper network security in place. In their complaint, they claimed Home Depot should have had a firewall, properly maintained malware and antivirus software, and a company policy that required network testing and deleting cardholder data. The plaintiffs claimed this failure breached the company’s duties of care and loyalty, wasted corporate assets and violated the Securities Exchange Act.
Judge Thomas W. Thrash Jr. cited Federal Rule of Civil Procedure Rule 23.1 when he dismissed the case. Rule 23.1 requires shareholders in cases such as these to explain in their complaint what efforts were taken by the board to improve security or describe why the board did not make these efforts.
Thrash explained plaintiffs must “show with particularity facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act.” The judge said it was not enough to prove Home Depot was slow in implementing security procedures.
“Directors’ decisions must be reasonable, not perfect.”
The company settled a lawsuit with cardholders earlier this year that totaled $19.5 million.