On November 30, 2016, The Home Depot, Inc. (Home Depot) got a victory in the shareholders’ derivative suit filed against it for its alleged failure to institute necessary controls to secure its data relating to its 2014 customer data breach. U.S. District Judge Thomas W. Thrash Jr. dismissed all claims against Home Depot: breach of duties of care and loyalty, wasted corporate assets, violations of the Security Exchange Act, and failure to fulfill security standards such as maintaining a firewall, protections against malware, updates to its anti-virus software, and regulatory testing its data security systems.
The data breach compromised financial information of over 56 million Home Depot customers, which led to nearly $10 billion in exposure for Home Depot as a result of this breach. Despite this financial setback, Judge Thrash ruled that shareholders, Mary Lou Bennek and Cora Frohman cannot pursue their suit against current and former Home Depot officers because they could not show beyond a reasonable doubt that the board was actually liable by “consciously fail[ing] to act in the face of a known duty to act.” Judge Thrash said, “This is an incredibly high hurdle for the plaintiffs to overcome, and it is not surprising that they fail to do so.” “In other words, as long as the outside directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty… the board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one,” but was protected by the business judgment rule. Lastly, Judge Thrash said, “the plaintiffs have failed to specify which statements in the 2014 and 2015 proxy statement [required by the Securities Exchange Act] were rendered misleading or false by the omissions, have failed to show the materiality of the Audit Committee omission, and have failed to show causation.”