In a surprise move late last week, Home Depot agreed to settle a shareholders' derivative suit filed against current and former members of the Board of Directors, the Chief Executive Officer, and the Chief Information Officer (CIO) following a massive data breach that occurred in 2014.

The shareholders allege that former and current board members breached their duty of loyalty to the company by failing to prevent the data breach or to remedy it after it occurred. The breach cost Home Depot $152 million with a total cost exposure predicted at $10 billion.

The settlement requires documenting the responsibilities of the CIO, maintaining an executive committee on data security, and providing transparency around the budget for cybersecurity measures in the organization.

Of course, in addition to these practices, the proposed settlement provides for the lawyers to receive up to $1.125 million in fees.

The settlement is surprising since the case was initially dismissed by a lower federal court because the shareholders were unable to show at the initial stage that the board members “failed to act in the face of a known duty to act.”

The shareholders appealed to the Eleventh Circuit, and briefings were due shortly.

This is the only case we know of where the Board has settled a shareholders' derivative suit following a data breach. The best-known case is that of Wyndham Worldwide, which was successful in thwarting the case filed against its board.

Target was also sued by investors following its massive data breach, but that case was dismissed last summer.

This is a disappointing precedent in the data breach context.