The hurdles for claims against directors for failed oversight in connection with data breaches continue to increase. On July 7, 2016, District of Minnesota Judge Paul Magnuson released derivative claims against top Target executives, ruling that it was not in the best interest of the company to pursue claims against the individual defendants. The claims stemmed from the much-publicized 2013 holiday season Target breach where hackers stole personal data from millions of consumers. Plaintiffs sued the Target directors, alleging that the company “failed to take reasonable steps to maintain its customers’ personal and financial information” and failed “to implement any internal controls at Target designed to detect and prevent such a data breach.” The shareholders’ complaints were consolidated in Minnesota federal court in April 2014.
A special litigation committee—including former Minnesota Supreme Court Chief Justice Kathleen Blatz and University of Minnesota law professor John Matheson, neither of whom were on the board at the time of the breach—undertook a 21-month investigation to pursue whether Target executives did enough to prevent the cyberattack and whether they should be held individually liable for disseminating inaccurate information to consumers after the attack. The committee issued a 91-page report finding that Target should not pursue the claims against the officers and directors, and argued that, under Minnesota law, the court should defer to the committee’s determination. Motions to dismiss from the committee and the individual defendants followed and were granted two months later.