Directors Sued for Cyber Breach

targeted businessman

After disclosure of a recent cyber breach, the company’s board of directors was sued by shareholders in two separate legal actions–derivative lawsuits to be precise.


table-a tableb table-c table-d


In the world of D&O litigation, shareholder derivative suits occupy a very special niche. One key reason why for this is true is that resulting settlements and/or court awards are generally understood to be non-indemnifiable. This means that the individual defendants, the directors and officers, cannot be held harmless by the company but instead would have to pay these amounts out of their own pockets—n the absence of insurance. D&O insurance, to be specific.

This raises the question of just what the recent derivative suits alleged and what they sought.

They Did Us Wrong

Allegations included charges that:

Derivative Suits

A lawsuit, usually by a shareholder of a corporation, brought under State law on behalf of the corporation, to enforce or defend a legal right or claim of the corporation. Made against both individual directors or officers and the company itself, the stated goal of a derivative suit is to put the company back in the position that it would have been in but for the breach of duty by the executives. The corporation is therefore both a defendant and the nominal plaintiff, while the relief which is granted goes to the corporation itself.

Typical allegations include the failure to properly manage or supervise the company and/or conflicts of interest. In the world of D&O liability and insurance, these suits have special significance as settlements and court awards of derivative claims are generally understood to be non-indemnifiable…

The Willis D&O Dictionary

  • The individual board members knew or should have known that the company’s customers were vulnerable to attack and yet failed to implement appropriate security measures [count 56].
  • The individual defendants knew or should have known that the company’s less-than-industry-standard security systems and unreasonably vulnerable technologies would render its customers an aim of attacks by third-parties. The individual defendants, however, failed to take corrective measures to update its systems and technologies [count 59].
  • Officer defendants specifically breached their duty of loyalty by knowingly, recklessly, or with gross negligence failed to implement a system of internal controls to protect customers’ personal and financial information; and for causing or allowing the company to conceal the full scope of the data breach, which ultimately affected at least 70 million customers [count 75].

Let Me Count the Ways…

As a result of these alleged breaches of duty to the organization, the plaintiffs are seeking:

Lost Earnings

The impact of the breach on the company’s bottom line including the “weaker-than-expected sales since the announcement,” [which the plaintiffs contend has lead the company to cut its fourth quarter 2013 adjusted earnings per share (“EPS”) of $1.20 to $1.30, compared to previous guidance of $1.50 to $1.60] [count 60] along with the lost net profit resulting from the firm’s 10% discount offered to U.S. shoppers during the last weekend before Christmas to lure customers [count 61].

Increased Expenses

“Significant sums of money” which has been and will be spent, including but not limited to

  • the costs incurred in defending and settling the consumer class actions filed brought against the Company
  • the costs incurred in assisting and responding to the Secret Service and DOJ investigations into the data breach, including any potential fines that may result
  • the costs resulting from the firm’s own internal investigation into the breach, including, but not limited to, expense for legal, investigative, and consulting fees
  • remediation expenses and capital investments
  • the cost of notifying customers, replacing cards, sorting improper from legitimate charges and reimbursing customers for improper charges
  • the cost providing free credit monitoring to victims of the data breach
  • the compensation and benefits paid to the board members who breached their duties to the firm [count 61]
  • the cost related to instituting chip-based credit cards that will enhance security (from the second suit’s Damages to the Company, 97.)i

Injunctive Relief

Related Publications

If you found this of interest, you may also like:

Order the company to take all necessary actions to reform and improve its corporate governance and internal procedures to comply with applicable laws and to protect the company and its shareholders from a repeat of the these events, including, but not limited to, putting forward for shareholder vote, resolutions for amendments to the company’s by-Laws or articles of incorporation to strengthen corporate controls and disclosure protocols. [Prayer for Relief B]

Plaintiffs’ Legal Fees

[Prayer for Relief C]

Other Equitable Relief

Any other equitable relief as the court may deem just and proper [Prayer for Relief D].

Summing up its demand, the second derivative suit alleged that the company “has sustained significant damages that will likely exceed hundreds of millions of dollars.”ii

Know Your Enemy

Both law firms bringing suit have experience in bringing derivative actions, resulting in settlement dollars or court awards.

Fortunately, derivative suits are covered under directors & officers liability insurance policies, both the traditional forms and the newer A-Side only policies covering non-indemnifiable claims only. While an A-Side policy would probably not cover related defense expenses, they would cover any resulting settlement or court award.

Cyber liability is continuing to evolve rapidly and this expansion into D&O exposure is one that can be expected to continue, especially with the U.S. Securities and Exchange Commission’s recent advice on cyber exposure disclosures.


i Maureen Collier, Derivatively on Behalf of Target Corporation, filed January 29, 2014 in the United States District Court for The District Of Minnesota

ii Maureen Collier, Derivatively on Behalf of Target Corporation, filed January 29, 2014 in the United States District Court for The District Of Minnesota, Page 42

About Ann Longmore

Ann is Executive Vice President of Willis' Executive Risks practice. Based in New York, she has been with the compa…
Categories: Cyber Risk, Directors & Officers

Leave a Reply

Your email address will not be published. Required fields are marked *