Checking in on Target’s Derivative Litigation: 18 Months Later, Directors Remain Stuck in the Checkout Line

Cybersecurity and Privacy   |   Securities Litigation and Enforcement   |   August 10, 2015

Everyone remembers the Target Corporation data breach, one of the worst in history. In late 2013, hackers forced their way into Target’s computer system, accessing the information of approximately 70 million customers, including approximately 40 million credit and debit card accounts. In the evolving cybercrime landscape, those concerned with preventing toxic publicity and minimizing litigation expenses should be mindful of Target’s breach and the litigation that followed.

In early 2014, Target’s shareholders filed four derivative complaints, later consolidated and now pending in the U.S. District Court for the District of Minnesota. They allege that Target’s board of directors and certain officers breached their fiduciary duties and wasted corporate assets by failing to prevent the breach and failing to properly respond to it.

Although the complaint alleges that a demand on the board would be futile because the conduct of the entire board is at issue, Target’s board had appointed a special litigation committee (SLC) in response to a demand from another shareholder not involved in the consolidated litigation. Accordingly, in June 2014, all parties stipulated to “a short stay” to allow the SLC to determine whether and to what extent Target should pursue the litigation. The investigation was anticipated to conclude by December 2014.

Seasoned businesspeople and litigants might be able to predict what happened next. December 2014 came and went, and the stay was extended: first to March 2015, and later to July. In its July 2015 status report, the SLC recounted it had, to date:

  • hired independent counsel;
  • hired expert consultants on corporate governance and technical matters;
  • met, with counsel present, 75 times and conducted almost 60 interviews; and
  • reviewed nearly 100,000 documents and acquired approximately 3,000 more. 

On top of those activities, the SLC anticipates substantial further investigation:

  • Director interviews are not anticipated to complete until late August 2015.
  • Subsequently, the SLC will interview officers and “may conduct additional interviews as well, depending on its analysis of the investigation at that time.”
  • Despite extensive document review, the SLC “continues to request and receive additional and supplemental documents and information from Target and others as issues arise.” 

Currently, the stay has been extended to November 1, 2015. But, if the trend continues, it may be extended even further before the SLC’s report surfaces. Moreover, even if the SLC ultimately concludes the suit is not in the company’s best interests and Target moves to dismiss on that basis, the court may disagree. In deciding whether to dismiss, courts typically look at the independence of the SLC’s members and the reasonableness of the investigation, and may additionally look at the reasonableness of the substantive conclusion itself.

Although we do not yet know the outcome of Target’s derivative litigation, some things are clear. First, Target has undoubtedly expended tremendous resources for the SLC, whose investigation is backward-looking only. Keep in mind, these expenditures became necessary without any judicial findings—a demand letter alleging lax procedures and an inadequate response was enough to trigger them. And all of these costs are on top of the resources spent on the consumer class actions and other fallout from the breach.

Second, companies can take actions before a breach to moderate the costs of any post-breach demand investigation. For example, a company must invest sufficient time and resources to protect itself from cyberattack, but management must also involve the board in the identification of cyber risk, the choices of how to apply finite resources, and the testing and auditing of cyber risk systems. Smart preparation involving the board can help not only to mitigate the risk and damages of a cyberattack, but also to protect the board members from a derivative lawsuit. Although for a company of Target’s size a cyberattack may ultimately be inevitable, the resulting damage and costs can usually be reduced by proactively devoting more attention and resources to risk analysis and involving the board early and often.

Instead, a year and a half has passed since shareholders filed suit, and Target is still wading through its investigation with no end in sight. Beyond the lessons of board engagement and investment in cybersecurity, Target’s protracted investigation provides a third lesson: it is imperative to document the company’s investment and discussions such that they are readily accessible and provable, further minimizing the costs of an investigation.

With cyberattacks on the rise, and given the publicity they inevitably generate, expect to see increased derivative litigation for companies behind the curve on cybersecurity. The smarter buy is to consult counsel and invest in preventative measures to avoid becoming a “Target” in the first place.

©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.