The Business Judgment in Cyber Security Decisions

By Karen Painter Randall

The United States District Court for the Northern District of Georgia was recently tasked with determining whether a shareholder derivative action against Home Depot, challenging the adequacy of the company’s cyber security strategy, should be dismissed. The action was filed on the heels of a 2014 data breach in which over 56 million customers’ personal information was stolen by unknown hackers. Prior to the hacking, Home Depot broke up the committee responsible for IT oversight, forming the basis for the shareholders’ actions.

The matter presented interesting questions regarding the interplay of the “business judgment rule” and data breaches. Under the business judgment rule, a business decision by the board of directors can only be challenged if the conduct was “so egregious” that the board’s actions could not have been an exercise of business judgment. In other words, the action of a board can only be challenged if there is no justification whatsoever for the action taken. Judge Thomas W. Thrash, Jr. therefore needed to determine whether the facts alleged by the shareholders in their complaint were sufficient to support a finding that Home Depot’s board had no valid business justification for disbanding the committee responsible for IT oversight, and for responding too slowly in remedying the data security technology.

Judge Thrash determined that the shareholders, in their complaint, basically made Home Depot’s argument for them. Specifically, the shareholders alleged that the board received regular briefings on the data security risk and that it approved some plan to address the risks. Therefore, although Home Depot broke up the committee, the board allegedly approved other plans intended to address the cyber risks and damages. Under the business judgment rule, there is no requirement for the board’s decision to be the best decision possible, or even that the decision is correct. Rather, all that is required is for the board to make an informed business decision. Accordingly, because the facts alleged were insufficient to support the causes of action alleged, the shareholders’ complaint was dismissed. 

What appears to be a favorable ruling for corporate entities may, however, be short lived. With the frequency in which data breaches occur increasing from year to year, the dismantling of a committee responsible for IT oversight may be considered egregious going forward. Accordingly, corporations would be wise to put little weight in the ruling. A corporation’s best defense against similar litigations is to take all reasonable steps to protect against known cyber security risks.