This post discusses new lessons from data breach shareholder derivative litigation including the actions against Target, and in particular allegations that the defendants breached internal control and risk management processes in the retail business. You can also see the text version of this discussion posted below the following video.

The January 29, 2014, complaint against Target for example is against Target, the CEO, CFO, CIO, Directors, and Audit and Corporate Responsibility Committee members for alleged breach of fiduciary duty, gross mismanagement, waste of assets, and abuse of control and ability to influence.  You can find links for a couple of the derivative complaints on the February 3, 2014 post at dandodiary.com.

Although it is 46 pages long the complaint is primarily just a long compilation of general, broad conclusory, and unsupported allegations that should be dismissed on a FRCP 12(b)(6) motion to dismiss for failure to state a claim.

Essentially what plaintiff alleges is that since there was a data breach,and everyone knows that all companies are at risk these days for data breaches, due to their positions of authority and control, including internal controls, and also based on Target statements and internal charter wording, such as the audit committee charter, defendants thus of course just naturally ipso facto must have breached their duties and responsibilities.

This of course isn’t a legally recognized standard of care. Nor do the allegations negate the defendants’ business judgment rule protections or establish breach of a community standard.

On the other hand, the complaint admits that there are at least 19 different standards for data security, and even the primary PCI standard cited by plaintiff is broad, vague and lacks specifics.

Plaintiff also fails to plead specific factual evidence of the data security that Target did have in place, or specific required security actions that it failed to satisfy, or that the individual defendants were specifically responsible for the tasks.

Allegations that internal controls and risk management weren’t sufficient can be made in every situation, but don’t establish breach of a specific community standard. The new COSO internal controls for example contain 17 broad principles that could be alleged to cover almost everything.

Of course it isn’t possible to stop all data breaches. And a data breach isn’t proof of a standard or a breach of duty. The sufficiency of post-breach consumer notification is more of a specific evaluation.

Plaintiff’s complaint does remind us that companies, officers, directors and board committees should be careful about the things that they say that they will do, and in their charters, as those statements might be alleged against them later.

That’s it for now.

Dave Tate, Esq.

Blog posts and videos emphasizing new developments, people’s actions, the crossover in legal, risk, governance, business, accounting and other topic areas, and what it means. Please follow this blog by clicking “Follow” to the left, and you can find my LinkedIn, Twitter and other connections by clicking on the “About This Blog, Me, And My Connections” link above and to the left. Enjoy. Dave Tate, Esq. (and inactive CPA).