Privacy & Information Security Law Blog

Recently, the U.S. District Court for the Northern District of Georgia dismissed a shareholder derivative lawsuit against Home Depot Inc. (“Home Depot”) arising over claims that Home Depot’s directors and officers (the “Defendants”) acted in bad faith and violated their duties of care and loyalty by disregarding their oversight duties in connection with a 2014 data breach. The case is In re Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 1:15-CV-2999-TWT.

The lawsuit, filed in August 2015, alleged that the Defendants violated their duties by maintaining insufficient internal oversight and controls over the company’s data security and by failing to implement and regularly test basic network security infrastructure, including firewalls, malware and antivirus software, leading to the compromise of approximately 56 million payment cards. The presiding judge, Judge Thomas W. Thrash, dismissed the claims based on shareholder plaintiffs’ failure to make a demand on the Board of Directors to take action or show why such a demand would be futile, as is required for shareholder derivative lawsuits under Federal Rule of Civil Procedure Rule 23.1.