IN THE UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION
IN RE THE HOME DEPOT, INC. SHAREHOLDER DERIVATIVE LITIGATION
LEAD CASE NO. 1:15-CV-2999 TWT
PLAINTIFFS’ MEMORANDUM OF LAW IN OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS
Case 1:15-cv-02999-TWT Document 52 Filed 06/30/16 Page 1 of 49
TABLE OF CONTENTS
I. INTRODUCTION
II. STATEMENT OF FACTS
A. Home Depot is Struck by a Foreseeable Cyber Attack
B. The Board Diminished Its Role in Overseeing Data Security Despite Warnings of the Threat Posed by Cyber Attacks
C. The Board Knew Cyber Attacks Against Retailers had Increased in Both Frequency and Severity in the Years Before the Data Breach
D. Despite Specific Warnings, the Board Allowed Home Depot to Operate with PCI-deficient Data Security in 2014
1. Home Depot Stored Unencrypted Customer Data
2. Home Depot Did Not Track Users or Scan Its Networks
E. The Board Failed to Maintain Internal Controls to Monitor Implementation of Fundamental PCI Security Measures
1. Home Depot’s Firewall Was Ineffective
2. Home Depot Deployed Out-of-Date Antivirus Software at the Time of the Data Breach.
F. Hackers Exploited the PCI Deficiencies During the Data Breach
G. Adequate Data Security Would Have Prevented the Data Breach
H. The Board Has Taken No Steps to Address Management’s False Statements About Home Depot’s Cyber Security
III. ARGUMENT
A. The Complaint Adequately Pleads Demand Futility
1. The Current Director Defendants Ignored Numerous Red Flags
2. The Current Director Defendants Wasted Corporate Assets By Failing to Safeguard Confidential Customer Information
3. There is No Demand Requirement for the Section 14(a) Claim
B. The Complaint States a Claim for Breach of Fiduciary Duty
C. The Claim for Waste Is Adequately Pled
D. The Complaint States a Claim for Violation of Section 14(a)
1. The Complaint Identifies the False Statements and Omitted Information with Particularity
2. The False Statements and Omissions Regarding Corporate Structure are Material
3. The Complaint Adequately Alleges Transaction Causation and Harm to Home Depot
IV. CONCLUSION
TABLE OF AUTHORITIES
Cases
In re Abbott Labs. Derivative S’holders Litig., 325 F.3d 795 (7th Cir. 2003)
Aronson v. Lewis, 473 A.2d 805 (Del. 1984)
Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009)
Basic, Inc. v. Levinson, 485 U.S. 224 (1988)
Beam v. Stewart, 845 A.2d 1040 (Del. 2004)
Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)
In re Browning-Ferris Indus., Inc. S’holder Derivative Litig., 830 F. Supp. 361 (S.D. Tex. 1993)
Caspian Select Credit Master Fund Ltd. v. Gohl, 2015 Del. Ch. LEXIS 246 (Del. Ch. Sept. 28, 2015)
In re China Agritech, Inc., 2013 Del. Ch. LEXIS 132 (Del. Ch. May 21, 2013)
In re Citigroup Inc. S’holder Derivative Litig., 964 A.2d 106 (Del. Ch. 2009)
In re Diamond Foods, Inc. Deriv. Litig., 2012 U.S. Dist. LEXIS 74129 (N.D. Cal. May 29, 2012)
Edward J. Goodman Life Income Trust v. Jabil Circuit, Inc., 594 F.3d 783 (11th Cir. 2010)
Gantler v. Stephens, 965 A.2d 695 (Del. 2009)
In re General Motors Company Derivative Litigation, 2015 Del. Ch. LEXIS 179 (Del. Ch. June 26, 2015)
In re Goldman Sachs Group Shareholder Litigation, 2011 Del. Ch. LEXIS 151 (Del. Ch. October 12, 2011)
Grobow v. Perot, 539 A.2d 180 (Del. 1988)
In re Heartland Payment Systems, Inc. Securities Litigation, 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
Heller v. Kiernan, 2002 Del. Ch. LEXIS 17 (Del. Ch. Feb. 27, 2002)
Jacobs v. Airlift International, Inc., 440 F. Supp. 540 (S.D. Fla. 1977)
In re JPMorgan Chase Derivative Litigation, 2014 U.S. Dist. LEXIS 151370 (E.D. Cal. Oct. 24, 2014)
Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974 (11th Cir. 1985)
McPadden v. Sidhu, 964 A.2d 1262 (Del. Ch. 2008)
Michelson v. Duncan, 407 A.2d 211 (Del. 1979)
Mills v. Elec. Auto-Lite Co., 396 U.S. 375 (1970)
Palkon v. Holmes, 2014 U.S. Dist. LEXIS 148799 (D.N.J. October 20, 2014)
Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 446 F. Supp. 2d 163 (S.D.N.Y. 2006)
In re Pfizer Inc. S’holder Derivative Litig., 722 F. Supp. 2d 453 (S.D.N.Y. 2010)
Quality Foods de Centro America, S.A. v. Latin American Agribusiness Dev. Corp., S.A., 711 F.2d 989 (11th Cir. 1983)
Rales v. Blasband, 634 A.2d 927 (Del. 1993)
Resnik v. Boskin, No. 09-5059 PGS, 2011 WL 689617 (D.N.J. Feb. 17, 2011)
Resnik v. Woertz, 774 F. Supp. 2d 614 (D. Del. 2011)
Rosenbloom v. Pyott, 765 F.3d 1137 (9th Cir. 2014)
Sandys v. Pincus, 2016 Del. Ch. LEXIS 43 (Del. Ch. Feb. 29, 2016)
SEC v. Falstaff Brewing Corp., 629 F.2d 62 (D.D.C. 1980)
In re Tower Air, Inc., 416 F.3d 229 (3d Cir. 2005)
Veeco Instruments, Inc. v. Braun, 434 F. Supp. 2d 267 (S.D.N.Y. 2006)
Vides v. Amelio, 265 F. Supp. 2d 273 (S.D.N.Y. 2003)
In re Walt Disney Co. Deriv. Litig., 907 A.2d 693 (Del. Ch. 2005)
Washtenaw Cty. Emps. Ret. Sys. v. Wells Real Estate Inv. Trust, Inc., 2009 U.S. Dist. LEXIS 53652 (N.D. Ga. March 31, 2008)
Weiss v. Swanson, 948 A.2d 433 (Del. Ch. 2008)
In re Westinghouse Sec. Litig., 832 F. Supp. 989 (W.D. Pa. 1993)
Westmoreland Cnty. Emp. Ret. Sys. v. Parkinson, 727 F.3d 719 (7th Cir. 2013)
Wilson v. Great Am. Indus., Inc., 855 F.2d 987 (2d Cir. 1988)
In re Zoran Corp. Derivative Litig., 511 F. Supp. 2d 986 (N.D. Cal. 2007)
Other Authorities
Law of Corp. Officers & Dir.: Indemn. & Ins. § 2:26 Exculpatory Provisions (2015)
I. INTRODUCTION
This is a shareholder derivative action on behalf of nominal defendant The
Home Depot, Inc. (“HD” or “the Company”) against certain of its directors and
officers.1 This case arises out of the 2014 data breach at HD – the largest data
breach in U.S. history to date – involving the unauthorized access to sensitive
financial data of 56 million HD customers. To date, HD has recorded expenses of
over $250 million due to the breach and faces substantial additional exposure.
The cyber attack was foreseeable and resulted directly from the Board of
Directors (the “Board”) and HD’s conscious failure to institute internal controls
sufficient to oversee the risks HD faced in the event of a breach. As revealed by
internal HD corporate documents obtained by Plaintiffs pursuant to 8 Del. C. §
220, these data security matters were squarely within the Board’s purview.
Remarkably, Plaintiffs’ investigation has revealed that in the years preceding the
breach, as the threat to data security was only growing, the Board disbanded a
Board-level committee with specific responsibility for overseeing these risks. As
(or even more) remarkably, the HD data breach involved the same techniques
hackers used in other widely-publicized data breaches – techniques that the Board
was specifically warned about months prior to the attack.
1 Francis Blake (“Blake”), Matthew Carey (“M. Carey”), Craig Menear (“Menear”), Ari Bousbib, Gregory Brenneman, J. Frank Brown, Albert Carey, Armando Codina, Helena Foulkes, Karen Katen, Mark Vadon, Bonnie Hill (“Hill”), and F. Duane Ackerman (“Ackerman”) are collectively referred to as the “Individual Defendants” or “Defendants.” Bousbib, Brenneman, Brown, Carey, Codina, Foulkes, Katen, Menear and Vadon are collectively referred to as “Current Director Defendants.”
As Plaintiffs allege, the Board knew that a breach of customer personal and
financial information posed a “Top 10 Enterprise Risk,” and knew that the
Company’s data protection systems were deficient and did not satisfy the Payment
Card Industry Data Security Standards (“PCI”), which established a minimum
required level of protection. As the Company’s CEO admitted after the breach
occurred, “if we rewind the tape, our security systems could have been better.
Data security just wasn’t high enough in our mission statement.” He even
acknowledged that HD’s systems were “desperately out of date” at the time of the
attack.
Plaintiffs now sue derivatively on HD’s behalf to remedy these failures,
asserting claims for breach of fiduciary duty, waste of assets, and federal proxy
violations. Defendants move to dismiss the action pursuant to Rule 23.1 and Rule
12(b)(6), but their motion must be denied. Plaintiffs make particularized
allegations based on internal corporate records demonstrating that the defendants
face a substantial likelihood of liability for their conduct. Therefore, demand is
excused and all claims are adequately stated.
II. STATEMENT OF FACTS
A. Home Depot is Struck by a Foreseeable Cyber Attack
In April 2014, hackers infiltrated HD’s network through an unlocked back
door and installed data-stealing software in HD’s point-of-sale (“POS”) system.
¶¶ 7-10, 237.2 The hackers exploited known deficiencies in HD’s cyber security
protocols to steal its customers’ financial data (the “Data Breach”). ¶¶ 3, 230. A
third-party security blog first reported the Data Breach in early September 2014
and drew immediate comparisons to the breach suffered by Target, Inc. (“Target”)
several months before. ¶¶ 2, 214, 219, 222. HD eventually confirmed that the
Data Breach exposed over 56 million HD customers to identity theft and would
cost the Company hundreds of millions of dollars. ¶¶ 5, 10, 252.
The Data Breach fulfilled a warning HD first issued in its annual report filed
with the SEC on April 2, 2009. ¶ 71. That year, and in the years that followed,
HD’s 10-K acknowledged that theft of customer data could damage its reputation
and result in lost sales, fines, and lawsuits. ¶¶ 71-74. HD’s Board assured
customers and investors that HD employed “industry standard” security protocols
“appropriate” under the circumstances. ¶¶ 59, 192. HD’s actions, unfortunately,
did not match its rhetoric.
2 All ¶ citations are to the Verified Consolidated Shareholder Derivative Complaint (the “Complaint”) (ECF No. 41).
B. The Board Diminished Its Role in Overseeing Data Security Despite Warnings of the Threat Posed by Cyber Attacks
From 2007 to 2012, the Infrastructure Committee – like the Information
Technology Advisory Council before it – was made up of HD Board members
tasked with “providing oversight and leadership for the Company’s information
technology and infrastructure planning process, policies, priorities and objectives.”
¶ 175. On May 1, 2012, the Board disbanded the Infrastructure Committee and
announced that risks it previously oversaw would be assumed by the Audit
Committee and the newly formed Finance Committee. ¶¶ 174, 177-78.
HD’s Corporate Governance Guidelines, however, state that committees can
only act where the Board has delegated authority, and each committee’s duties are
“defined by . . . charters adopted by the Board.” ¶¶ 170-71. The Board never
amended the Audit Committee’s Charter to expand its oversight duties to include
data security, and the Finance Committee Charter was silent on the issue. ¶¶ 179-82.
The Board thus failed to properly task any committee with data oversight.
Instead, the responsibility fell heavily on HD’s Executive Vice President and
Chief Information Officer, M. Carey, who was not equipped to handle the task
despite his exorbitant compensation (¶¶ 154-69) and, under his direction, HD failed
to implement fundamental data security practices that would have locked the
hackers out of its networks or detected their presence. ¶ 195. The Board took a
hands-off approach to cyber security despite the known risks it presented.
C. The Board Knew Cyber Attacks Against Retailers had Increased in Both Frequency and Severity in the Years Before the Data Breach
By the time HD’s Board learned of a major data breach at Target in late
December 2013, the threat presented by unauthorized access to sensitive customer
data was well recognized. See, e.g., ¶¶ 70-74. In 2007, TJX Companies Inc.
announced hackers had stolen credit and debit card numbers along with other
personal data about its customers, which cost TJX more than $250 million. ¶ 69.
In July 2013, an HD store in Denton, Texas was attacked by hackers who installed
data stealing malware on POS terminals. ¶ 131. Hackers also installed POS
malware at a Company store in Columbia, Maryland, in late 2013. ¶ 102.
On December 20, 2013, M. Carey advised the Board that hackers had
infiltrated Target’s network using a third party vendor’s credentials to gain
unauthorized access. ¶ 76. Once inside, hackers installed malware in Target’s
in-store cash register systems that captured customers’ data each time a payment card
was swiped and secretly saved the information inside the network. Id. Hackers
later retrieved that data and used it to complete fraudulent transactions. Id.
This cyber attack method was known to be common and highly effective.
On January 13, 2014, M. Carey advised the Board of similar attacks at other
retailers. ¶ 77. An FBI report distributed to retailers on January 14, 2014 warned
of the accessibility and affordability of malware on underground forums and the
substantial profits to be made therefrom. ¶ 78. The FBI’s report re-emphasized
the urgency of retailers’ improving security to prevent additional breaches. Id. In
the face of all of this information, the HD Board did nothing to protect HD from
the same fate. The Board, despite these warnings, failed to ensure that HD
maintained even the most basic data security measures.
D. Despite Specific Warnings, the Board Allowed Home Depot to Operate with PCI-deficient Data Security in 2014
At the time of the Data Breach, the Board knew HD did not comply with the
PCI standards for data security, as promulgated by the Payment Card Industry
Security Standards Council. ¶ 13. On February 28, 2013, M. Carey informed the
Board that HD failed to encrypt point-of-sale data, allowed unauthorized access to
customer information and lacked the ability to adequately scan its network (the
“February 2013 Report”) (¶¶ 106-25, 137-53), all of which constituted a breach of
PCI protocol and violated agreements with payment card processors (¶¶ 59, 80).
Instead of immediately fixing the issues, the Board accepted that HD would remain
non-compliant until a “goal” date of February 2015. ¶¶ 116-25, 142, 152-53.
Hackers exploited the gaps in HD’s network well before the upgrades were
completed. ¶ 116.
1. Home Depot Stored Unencrypted Customer Data
PCI mandates that retailers encrypt all cardholder data at the POS to render
it unreadable to unauthorized persons during the payment verification process. ¶
106. The February 2013 Report identified instances of unencrypted customer data
stored on HD’s network, which created an obvious risk that could have been
eliminated through readily available solutions. ¶ 116.
HD began a process of encrypting payment card data in all of its POS
systems in early 2011, but this effort ceased in August 2011. ¶ 112. As a result,
unencrypted credit card numbers remained available. Customer service
representatives emailed credit card and driver’s license numbers in plain text, the
roofing, siding and window department unnecessarily allowed access to full credit
card numbers, and the flooring department needlessly made credit card numbers
accessible to certain employees for seven days after a transaction. ¶ 116.
While the February 2013 Report proposed modifications to these deficient
practices, each modification fell short of PCI requirements. ¶¶ 117-19. Even
under the best case scenario, full encryption of customer data was not expected to
be completed until early 2015. On February 27, 2014, M. Carey reaffirmed that
HD would remain non-compliant with PCI encryption standards throughout most,
if not all, of its fiscal year ending February 2015. ¶¶ 117, 120-21.
2. Home Depot Did Not Track Users or Scan Its Networks
Despite being a critical aspect of cyber security, the February 2013 Report
revealed to the Board that HD did not track or monitor access to cardholder data as
required by PCI. ¶ 139. HD should have assigned unique identification numbers
to each individual with access to its systems. ¶ 137. HD permitted super-user
access to many of its systems – i.e. access across its network – by providing
individuals with a shared password. ¶ 140. This system prevented HD from
removing users who no longer needed access and left it unable to identify or track
who was accessing the systems. ¶ 140. M. Carey told the Board in February 2014
that super-user access would not be fixed until 2015. ¶ 142.
PCI requires companies to conduct quarterly system scans for unusual
activity, including at POS terminals, to identify items that need remediation. ¶
144. From 2011 to 2014, HD only scanned a small percentage of its stores for
vulnerabilities (less than 10%), and only a small percentage of the computers at
each of those stores were monitored. ¶¶ 146-47. The February 2013 Report also
confirmed technical limitations were preventing HD from properly monitoring its
systems. ¶¶ 144-53. HD did not deploy software to reduce the tedious process of
manually scanning its systems, and it lacked the bandwidth needed to upload
security logs from its POS terminals for proper review at headquarters. ¶¶ 148-49.
The February 2013 Report acknowledged that deficiencies in tracking and
scanning were not expected to be fixed until at least mid to late 2014, and there
were no plans to rescan systems to determine if the fixes worked. ¶ 150. M.
Carey’s February 27, 2014, report to the Board further showed that HD’s data
security system required “enhancements” to comply with PCI in the areas of
vulnerability scanning and third-party assessments of its systems. ¶ 152.
These shortcomings ultimately allowed hackers to enter the system and
remain undetected within HD’s network for months. Indeed, in its 2015 Form
10-K report, HD acknowledged that “the forensic investigator working on behalf of
the payment card networks alleged that we were not in compliance with certain of
[the PCI] standards at the time of the 2014 data breach.” ¶ 261.
E. The Board Failed to Maintain Internal Controls to Monitor Implementation of Fundamental PCI Security Measures
HD also failed to maintain adequate firewall and antivirus protection on its
network. ¶¶ 91-105, 126-36. Management instead ignored a multitude of
warnings and operated HD with out-of-date and disabled security features, which
violated PCI and HD’s contractual arrangements with payment card companies.
Id. The Board failed to implement controls to ensure even the most basic security
features properly functioned. ¶¶ 191, 193-96.
1. Home Depot’s Firewall Was Ineffective
PCI 2.0 standards required effective firewalls to be implemented on systems
that transmit or store cardholder data. ¶ 84. Although Symantec’s Endpoint
Protection 11.0 included a firewall that blocked threats to computer networks by
preventing unauthorized access (¶¶ 93-95), HD disabled Symantec’s firewall in
favor of an antiquated and outdated Windows-based firewall. ¶¶ 94-96.
Since at least 2011, HD’s IT employees had warned M. Carey that using the
old Windows firewall rendered HD’s computer systems vulnerable to hackers and
urged that HD activate Symantec’s firewall. ¶ 98. On February 28, 2013, M.
Carey told the Audit Committee that during 2012 HD’s firewall setup presented a
risk of “a severe or catastrophic adverse effect on organizational operations,
organizational assets, or individuals.” ¶¶ 98-99. No system was in place, however,
for the Board to confirm management would fix the problem.
In August 2013, Visa warned HD about network intrusions at retailers using
Windows firewalls. ¶ 100. Two months later, FishNet Security urged HD to
employ Symantec’s secure firewall – a warning it repeated in February 2014. ¶¶
101, 104. These warnings – which were not conveyed to the Board – went
unheeded as the Endpoint firewall remained disabled during the Data Breach. ¶
195.
2. Home Depot Deployed Out-of-Date Antivirus Software at the Time of the Data Breach.
PCI required that retailers maintain up-to-date antivirus and antispyware
software to prevent hackers from installing malware that would enable them to
steal customer data. ¶ 126. HD utilized Symantec’s Endpoint Protection 11.0
antivirus and antispyware software to detect and stop malicious programs from
entering a protected network. ¶ 127. In 2011, Symantec updated its Endpoint
Protection antivirus software because the “threat landscape had changed
significantly” and the new product would better protect users against the
“explosion in malware scope and complexity.” ¶ 128. But HD did not upgrade.
In July 2014, while the Data Breach was ongoing, HD had Symantec
perform a “health check” on its computer systems. ¶ 136. The health check
identified the use of the out-of-date antivirus software on POS terminals as a critical
issue, but HD continued to rely on software that had reached the end of its
“product life cycle” in early 2014. ¶¶ 126-36. After the attack, Bloomberg
Business reported that HD “had chosen to keep the extra security measure
deactivated even though it was designed specifically to spot the kind of malicious
software” used in the Data Breach. ¶ 135. HD’s internal controls were not
sufficient to inform the Board of these significant issues or ensure compliance with
basic data security protocols. ¶¶ 194-98.
F. Hackers Exploited the PCI Deficiencies During the Data Breach
On September 2, 2014, security blogger Brian Krebs of “Krebs on Security”
reported that banks were seeing evidence of fraud on customer accounts linked to
use at HD and that the U.S. Secret Service believed HD’s computer systems likely
had been breached. ¶ 214. HD issued a statement on its website that it was
“looking into some unusual activity” and that it would provide “further information
as soon as possible.” ¶ 214. HD then remained silent for nearly a week.
Krebs, on the other hand, published running updates about the Data Breach.
On September 7, 2014, Krebs reported that HD’s POS system had been
compromised by data stealing malware known as BlackPOS, which, while
customized for HD’s system, was the same malware used against Target. ¶ 219.
On November 6, 2014, HD confirmed the hackers employed the same
methods as the Target attackers and revealed that a file containing approximately
53 million email addresses was compromised. ¶ 237. Just as with Target, the
hackers used a third party vendor’s credentials to bypass HD’s firewall, gain
super-user access to HD’s network, and ultimately reach its POS system. Id. They
installed malware to record customers’ unencrypted financial information and
stored the data in a hidden location within HD’s own network. ¶ 8.
G. Adequate Data Security Would Have Prevented the Data Breach
Although a PCI compliant system would have stopped the hackers at each
step of the Data Breach (¶ 84), HD’s security was so deficient that it did not even
know about the intrusion until a third party revealed it. ¶¶ 10, 211. The Board’s
failure to implement internal controls to ensure compliance with rules governing
payment card transactions, industry standards for data security, various state and
federal laws and HD’s own commitments, policies and procedures constituted bad
faith and allowed the Data Breach to remain undetected for months. ¶¶ 4, 6-10, 66,
195, 210.
Before the Data Breach, the Board knew HD needed to (a) implement
stronger security-threat detection software; (b) upgrade HD’s security operations
center; (c) install regularly updated security patches; (d) upgrade software on HD’s
POS terminals; and (e) implement technology to encrypt payment card data on its
POS terminals. ¶ 263. HD had the ability to make these improvements
immediately but the Board’s failure to do so predictably led to the largest cyber
attack yet. ¶ 264.
In a news release following HD’s disclosure of the Data Breach, then CEO
Blake admitted HD had given data security short shrift: “If we rewind the tape,
our security systems could have been better. Data security just wasn’t high enough
in our mission statement.” ¶ 233. As Blake admitted, HD’s systems were
“desperately out of date” at the time of the attack. ¶ 234.
The Board, instead, knowingly allowed HD to operate without internal
controls to oversee compliance with basic data security, such as firewall and
antivirus software, which enabled the Data Breach. ¶ 195. When the Board did
receive information showing security deficiencies – including PCI non-compliance
– it took a hands-off approach and deferred to management’s facially inadequate
solutions and, as explained below, often contradictory information. ¶ 203. The
Board’s conscious decision to not act in the face of known threats constitutes bad
faith.
H. The Board Has Taken No Steps to Address Management’s False Statements About Home Depot’s Cyber Security
M. Carey informed the Audit Committee on November 21, 2013, that HD
“encrypt[s] and tokenize[s] all of our credit card numbers.” ¶ 158. Three months
later, however, M. Carey contradicted that statement and admitted that one of HD’s
objectives for 2014 was to install point-to-point encryption of payment card data to
comply with PCI requirements. Id. The task was scheduled for completion in
February 2015, but after the Data Breach, HD installed encryption technology at
the remaining 75% of its stores in just 11 days. ¶¶ 125, 239, 267.
On February 27, 2014, M. Carey claimed that “all point of sale payment card
data [has been] segmented from all other devices” since 2010. ¶ 155. This critical
aspect of cyber security is required by PCI and would have prevented the Data
Breach. ¶ 157. Yet the same presentation showed that the Company’s POS
terminals were connected to store servers which were connected to the Internet. ¶
156. Thus, as of February 27, 2014, the Board knew the POS terminals were not
segmented from all other devices and/or the internet. Id.
According to the 2015 Proxy, despite making false statements, M. Carey
received a total of $3,611,441 in compensation in 2014. ¶ 166. M. Carey also sold
239,626 shares of his HD stock in March 2014 for $19.6 million. ¶ 168.
III. ARGUMENT
A. The Complaint Adequately Pleads Demand Futility
Delaware courts apply one of two tests to determine whether demand on the
board is excused. The first test applies to cases where a decision of the board is
being challenged, Aronson v. Lewis, 473 A.2d 805, 814 (Del. 1984), and the
second test applies to claims of board inaction, Rales v. Blasband, 634 A.2d 927,
933 (Del. 1993). Here, Plaintiffs challenge the Board’s conduct and believe that
the Aronson test is therefore the proper test. In any event, Delaware courts have
held that the “Rales test functionally covers the same ground as the Aronson test in
determining the impartiality of directors.” Sandys v. Pincus, 2016 Del. Ch. LEXIS
43, at *36 (Del. Ch. Feb. 29, 2016).
To challenge director impartiality and establish demand futility, plaintiffs
may demonstrate any of the following: (i) a director may have a personal interest
in considering a plaintiff’s litigation demand because the director obtained a
financial benefit from the challenged transaction not shared by the stockholders
generally, raising the risk of liability for self-dealing; (ii) a director may have a
personal interest in considering a plaintiff’s litigation demand because the director
otherwise faces a substantial risk of liability in the litigation, such as for approving
the challenged transaction in bad faith so as to be susceptible to a non-exculpated
claim for breach of fiduciary duty; or (iii) a director may lack independence from
someone who is at risk of liability under those first two categories because the
director is controlled by or beholden to such person. Id., at *36-37.
To make the required showing, Delaware courts strongly encourage the use
by stockholders of 8 Del. C. § 220 to obtain information to support demand futility
allegations. That is precisely what Plaintiffs have done.3 With the benefit of HD’s
internal records, Plaintiffs have more than sufficiently pled particularized factual
allegations demonstrating that the Current Director Defendants acted in bad faith,
breached their duty of loyalty by failing to act in the face of a known duty to act,
causing HD to issue false and misleading proxy statements in violation of Section
14(a), and rewarding individuals responsible for causing HD to incur substantial
corporate losses. Accordingly, Plaintiffs have established that the Current Director
Defendants, who comprise a majority of the Board, face a substantial likelihood of
liability, thus rendering demand upon them as futile.
1. The Current Director Defendants Ignored Numerous Red Flags
Despite red flags indicating that HD’s data security measures were
inadequate and outdated, the Board failed to require expedited implementation of
critical security measures including encryption of customer data, essential
upgrades to its security software, implementation of an adequate firewall, and full
compliance with PCI, as required by HD’s contracts. Additionally, the Board’s
decision to disband the Infrastructure Committee, which was specifically designed
to oversee and manage HD’s IT and data security, at a time when the Board was
aware of the escalating risk that a data breach posed to the Company, served no
valid business purpose and constituted bad faith. ¶¶ 69-72, 177, 270-71.
3 See Beam v. Stewart, 845 A.2d 1040, 1056 (Del. 2004) (Delaware courts “have continually advised plaintiffs who seek to plead facts establishing demand futility that the plaintiffs might successfully have used a Section 220 books and records inspection to uncover such facts.”).
As early as February 2013 (more than a year before the Data Breach), the
majority of the Current Director Defendants knew of the following critical
vulnerabilities in HD’s data security systems: (a) HD’s firewall was inadequate;
(b) all PCI related vulnerabilities were not identified or tracked; and (c) less than
10% of computers were being scanned and reported on for vulnerabilities, and re-
scanning high-risk vulnerabilities was not taking place. These problems would not
be remediated until at least mid- to late-2014. ¶¶ 99, 116, 139, 150, 200-04.
Subsequently, on August 22, 2013, the Audit Committee learned that an
internal audit “identified gaps” in HD’s data protection systems related to the
granting of privileged access to its systems and that issue received an audit grade
of red/yellow. ¶¶ 141, 205. Then, on November 21, 2013, the Audit Committee
learned that a recent scan of HD’s systems found 57 critical exploitable
vulnerabilities that remained unresolved, and that HD was currently scanning only
10% of its stores. ¶¶ 86, 151. The meeting participants also received HD’s cyber
security report card that included a yellow rating for PCI compliance, which
remained unchanged during 2014 and 2015. ¶ 86.
A month later on December 20, 2013, the Board learned details regarding
the Target data breach and that the credit/debit accounts of 40 million Target
customers had been impacted. ¶ 76. Then on January 13, 2014, the Board was
alerted to a string of breaches, similar to the one that had affected Target, which
had occurred at other major retailers. ¶ 77. In February 2014, the Audit
Committee and full Board were provided an update on consumer data security,
including the recent breach at Target, and were told that HD still was not in
compliance with PCI, and would remain out of compliance through most, if not all,
of its fiscal year ending on February 1, 2015. ¶¶ 87-88, 120-21, 142, 152, 207.
The areas of PCI non-compliance concerned encryption, super-user access, critical
upgrades to control network access, vulnerability scanning, and third-party
assessments of HD’s systems. Id. Further, on August 14, 2014, the Audit
Committee was advised that three out of the four PCI compliance assessments
were last performed in October 2013 (rendering them stale), HD customers’
payment card data was still being transmitted using unencrypted “plain text,” and
that an audit of HD’s payment processing applications was not scheduled to occur
until sometime between December 2014 and February 2015. ¶¶ 122, 153, 209.
The Board intentionally disregarded these escalating red flags and
consciously caused and allowed HD to remain out of compliance with PCI, which
enabled the Data Breach. For example, the massive data breach at Target,
announced in December 2013, and the subsequent string of similar breaches at
other retailers, constituted a huge red flag that the Board needed to take immediate
action and quickly to update and improve HD’s data security systems, which
remained vulnerable to the same sort of attacks that had been launched on the other
retailers. ¶¶ 103, 262. Yet, despite being informed of these attacks and the
probability of a similar attack on HD’s systems, the Board sat on its hands and
allowed the Data Breach to occur. Not surprisingly, it was later reported that the
Data Breach bore many similarities to the one that occurred at Target and, in fact,
that the malware used by the HD hackers was a variant of the malware used in the
Target breach. ¶¶ 219, 222.
The Board knew that the PCI requirements were “baseline” standards that
merely consisted of a “minimum set of requirements.” ¶ 79. The Board’s failure to
ensure that HD’s security systems complied with the minimum level of protection
established by PCI is conduct so egregious on its face that a substantial likelihood
of director liability exists. The “red flags” were more like flashing neon signs
warning the Board that HD’s woefully inadequate data security systems presented
a substantial and material risk to the Company. The Current Director Defendants
thus face a substantial likelihood of liability for breaching their fiduciary duty of
good faith and, accordingly, demand against them would have been futile.
Many cases find demand futility established under such, and even far less
egregious, circumstances. See In re Abbott Labs. Derivative S’holders Litig., 325
F.3d 795, 809 (7th Cir. 2003) (“Given the extensive paper trail in Abbott
concerning the violations and the inferred awareness of the problems, the facts
support a reasonable assumption that there was a ‘sustained and systematic failure
of the board to exercise oversight,’ in this case intentional in that the directors
knew of the violations of law, took no steps in an effort to prevent or remedy the
situation, and that failure to take any action for such an inordinate amount of time
resulted in substantial corporate losses, establishing a lack of good faith . . .
directors’ decision to not act was not made in good faith and was contrary to the
best interests of the company.”); Veeco Instruments, Inc. v. Braun, 434 F. Supp. 2d
267, 277-78 (S.D.N.Y. 2006) (allegations that the audit committee met 27 times
during 2003 and 2004 yet took no action to strengthen the existing system or
implement a new system of internal accounting controls until more than a year had
passed and after substantial harm had already been done to the company and that
the audit committee permitted additional violations to occur after being put on
notice twice raised a reasonable doubt that the director-committee members were
disinterested and capable of objectively deciding whether or not to prosecute the
litigation on the corporation’s behalf); In re Pfizer Inc. S’holder Derivative Litig.,
722 F. Supp. 2d 453, 462 (S.D.N.Y. 2010) (majority of the directors “face a
substantial likelihood of personal liability because they deliberately disregarded
reports of [Pfizer’s] illegal marketing practices eventually resulting in the 2009
settlement”).
Contrary to Defendants’ argument, Plaintiffs are not required to provide
director-by-director factual allegations to meet their burden of establishing demand
futility. Pfizer, 722 F. Supp. 2d at 461 (allegations that “a majority of the director
defendants served on the board for a period that covers the dates of every ‘red flag’
alleged to have been brought to the Board’s attention” sufficiently demonstrated a
substantial likelihood that a majority of the board faced personal liability);
Rosenbloom v. Pyott, 765 F.3d 1137, 1151 n.13 (9th Cir. 2014) (“because Plaintiffs
repeatedly allege that a majority of the Board was involved in all (or nearly all) of
the programs and decisions at issue. When appropriate, courts may evaluate
demand futility by looking to the whole board of directors rather than going one by
one through its ranks.”). Rather, demand futility is evaluated based on the facts of
each particular case. Grobow v. Perot, 539 A.2d 180, 186 (Del. 1988), overruled
on other grounds, Brehm v. Eisner, 746 A.2d 244 (Del. 2000).
Here, the Complaint sets forth the dates of each board and/or committee
meeting, the names of the board members and/or committee members who
attended the meetings, and the specific information that was presented and/or
discussed at each meeting. These particularized allegations are more than
sufficient to show that the majority of the Current Director Defendants had actual
knowledge of HD’s data security issues and failed to take any action to remediate
the problems. See Westmoreland Cnty. Emp. Ret. Sys. v. Parkinson, 727 F.3d 719,
728 (7th Cir. 2013) (inference of director knowledge not necessary “since the
complaint alleges particularized facts (e.g. meeting dates and minutes) indicating
that the directors were intimately involved in overseeing the remedial effort[s].”).
The fact that Defendant Menear joined the Board after the Data Breach does
not make him disinterested for demand purposes. Prior to becoming CEO and
President of HD and joining the Board, Menear was an executive officer of HD
and served as President of its retail division where he was responsible for
oversight of, among other things, HD’s online business activities. ¶ 27. While
serving in that role, Menear attended an Audit Committee meeting in August 2014,
where he learned the details concerning HD’s data security and PCI deficiencies.
¶¶ 122, 153, 209. Menear thus breached his fiduciary duty of loyalty owed by
officers by failing to take action to address the deficiencies. See Caspian Select
Credit Master Fund Ltd. v. Gohl, 2015 Del. Ch. LEXIS 246, at *37 (Del. Ch. Sept.
28, 2015) (corporate officers do not benefit from the protections of an exculpatory
charter provision under Delaware law).
Thus, Plaintiffs have adequately pled particularized factual allegations
demonstrating that the Current Director Defendants, based upon their attendance at
certain board and/or committee meetings, had knowledge of HD’s inadequate data
security measures dating back more than a year prior to the Data Breach and
consciously chose not to expedite the implementation of critical security measures
resulting in substantial losses to HD. Accordingly, the Current Director
Defendants face a substantial likelihood of liability for breaching their fiduciary
duties to HD, thereby rendering demand futile.
2. The Current Director Defendants Wasted Corporate Assets By Failing to Safeguard Confidential Customer Information
HD’s inadequate corporate structure and Board oversight failures led to the
waste of corporate assets. Waste occurs when corporate assets are diverted for
“improper or unnecessary purposes.” Michelson v. Duncan, 407 A.2d 211, 217
(Del. 1979). A claim for waste survives a motion to dismiss unless “there is no
reasonably conceivable set of facts under which [the plaintiff] could prove a claim
of waste.” Weiss v. Swanson, 948 A.2d 433, 450 (Del. Ch. 2008). Here, Plaintiffs’
particularized allegations demonstrate that HD wasted up to $10 billion responding
to the Data Breach. ¶ 235. Moreover, HD also wasted the value of its proprietary,
confidential customer data, which HD’s Code of Business Conduct recognizes as
an important organizational asset. ¶¶ 57, 99, 201.
The Board also wasted corporate assets in awarding M. Carey lavish,
undeserved compensation. See § II(H), supra. M. Carey is still employed and is
one of the top ten highest paid CIOs in the country, taking home over $23.2 million
in 2014 from compensation and HD stock sales. ¶¶ 166, 168-69. According to the
2015 Proxy, in establishing base salaries for the named executive officers for
Fiscal 2014, the Leadership Development & Compensation Committee increased
M. Carey’s salary based on a number of factors, including his performance over
the previous year. Yet, the Board has not recovered any portion of M. Carey’s
compensation. ¶ 167. These allegations are sufficient under Rule 23.1 to show the
Current Director Defendants committed waste, excusing demand with respect to
the claims. See In re Citigroup Inc. S’holder Derivative Litig., 964 A.2d 106, 137-
38 (Del. Ch. 2009).
3. There is No Demand Requirement for the Section 14(a) Claim
Defendants argue that Plaintiffs fail to allege demand futility as to the
Section 14(a) claim. However, courts are split on the question of whether demand
futility requirements are even applicable to Section 14(a) claims. Vides v. Amelio,
265 F. Supp. 2d 273, 276 (S.D.N.Y. 2003) (“under Delaware law and federal
policy, there is no need for prior demand upon the board of directors with respect
to the claim of misstatements and omissions in the proxy statement”); In re
Westinghouse Sec. Litig., 832 F. Supp. 989, 998 (W.D. Pa. 1993) (business
judgment rule not applicable to proxy claims). Contrary to Defendants’ argument,
the Eleventh Circuit has not yet considered this issue. In any event, given that
Plaintiffs have established demand futility on the related claims based on the same
essential facts, there is no basis to claim that the Current Director Defendants could
evaluate the Section 14(a) claim in a disinterested fashion.4 Furthermore, as
explained below, the Complaint states a Section 14(a) claim against the directors,
necessarily rendering them interested in the subject matter of the litigation.
B. The Complaint States a Claim for Breach of Fiduciary Duty
In addition to Rule 23.1, Defendants also move to dismiss Plaintiffs’ claims
under Rule 12(b)(6). A complaint should be dismissed under Rule 12(b)(6) only
where it appears that the facts alleged fail to state a “plausible” claim for relief.
Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009). A complaint survives a Rule
12(b)(6) motion even if it is “improbable” that a plaintiff would be able to prove
those facts, and even if the possibility of recovery is “remote and unlikely.” Bell
Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007). The court must accept the facts
pleaded as true and construe them in the light most favorable to the plaintiff.
Quality Foods de Centro America, S.A. v. Latin American Agribusiness Dev.
Corp., S.A., 711 F.2d 989, 994-95 (11th Cir. 1983). Notice pleading is all that is
required. Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th Cir. 1985).
4 Should the Court require demand futility allegations particular to the Section 14(a) claim, Plaintiffs respectfully request leave to amend on this point.
To allege a claim for breach of fiduciary duty under Delaware law, a
plaintiff must plead that a fiduciary duty exists and that a fiduciary breached it.
See e.g. Heller v. Kiernan, 2002 Del. Ch. LEXIS 17, at *9 (Del. Ch. Feb. 27,
2002). Plaintiffs allege that the Individual Defendants, as officers and directors of
HD, acted in bad faith and in breach of their duty of loyalty by knowingly violating
their fiduciary duties of management and oversight. ¶¶ 291-93. “Where a plaintiff
alleges a breach of fiduciary duty by conduct not amounting to fraud, such as
breach of a duty of care, disclosure, or loyalty, the general pleading standards set
out by Rule 8(a) of the Federal Rules of Civil Procedure, not the heightened
standards of Rule 9(b), apply.” Pension Comm. of the Univ. of Montreal Pension
Plan v. Banc of Am. Sec., LLC, 446 F. Supp. 2d 163, 196 (S.D.N.Y. 2006).
As explained above, Plaintiffs’ allegations against the Current Director
Defendants indicate bad faith, thereby raising a substantial likelihood of each
director’s liability for breach of the duty of loyalty. Under these circumstances, the
Court need not engage in further analysis on whether a claim has been stated. A
complaint that pleads a substantial threat of liability for purposes of Rule 23.1
“will also survive a 12(b)(6) motion to dismiss.” McPadden v. Sidhu, 964 A.2d
1262, 1270 (Del. Ch. 2008). Where directors “face a substantial threat of liability
on the plaintiffs’ claims for purposes of Rule 23.1, it follows that the complaint
states a claim against these directors for purposes of Rule 12(b)(6).” In re China
Agritech, Inc., 2013 Del. Ch. LEXIS 132, at *70 (Del. Ch. May 21, 2013).5
Contrary to defendants’ argument, the exculpation clause in HD’s Certificate
of Incorporation does not provide a basis to dismiss Plaintiffs’ claims. Plaintiffs
state claims against the directors for bad faith conduct and breach of the duty of
loyalty, which expressly cannot be exculpated under 8 Del. C. Section 102(b)(7).
In any event, it is well established that exculpatory provisions are affirmative
defenses and generally will not form the basis for dismissal under Rule 12(b)(6).6
This result is particularly appropriate here, given that Plaintiffs’ allegations are
based upon internal corporate records obtained under 8 Del. C. § 220.
5 For the same reason, the breach of fiduciary duty claims are adequately stated against former Directors Hill and Ackerman. The Complaint contains numerous allegations based on internal records concerning red flags presented to these defendants while they served on the Board, and their conduct in failing to respond to them. Regarding Hill, see ¶¶ 121, 152, 208; regarding Ackerman, see ¶¶ 87-88, 121-22, 132, 141-42, 151-53, 155, 163, 205-09.
6 See Law of Corp. Officers & Dir.: Indemn. & Ins. § 2:26 Exculpatory Provisions (2015) (“Federal courts, on the other hand, have refused to dismiss breach of duty cases at the motion stage on the ground that exculpatory clauses are in the nature of an affirmative defense, requiring discovery.”); see also In re Tower Air, Inc., 416 F.3d 229, 242 (3d. Cir. 2005) (declining to consider an exculpatory provision at the motion to dismiss stage because, inter alia, “the protection of an exculpatory charter provision appears to be in the nature of an affirmative defense.”).
Plaintiffs also state claims against the Individual Defendants who served as
corporate officers at relevant times – namely defendants Menear, Blake and M.
Carey. Under Delaware law, “corporate officers owe fiduciary duties that are
identical to those owed by corporate directors” – including the “fiduciary duties of
care and loyalty.” Gantler v. Stephens, 965 A. 2d 695, 708-09 (Del. 2009). Officer
liability may attach where the defendant acted with “gross negligence.” In re Walt
Disney Co. Deriv. Litig., 907 A.2d 693, 750 (Del. Ch. 2005). As previously
discussed, Plaintiffs adequately allege that Defendant Menear (current CEO and
President) and Defendant Blake (former CEO) breached their fiduciary duties to
HD in their capacities as directors. These allegations necessarily suffice to state
claims against these defendants in their capacities as officers as well.
With respect to Defendant M. Carey (the only Individual Defendant who did
not also serve as a director), Plaintiffs’ allegations demonstrate that he served as
the CIO leading up to the Data Breach and that HD did not implement fundamental
data security practices that would have detected and prevented the Data Breach
under his direction. Since at least 2011, HD employees warned M. Carey that use
of Windows firewall rendered HD’s computer systems vulnerable to hackers and
urged that HD activate Symantec’s firewall. ¶ 98. M. Carey was aware of massive
data breaches at other large retailers. ¶¶ 76-77. M. Carey even made false and
misleading statements to the Board concerning the effectiveness of HD’s data
security policies, which were in truth materially degraded at all relevant times –
while receiving millions of dollars in compensation. ¶¶ 154-69. Defendants
respond to these allegations by arguing their version of the facts, which is improper
at this stage of the case. Plaintiffs’ allegations show, at the very least, “gross
negligence” by M. Carey and are sufficient at the pleading stage.
Defendants cite various distinguishable cases in support of their motion, and
which only serve to demonstrate the strength of Plaintiffs’ claims. For example,
defendants rely on In re Citigroup Shareholder Derivative Litigation, 964 A.2d
106 (2009). In that case, plaintiffs asserted derivative claims seeking recovery
from Citigroup’s officers and directors to compensate for losses suffered by the
company in the financial crisis. The court rejected allegations of breach of
fiduciary duty where purported “red flags” risk amounted to “little more than
portions of public documents that reflected the worsening conditions in the
subprime mortgage market and in the economy generally.” Id. at 128. In contrast,
the Individual Defendants’ knowledge of HD’s degraded data security environment
is supported by specific reference to its own internal corporate records.
Similarly, in In re General Motors Company Derivative Litigation, 2015
Del. Ch. LEXIS 179 (Del. Ch. June 26, 2015), plaintiffs asserted derivative claims
arising out of GM’s now infamous ignition switch disaster. No allegation was
made that the GM board knew of or received warnings about the ignition switch
problem, and instead plaintiffs alleged the company’s risk oversight function was
deficient. The court held that while the directors may have done a “poor job”
overseeing a “poorly-managed corporation,” this was insufficient to create a
substantial likelihood of liability. Id., at *58-59. In contrast, Plaintiffs’ allegations
here (supported by Board-level documents) show that all of the officers and
directors specifically knew about serious gaps in HD’s data security and the
imminent threat at hand, which led directly to a foreseeable adverse event.7
7 Defendants’ other cases are distinguishable. Palkon v. Holmes, 2014 U.S. Dist. LEXIS 148799 (D.N.J. October 20, 2014) was a “demand refused” case in which the court specifically stated that it would “not reach” the merits of underlying allegations regarding alleged network security problems. In addition, the allegations in that case were not based on internal corporate documents, as they are here. In re Heartland Payment Systems, Inc. Securities Litigation, 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009) was not even a shareholder derivative action, but rather a securities class action in which the court was merely discussing whether a particular challenged statement was false and misleading. In In re Goldman Sachs Group Shareholder Litigation, 2011 Del. Ch. LEXIS 151 (Del. Ch. October 12, 2011), the court rejected allegations that compensation policies that encouraged aggressive risk taking amounted to a “red flag” to the board. These allegations are not even remotely analogous to the allegations of conscious disregard made here.
C. The Claim for Waste Is Adequately Pled
Plaintiffs allege waste against the directors based upon damages to the
Company resulting from the Data Breach, the loss of value of operational assets
(confidential customer information), and executive compensation. Since these
allegations suffice to establish demand futility as to the waste claim under the more
stringent Rule 23.1 pleading standard, Plaintiffs’ waste allegations are sufficient
for Rule 12(b)(6) purposes and must proceed.
D. The Complaint States a Claim for Violation of Section 14(a)
Section 14(a) prohibits companies and individuals from issuing misleading
proxy statements. See Mills v. Elec. Auto-Lite Co., 396 U.S. 375, 383 (1970). To
show a violation, a plaintiff must allege that (1) the proxy statement contained a
material misstatement or omission, and (2) that the proxy statement was the
transactional cause of the harm about which plaintiff complains. Id. at 384-85; In
re Zoran Corp. Derivative Litig., 511 F. Supp. 2d 986, 1016 (N.D. Cal. 2007). A
defendant need not act intentionally or with scienter to violate Section 14(a);
instead, allegations demonstrating negligence are sufficient. See Wilson v. Great
Am. Indus., Inc., 855 F.2d 987, 995 (2d Cir. 1988). Courts in this district have
recognized the PSLRA’s heightened pleading requirements do not apply to Section
14(a) absent fraud. Washtenaw Cty. Emps. Ret. Sys. v. Wells Real Estate Inv. Trust,
Inc., 2009 U.S. Dist. LEXIS 53652, at *10 (N.D. Ga. March 31, 2008). But even if
Plaintiffs were required to plead the elements of a Section 14(a) violation with
particularity under the PSLRA, the allegations here suffice.
1. The Complaint Identifies the False Statements and Omitted Information with Particularity
Before its dissolution in 2012, the Infrastructure Committee Charter
obligated its members to oversee “enterprise-wide information and data security
policies[.]” ¶ 176. The Board caused HD to claim in its 2012 Proxy Statement
that “risks related to our infrastructure that were previously overseen by the
Infrastructure Committee will now be overseen by the Audit Committee and
Finance Committee” but failed to actually take the required steps to authorize such
a change. ¶¶ 180-83. When the Board allowed this to go uncorrected, they
omitted material information. By repeating this claim in the 2015 Proxy Statement
(¶ 186), they misrepresented HD’s corporate governance structure in violation of
Section 14(a). See SEC v. Falstaff Brewing Corp., 629 F.2d 62, 75 (D.D.C. 1980).
Defendants do not dispute that HD’s By-Laws and charters exclusively
define the authority of its committees. ¶¶ 170-71. Nor do they argue that the
Audit Committee charter was ever amended to expressly task the Audit Committee
with any of the eight items delineated by the Infrastructure Committee – or even
suggest that Audit Committee Charter mentions data or IT security at all. ¶¶ 176,
180-81. Defendants instead argue that the Board did, in fact, oversee IT security.
Def. Mem. at 31-32.8 But this is not enough.
In Falstaff, the court held that statements creating a “false impression that
the board of directors was exercising careful oversight of [a] company’s finances”
were misleading under Section 14(a). Falstaff, 629 F.2d at 75. The proxy
statement in Falstaff claimed the company maintained an audit committee, but the
facts showed the committee never “met or functioned.” Id. The court rejected
defendants’ argument that “even if not functioning as a formal committee, the
named individuals were overseeing the company’s finances and thus the statement
was not false.” Id. The court reasoned that “formal entities such as committees
create at least the impression of great care and precision through detailed review
and oversight.” Id.
Plaintiffs’ allegations here are analogous. By claiming the Audit Committee
was delegated “primary oversight responsibility for risks related to IT and data
security” (¶ 186), the Board created a false impression of “great care and
precision” which, in reality, did not exist.9 Instead, the Board allowed HD to
operate computer systems that were “desperately out of date” (¶ 183), and failed to
maintain even the most basic IT security measures such as adequate firewalls or
up-to-date antivirus software which – if properly overseen by the Audit Committee
– would have prevented the Data Breach.
Defendants argue in a footnote that the Audit Committee Charter’s catchall
provisions sufficiently authorize the committee to oversee data security risks. Def.
Mem. at 31, n.15. This overly broad reading of the charter’s language is belied by
the 2015 Proxy Statement itself. ¶¶ 180-182, 186. The 2015 Proxy Statement
distinguishes between the “responsibility for overseeing risk assessment and
management, including the Company’s major financial exposures and compliance”
and “risks related to information technology and data privacy and security.” ¶ 186.
If these risks were not understood by HD to be materially different, the statement
regarding IT security would be repetitive and superfluous, further illustrating the
falsity of the statements about the Audit Committee’s authority.10
8 All “Def. Mem.” citations are to the Memorandum in Support of Defendants’ Motion to Dismiss the Verified Consolidated Shareholder Derivative Complaint (ECF No. 45-1).
9 In re JPMorgan Chase Derivative Litigation, 2014 U.S. Dist. LEXIS 151370 (E.D. Cal. Oct. 24, 2014) is distinguishable. In that case, the plaintiffs took issue with the effectiveness of the Board’s oversight, while here Plaintiffs allege the Board misrepresented the authority of the Audit Committee to act at all.
10 Likewise, Defendants’ suggestion that the Board can expand committee oversight of unrelated topics as it “deems necessary and appropriate” would nullify the limitations imposed on committee responsibilities by the By-Laws and Corporate Governance Guidelines. ¶¶ 170-72.
2. The False Statements and Omissions Regarding Corporate Structure are Material
Defendants separately argue that the challenged statements and omissions
are not alleged to be material. Def. Mem. at 32-33. Defendants’ argument ignores
Plaintiffs’ allegations that the misrepresented facts had great importance to
stockholders being asked to vote on HD’s leadership, executive compensation, and
corporate governance. ¶¶ 183-84, 187-88. A fact is material if a reasonable
stockholder would view it as “having significantly altered the ‘total mix’ of
information made available.” Basic, Inc. v. Levinson, 485 U.S. 224, 231-32
(1988). The determination of materiality is a fact-specific inquiry that does not
require any allegation that stockholders would have changed their vote if provided
accurate information, as defendants suggest. Id.
Here, the significance of data security to HD and its stockholders is not
disputed. See, e.g., ¶ 13 (recognizing unauthorized access to customer data posed
“Top 10 Enterprise Risk”). The Target data breach placed data security in the
forefront of investors’ minds, and the Board itself recognized that the Target attack
ratcheted up the need for effective cyber-security oversight for retailers
everywhere. See, e.g., ¶¶ 75, 77, 100, 120, 207. At the same time, however, the
Board misrepresented HD’s structural ability to oversee data security while asking
stockholders to re-elect incumbent directors who falsely presented themselves as
having taken appropriate steps to address the risks presented by cyber threats. ¶¶
178, 180, 183, 185, 190. Misrepresentations about such important matters of
corporate governance cannot be considered immaterial as a matter of law at this
stage of the proceeding. See Falstaff, 629 F.2d at 75 (recognizing importance of
formal committee structure to shareholders).
3. The Complaint Adequately Alleges Transaction Causation and Harm to Home Depot
Defendants argue the allegations fail to show transaction causation or an
economic loss caused by the proxy statements. Def. Mem. at 34-36. The
Complaint, however, alleges both. The misleading proxy solicitations allowed the
Company to operate during those years without any committee tasked with data
security oversight. ¶¶ 183-84, 188-89. On the basis of this misinformation,
directors denied stockholders the opportunity to insist on an appropriate corporate
structure thereby securing their own re-election. ¶¶ 183, 185-86, 188-90. The
resulting damages that flowed from HD’s structural failures facilitated by the
proxy statements are thus compensable under Section 14(a). See Resnik v. Woertz,
774 F. Supp. 2d 614, 632 (D. Del. 2011) (derivative claim stated where harm
flowed from “interfering with proper governance on [the company’s] behalf that
follows the free and informed exercise of the stockholders’ right to vote for
directors and for compensation plans”).11
Indeed, the harm suffered by HD because of this inadequate corporate
structure procured through the election of directors responsible for its creation is
extensive and ongoing. Not only has the Company already expended more than
$250 million as a result of the Data Breach (¶ 5), the Data Breach harmed a
valuable operational asset - the inherent value in confidential customer data. ¶¶ 99,
201. The Court should be hesitant to find a lack of damages where the
misrepresentations implicate the Company’s corporate structure, not simply the
Defendants’ breaches of fiduciary duty. See In re Zoran Corp. Derivative Litig.,
511 F. Supp. 2d at 1016.12
11 Defendants’ cases regarding causation are not applicable here. In Diamond Foods, the court held that allegations of “subsequent mismanagement” cannot form the basis for liability under Section 14(a). See In re Diamond Foods, Inc. Deriv. Litig., 2012 U.S. Dist. LEXIS 74129, at *20 (N.D. Cal. May 29, 2012). Unlike Diamond, Plaintiffs here allege the harm suffered by HD was ongoing at the time each proxy statement was issued. Likewise, while mismanagement certainly is relevant to Plaintiffs’ fiduciary duty claims, Browning-Ferris is not applicable because the Section 14(a) claim here addresses the discrete fact that HD’s corporate structure contributed to the harm. This constitutes a fact “that, if proved, establish[es] a duty to disclose the specified omissions” under Section 14(a), which goes beyond “simply” alleging that harm was caused by directors who would not be elected but for the proxy violations. Cf. In re Browning-Ferris Indus., Inc. S'holder Derivative Litig., 830 F. Supp. 361, 370 (S.D. Tex. 1993).
12 Plaintiffs’ specific allegations of harm distinguish this case from Jacobs v. Airlift International, Inc., 440 F. Supp. 540, 543 (S.D. Fla. 1977), in which the plaintiff merely parroted the language of Mills without alleging any injury. Other cases that Defendants rely upon are similarly distinguishable because here, Plaintiffs allege economic injury directly attributable to corporate structure that was made possible by the re-election of directors, not just the misconduct of the Board itself. See Edward J. Goodman Life Income Trust v. Jabil Circuit, Inc., 594 F.3d 783, 789 (11th Cir. 2010); Resnik v. Boskin, No. 09-5059 PGS, 2011 WL 689617, at *3 (D.N.J. Feb. 17, 2011).
Finally, and contrary to Defendants’ assertion, the fact “the data breach was
underway by the time the 2014 Proxy was issued, and had been disclosed and
remediated well before the 2015 Proxy solicitation was disseminated to
stockholders” does not undermine the alleged injury to the Company. Def. Mem. at
36. To date, the Board still has failed to delegate the Audit Committee with proper
authority to oversee data security. ¶ 180. Through this litigation, Plaintiffs seek to
remedy the ongoing threat facing HD. See, e.g., ¶ 17.
IV. CONCLUSION
For the foregoing reasons, Defendants’ motion to dismiss should be denied
in its entirety. If it is granted in any respect, Plaintiffs request leave to amend.
Dated: June 30, 2016 Respectfully submitted,
/s Marshall P. Dees HOLZER & HOLZER, LLC Corey D. Holzer Ga. Bar No. 364698 Marshall P. Dees Ga. Bar No. 105776 1200 Ashwood Parkway, Suite 410 Atlanta, GA 30338 Telephone: (770) 392-0090 Facsimile: (770) 392-0029 Liaison Counsel for Plaintiffs
FARUQI & FARUQI, LLP Stuart J. Guber Ga. Bar No. 141879 Timothy J. Peter 101 Greenwood Avenue, Suite 600 Jenkintown, PA 19046 Telephone: (215) 277-5770 Facsimile: (215)277-5771
FARUQI & FARUQI, LLP Nina M. Varindani 685 Third Avenue, 26th Floor New York, New York 10017 Telephone: (212) 983-9330 Facsimile: (212) 983-9331
SCHUBERT JONCKHEER & KOLBE LLP Robert C. Schubert Willem F. Jonckheer Miranda P. Kolbe 3 Embarcadero Center, Suite 1650 San Francisco, CA 94111 Telephone: (415) 788-4220 Facsimile: (415) 788-0161 Lead Counsel for Plaintiffs Kenneth B. Hodges III Georgia Bar No. 359155 2719 Buford Highway NE Atlanta, Georgia 30324 Telephone: (404) 692-0488 Facsimile: (404) 759-6783
Counsel for Plaintiff Bennek
CERTIFICATE OF SERVICE AND TYPE
Pursuant to Local Rule 7.1D, the undersigned counsel for Plaintiffs hereby
certifies that the foregoing has been prepared with a font size and point selection
(Times New Roman, 14 pt.) which was approved by the Court, and that on this 30th
day of June 2016, the foregoing was electronically filed with the Clerk of Court
using the CM/ECF system which will automatically send email notification of such
filing to counsel of record.
/s Marshall P. Dees Marshall P. Dees Georgia Bar No. 105776