IN THE UNITED STATES DISTRICT COURT IN RE …static.reuters.com/resources/media/editorial/20161201/...2016/12/01 · 2 All citations are to the Verified Consolidated Shareholder Derivative

IN THE UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA

ATLANTA DIVISION IN RE THE HOME DEPOT, INC. SHAREHOLDER DERIVATIVE LITIGATION

LEAD CASE NO. 1:15-CV-2999 TWT

PLAINTIFFS’ MEMORANDUM OF LAW IN OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS

Case 1:15-cv-02999-TWT Document 52 Filed 06/30/16 Page 1 of 49

ii

TABLE OF CONTENTS

I. INTRODUCTION ........................................................................................... 1

II. STATEMENT OF FACTS .............................................................................. 3

A. Home Depot is Struck by a Foreseeable Cyber Attack ......................... 3

B. The Board Diminished Its Role in Overseeing Data Security Despite Warnings of the Threat Posed by Cyber Attacks ..................... 4

C. The Board Knew Cyber Attacks Against Retailers had Increased in Both Frequency and Severity in the Years Before the Data Breach ........................................................................................... 5

D. Despite Specific Warnings, the Board Allowed Home Depot to Operate with PCI-deficient Data Security in 2014 ............................... 6

1. Home Depot Stored Unencrypted Customer Data ...................... 7

2. Home Depot Did Not Track Users or Scan Its Networks ........... 8

E. The Board Failed to Maintain Internal Controls to Monitor Implementation of Fundamental PCI Security Measures ..................... 9

1. Home Depot’s Firewall Was Ineffective ..................................10

2. Home Depot Deployed Out-of-Date Antivirus Software at the Time of the Data Breach. ................................................11

F. Hackers Exploited the PCI Deficiencies During the Data Breach ......12

G. Adequate Data Security Would Have Prevented the Data Breach .....13

H. The Board Has Taken No Steps to Address Management’s False Statements About Home Depot’s Cyber Security ...............................14

III. ARGUMENT .................................................................................................15

A. The Complaint Adequately Pleads Demand Futility ..........................15

1. The Current Director Defendants Ignored Numerous Red Flags ...................................................................................17

2. The Current Director Defendants Wasted Corporate Assets By Failing to Safeguard Confidential Customer Information ..24


iii

3. There is No Demand Requirement for the Section 14(a) Claim ..................................................................25

B. The Complaint States a Claim for Breach of Fiduciary Duty .............26

C. The Claim for Waste Is Adequately Pled ............................................32

D. The Complaint States a Claim for Violation of Section 14(a) ............32

1. The Complaint Identifies the False Statements and Omitted Information with Particularity...................................................33

2. The False Statements and Omissions Regarding Corporate Structure are Material................................................................36

3. The Complaint Adequately Alleges Transaction Causation and Harm to Home Depot .........................................................37

IV. CONCLUSION ..............................................................................................39


iv

TABLE OF AUTHORITIES

Cases Page(s)

In re Abbott Labs. Derivative S’holders Litig., 325 F.3d 795 (7th Cir. 2003) .............................................................................. 21

Aronson v. Lewis, 473 A.2d 805 (Del. 1984) ................................................................................... 15

Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009) ........................................................................................ 26

Basic, Inc. v. Levinson, 485 U.S. 224 (1988) ............................................................................................ 36

Beam v. Stewart, 845 A.2d 1040 (Del. 2004) ................................................................................. 17

Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) ............................................................................................ 27

In re Browning-Ferris Indus., Inc. S’holder Derivative Litig., 830 F. Supp. 361 (S.D. Tex. 1993) ..................................................................... 38

Caspian Select Credit Master Fund Ltd. v. Gohl, 2015 Del. Ch. LEXIS 246 (Del. Ch. Sept. 28, 2015) ......................................... 24

In re China Agritech, Inc., 2013 Del. Ch. LEXIS 132 (Del. Ch. May 21, 2013) .......................................... 28

In re Citigroup Inc. S’holder Derivative Litig., 964 A.2d 106 (Del. Ch. 2009) ...................................................................... 25, 30

In re Diamond Foods, Inc. Deriv. Litig., 2012 U.S. Dist. LEXIS 74129 (N.D. Cal. May 29, 2012) .................................. 38

Edward J. Goodman Life Income Trust v. Jabil Circuit, Inc., 594 F.3d 783 (11th Cir. 2010) ............................................................................ 39


v

Gantler v. Stephens, 965 A. 2d 695 (Del. 2009) .................................................................................. 29

In re General Motors Company Derivative Litigation, 2015 Del. Ch. LEXIS 179 (Del. Ch. June 26, 2015) .......................................... 31

In re Goldman Sachs Group Shareholder Litigation, 2011 Del. Ch. LEXIS 151 (Del. Ch. October 12, 2011) .................................... 31

Grobow v. Perot, 539 A.2d 180 (Del. 1988) ................................................................................... 22

In re Heartland Payment Systems, Inc. Securities Litigation, 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009) ....................................... 31

Heller v. Kiernan, 2002 Del. Ch. LEXIS 17 (Del. Ch. Feb. 27, 2002) ............................................ 27

Jacobs v. Airlift International, Inc., 440 F. Supp. 540 (S.D. Fla. 1977) ...................................................................... 38

In re JPMorgan Chase Derivative Litigation, 2014 U.S. Dist. LEXIS 151370 (E.D. Cal. Oct. 24, 2014) ................................. 35

Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974 (11th Cir. 1985) ............................................................................ 27

McPadden v. Sidhu, 964 A.2d 1262 (Del. Ch. 2008) .......................................................................... 28

Michelson v. Duncan, 407 A.2d 211 (Del. 1979) ................................................................................... 24

Mills v. Elec. Auto-Lite Co., 396 U.S. 375 (1970) ............................................................................................ 32

Palkon v. Holmes, 2014 U.S. Dist. LEXIS 148799 (D.N.J. October 20, 2014) ............................... 31


vi

Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 446 F. Supp. 2d 163 (S.D.N.Y. 2006) ................................................................ 27

In re Pfizer Inc. S’holder Derivative Litig., 722 F. Supp. 2d 453 (S.D.N.Y. 2010) ................................................................ 22

Quality Foods de Centro America, S.A. v. Latin American Agribusiness Dev. Corp., S.A., 711 F.2d 989 (11th Cir. 1983) ............................................................................ 27

Rales v. Blasband, 634 A.2d 927 (Del. 1993) ................................................................................... 15

Resnik v. Boskin, No. 09-5059 PGS, 2011 WL 689617 (D.N.J. Feb. 17, 2011) ............................ 39

Resnik v. Woertz, 774 F. Supp. 2d 614 (D. Del. 2011).................................................................... 37

Rosenbloom v. Pyott, 765 F.3d 1137 (9th Cir. 2014) ............................................................................ 22

Sandys v. Pincus, 2016 Del. Ch. LEXIS 43 (Del. Ch. Feb. 29, 2016) ............................................ 16

SEC v. Falstaff Brewing Corp., 629 F.2d 62 (D.D.C. 1980) ..................................................................... 33, 34, 37

In re Tower Air, Inc., 416 F.3d 229 (3d. Cir. 2005) .............................................................................. 28

Veeco Instruments, Inc. v. Braun, 434 F. Supp. 2d 267 (S.D.N.Y. 2006) ................................................................ 21

Vides v. Amelio, 265 F. Supp. 2d 273 (S.D.N.Y. 2003) ................................................................ 26

In re Walt Disney Co. Deriv. Litig., 907 A.2d 693 (Del. Ch. 2005) ............................................................................ 29


vii

Washtenaw Cty. Emps. Ret. Sys. v. Wells Real Estate Inv. Trust, Inc., 2009 U.S. Dist. LEXIS 53652 (N.D. Ga. March 31, 2008) ............................... 33

Weiss v. Swanson, 948 A.2d 433 (Del. Ch. 2008) ............................................................................ 24

In re Westinghouse Sec. Litig., 832 F. Supp. 989 (W.D. Pa. 1993) ...................................................................... 26

Westmoreland Cnty. Emp. Ret. Sys. v. Parkinson, 727 F.3d 719 (7th Cir. 2013) .............................................................................. 23

Wilson v. Great Am. Indus., Inc., 855 F.2d 987 (2d Cir. 1988) ............................................................................... 32

In re Zoran Corp. Derivative Litig., 511 F. Supp. 2d 986 (N.D. Cal. 2007) .......................................................... 32, 38

Other Authorities

Law of Corp. Officers & Dir.: Indemn. & Ins. § 2:26 Exculpatory Provisions (2015) ................................................................................................ 28


I. INTRODUCTION

This is a shareholder derivative action on behalf of nominal defendant The

Home Depot, Inc. (“HD” or “the Company”) against certain of its directors and

officers.1

The cyber attack was foreseeable and resulted directly from the Board of

Directors (the “Board”) and HD’s conscious failure to institute internal controls

sufficient to oversee the risks HD faced in the event of a breach. As revealed by

internal HD corporate documents obtained by Plaintiffs pursuant to 8 Del. C. §

220, these data security matters were squarely within the Board’s purview.

Remarkably, Plaintiffs’ investigation has revealed that in the years preceding the

breach, as the threat to data security was only growing, the Board disbanded a

Board-level committee with specific responsibility for overseeing these risks. As

This case arises out of the 2014 data breach at HD – the largest data

breach in U.S. history to date – involving the unauthorized access to sensitive

financial data of 56 million HD customers. To date, HD has recorded expenses of

over $250 million due to the breach and faces substantial additional exposure.

1 Francis Blake (“Blake”), Matthew Carey (“M. Carey”), Craig Menear (“Menear”), Ari Bousbib, Gregory Brenneman, J. Frank Brown, Albert Carey, Armando Codina, Helena Foulkes, Karen Katen, Mark Vadon, Bonnie Hill (“Hill”), and F. Duane Ackerman (“Ackerman”) are collectively referred to as the “Individual Defendants” or “Defendants.” Bousbib, Brenneman, Brown, Carey, Codina, Foulkes, Katen, Menear and Vadon are collectively referred to as “Current Director Defendants.”


2

(or even more) remarkably, the HD data breach involved the same techniques

hackers used in other widely-publicized data breaches – techniques that the Board

was specifically warned about months prior to the attack.

As Plaintiffs allege, the Board knew that a breach of customer personal and

financial information posed a “Top 10 Enterprise Risk,” and knew that the

Company’s data protection systems were deficient and did not satisfy the Payment

Card Industry Data Security Standards (“PCI”), which established a minimum

required level of protection. As the Company’s CEO admitted after the breach

occurred, “if we rewind the tape, our security systems could have been better.

Data security just wasn’t high enough in our mission statement.” He even

acknowledged that HD’s systems were “desperately out of date” at the time of the

attack.

Plaintiffs now sue derivatively on HD’s behalf to remedy these failures,

asserting claims for breach of fiduciary duty, waste of assets, and federal proxy

violations. Defendants move to dismiss the action pursuant to Rule 23.1 and Rule

12(b)(6), but their motion must be denied. Plaintiffs make particularized

allegations based on internal corporate records demonstrating that the defendants

face a substantial likelihood of liability for their conduct. Therefore, demand is

excused and all claims are adequately stated.


3

II. STATEMENT OF FACTS

A. Home Depot is Struck by a Foreseeable Cyber Attack

In April 2014, hackers infiltrated HD’s network through an unlocked back

door and installed data-stealing software in HD’s point-of-sale (“POS”) system.

¶¶ 7-10, 237.2

The Data Breach fulfilled a warning HD first issued in its annual report filed

with the SEC on April 2, 2009. ¶ 71. That year, and in the years that followed,

HD’s 10-K acknowledged that theft of customer data could damage its reputation

and result in lost sales, fines, and lawsuits. ¶¶ 71-74. HD’s Board assured

customers and investors that HD employed “industry standard” security protocols

“appropriate” under the circumstances. ¶¶ 59, 192. HD’s actions, unfortunately,

did not match its rhetoric.

The hackers exploited known deficiencies in HD’s cyber security

protocols to steal its customers’ financial data (the “Data Breach”). ¶¶ 3, 230. A

third-party security blog first reported the Data Breach in early September 2014

and drew immediate comparisons to the breach suffered by Target, Inc. (“Target”)

several months before. ¶¶ 2, 214, 219, 222. HD eventually confirmed that the

Data Breach exposed over 56 million HD customers to identity theft and would

cost the Company hundreds of millions of dollars. ¶¶ 5, 10, 252.

2 All ¶ citations are to the Verified Consolidated Shareholder Derivative Complaint (the “Complaint”) (ECF No. 41).


4

B. The Board Diminished Its Role in Overseeing Data Security Despite Warnings of the Threat Posed by Cyber Attacks

From 2007 to 2012, the Infrastructure Committee – like the Information

Technology Advisory Council before it – was made up of HD Board members

tasked with “providing oversight and leadership for the Company’s information

technology and infrastructure planning process, policies, priorities and objectives.”

¶ 175. On May 1, 2012, the Board disbanded the Infrastructure Committee and

announced that risks it previously oversaw would be assumed by the Audit

Committee and the newly formed Finance Committee. ¶¶ 174, 177-78.

HD’s Corporate Governance Guidelines, however, state that committees can

only act where the Board has delegated authority, and each committee’s duties are

“defined by . . . charters adopted by the Board.” ¶¶ 170-71. The Board never

amended the Audit Committee’s Charter to expand its oversight duties to include

data security, and the Finance Committee Charter was silent on the issue. ¶¶ 179-

82. The Board thus failed to properly task any committee with data oversight.

Instead, the responsibility fell heavily on HD’s Executive Vice President and

Chief Information Officer, M. Carey, who was not equipped to handle the task

despite his exorbitant compensation (¶¶ 154-69) and, under his direction, HD failed

to implement fundamental data security practices that would have locked the


5

hackers out of its networks or detected their presence. ¶ 195. The Board took a

hands-off approach to cyber security despite the known risks it presented.

C. The Board Knew Cyber Attacks Against Retailers had Increased in Both Frequency and Severity in the Years Before the Data Breach

By the time HD’s Board learned of a major data breach at Target in late

December 2013, the threat presented by unauthorized access to sensitive customer

data was well recognized. See, e.g., ¶¶ 70-74. In 2007, TJX Companies Inc.

announced hackers had stolen credit and debit card numbers along with other

personal data about its customers, which cost TJX more than $250 million. ¶ 69.

In July 2013, an HD store in Denton, Texas was attacked by hackers who installed

data stealing malware on POS terminals. ¶ 131. Hackers also installed POS

malware at a Company store in Columbia, Maryland, in late 2013. ¶ 102.

On December 20, 2013, M. Carey advised the Board that hackers had

infiltrated Target’s network using a third party vendor’s credentials to gain

unauthorized access. ¶ 76. Once inside, hackers installed malware in Target’s in-

store cash register systems that captured customers’ data each time a payment card

was swiped and secretly saved the information inside the network. Id. Hackers

later retrieved that data and used it to complete fraudulent transactions. Id.


6

This cyber attack method was known to be common and highly effective.

On January 13, 2014, M. Carey advised the Board of similar attacks at other

retailers. ¶ 77. An FBI report distributed to retailers on January 14, 2014 warned

of the accessibility and affordability of malware on underground forums and the

substantial profits to be made therefrom. ¶ 78. The FBI’s report re-emphasized

the urgency of retailers’ improving security to prevent additional breaches. Id. In

the face of all of this information, the HD Board did nothing to protect HD from

the same fate. The Board, despite these warnings, failed to ensure that HD

maintained even the most basic data security measures.

D. Despite Specific Warnings, the Board Allowed Home Depot to Operate with PCI-deficient Data Security in 2014

At the time of the Data Breach, the Board knew HD did not comply with the

PCI standards for data security, as promulgated by the Payment Card Industry

Security Standards Council. ¶ 13. On February 28, 2013, M. Carey informed the

Board that HD failed to encrypt point-of-sale data, allowed unauthorized access to

customer information and lacked the ability to adequately scan its network (the

“February 2013 Report”) (¶¶ 106-25, 137-53), all of which constituted a breach of

PCI protocol and violated agreements with payment card processors (¶¶ 59, 80).

Instead of immediately fixing the issues, the Board accepted that HD would remain

non-compliant until a “goal” date of February 2015. ¶¶ 116-25, 142, 152-53.


7

Hackers exploited the gaps in HD’s network well before the upgrades were

completed. ¶ 116.

1. Home Depot Stored Unencrypted Customer Data

PCI mandates that retailers encrypt all cardholder data at the POS to render

it unreadable to unauthorized persons during the payment verification process. ¶

106. The February 2013 Report identified instances of unencrypted customer data

stored on HD’s network, which created an obvious risk that could have been

eliminated through readily available solutions. ¶ 116.

HD began a process of encrypting payment card data in all of its POS

systems in early 2011, but this effort ceased in August 2011. ¶ 112. As a result,

unencrypted credit card numbers remained available. Customer service

representatives emailed credit card and driver’s license numbers in plain text, the

roofing, siding and window department unnecessarily allowed access to full credit

card numbers, and the flooring department needlessly made credit card numbers

accessible to certain employees for seven days after a transaction. ¶ 116.

While the February 2013 Report proposed modifications to these deficient

practices, each modification fell short of PCI requirements. ¶¶ 117-19. Even

under the best case scenario, full encryption of customer data was not expected to

be completed until early 2015. On February 27, 2014, M. Carey reaffirmed that


8

HD would remain non-compliant with PCI encryption standards throughout most,

if not all, of its fiscal year ending February 2015. ¶¶ 117, 120-21.

2. Home Depot Did Not Track Users or Scan Its Networks

Despite being a critical aspect of cyber security, the February 2013 Report

revealed to the Board that HD did not track or monitor access to cardholder data as

required by PCI. ¶ 139. HD should have assigned unique identification numbers

to each individual with access to its systems. ¶ 137. HD permitted super-user

access to many of its systems – i.e. access across its network – by providing

individuals with a shared password. ¶ 140. This system prevented HD from

removing users who no longer needed access and left it unable to identify or track

who was accessing the systems. ¶ 140. M. Carey told the Board in February 2014

that super-user access would not be fixed until 2015. ¶ 142.

PCI requires companies to conduct quarterly system scans for unusual

activity, including at POS terminals, to identify items that need remediation. ¶

144. From 2011 to 2014, HD only scanned a small percentage of its stores for

vulnerabilities (less than 10%), and only a small percentage of the computers at

each of those stores were monitored. ¶¶ 146-47. The February 2013 Report also

confirmed technical limitations were preventing HD from properly monitoring its

systems. ¶¶ 144-53. HD did not deploy software to reduce the tedious process of


9

manually scanning its systems, and it lacked the bandwidth needed to upload

security logs from its POS terminals for proper review at headquarters. ¶¶ 148-49.

The February 2013 Report acknowledged that deficiencies in tracking and

scanning were not expected to be fixed until at least mid to late 2014, and there

were no plans to rescan systems to determine if the fixes worked. ¶ 150. M.

Carey’s February 27, 2014, report to the Board further showed that HD’s data

security system required “enhancements” to comply with PCI in the areas of

vulnerability scanning and third-party assessments of its systems. ¶ 152.

These shortcomings ultimately allowed hackers to enter the system and

remain undetected within HD’s network for months. Indeed, in its 2015 Form 10-

K report, HD acknowledged that “the forensic investigator working on behalf of

the payment card networks alleged that we were not in compliance with certain of

[the PCI] standards at the time of the 2014 data breach.” ¶ 261.

E. The Board Failed to Maintain Internal Controls to Monitor Implementation of Fundamental PCI Security Measures

HD also failed to maintain adequate firewall and antivirus protection on its

network. ¶¶ 91-105, 126-36. Management instead ignored a multitude of

warnings and operated HD with out-of-date and disabled security features, which

violated PCI and HD’s contractual arrangements with payment card companies.


10

Id. The Board failed to implement controls to ensure even the most basic security

features properly functioned. ¶¶ 191, 193-96.

1. Home Depot’s Firewall Was Ineffective

PCI 2.0 standards required effective firewalls to be implemented on systems

that transmit or store cardholder data. ¶ 84. Although Symantec’s Endpoint

Protection 11.0 included a firewall that blocked threats to computer networks by

preventing unauthorized access (¶¶ 93-95), HD disabled Symantec’s firewall in

favor of an antiquated and outdated Windows-based firewall. ¶¶ 94-96.

Since at least 2011, HD’s IT employees had warned M. Carey that using the

old Windows firewall rendered HD’s computer systems vulnerable to hackers and

urged that HD activate Symantec’s firewall. ¶ 98. On February 28, 2013, M.

Carey told the Audit Committee that during 2012 HD’s firewall setup presented a

risk of “a severe or catastrophic adverse effect on organizational operations,

organizational assets, or individuals.” ¶¶ 98-99. No system was in place, however,

for the Board to confirm management would fix the problem.

In August 2013, Visa warned HD about network intrusions at retailers using

Windows firewalls. ¶ 100. Two months later, FishNet Security urged HD to

employ Symantec’s secure firewall – a warning it repeated in February 2014. ¶¶

101, 104. These warnings – which were not conveyed to the Board – went


11

unheeded as the Endpoint firewall remained disabled during the Data Breach. ¶

195.

2. Home Depot Deployed Out-of-Date Antivirus Software at the Time of the Data Breach.

PCI required that retailers maintain up-to-date antivirus and antispyware

software to prevent hackers from installing malware that would enable them to

steal customer data. ¶ 126. HD utilized Symantec’s Endpoint Protection 11.0

antivirus and antispyware software to detect and stop malicious programs from

entering a protected network. ¶ 127. In 2011, Symantec updated its Endpoint

Protection antivirus software because the “threat landscape had changed

significantly” and the new product would better protect users against the

“explosion in malware scope and complexity.” ¶ 128. But HD did not upgrade.

In July 2014, while the Data Breach was ongoing, HD had Symantec

perform a “health check” on its computer systems. ¶ 136. The health check

identified the use the out-of-date antivirus software on POS terminals as a critical

issue, but HD continued to rely on software that had reached the end of its

“product life cycle” in early 2014. ¶¶ 126-36. After the attack, Bloomberg

Business reported that HD “had chosen to keep the extra security measure

deactivated even though it was designed specifically to spot the kind of malicious

software” used in the Data Breach. ¶ 135. HD’s internal controls were not


12

sufficient to inform the Board of these significant issues or ensure compliance with

basic data security protocols. ¶¶ 194-98.

F. Hackers Exploited the PCI Deficiencies During the Data Breach

On September 2, 2014, security blogger Brian Krebs of “Krebs on Security”

reported that banks were seeing evidence of fraud on customer accounts linked to

use at HD and that the U.S. Secret Service believed HD’s computer systems likely

had been breached. ¶ 214. HD issued a statement on its website that it was

“looking into some unusual activity” and that it would provide “further information

as soon as possible.” ¶ 214. HD then remained silent for nearly a week.

Krebs, on the other hand, published running updates about the Data Breach.

On September 7, 2014, Krebs reported that HD’s POS system had been

compromised by data stealing malware known as BlackPOS, which, while

customized for HD’s system, was the same malware used against Target. ¶ 219.

On November 6, 2014, HD confirmed the hackers employed the same

methods as the Target attackers and revealed that a file containing approximately

53 million email addresses was compromised. ¶ 237. Just as with Target, the

hackers used a third party vendor’s credentials to bypass HD’s firewall, gain super-

user access to HD’s network, and ultimately reach its POS system. Id. They


13

installed malware to record customers’ unencrypted financial information and

stored the data in a hidden location within HD’s own network. ¶ 8.

G. Adequate Data Security Would Have Prevented the Data Breach

Although a PCI compliant system would have stopped the hackers at each

step of the Data Breach (¶ 84), HD’s security was so deficient that it did not even

know about the intrusion until a third party revealed it. ¶¶ 10, 211. The Board’s

failure to implement internal controls to ensure compliance with rules governing

payment card transactions, industry standards for data security, various state and

federal laws and HD’s own commitments, policies and procedures constituted bad

faith and allowed the Data Breach to remain undetected for months. ¶¶ 4, 6-10, 66,

195, 210.

Before the Data Breach, the Board knew HD needed to (a) implement

stronger security-threat detection software; (b) upgrade HD’s security operations

center; (c) install regularly updated security patches; (d) upgrade software on HD’s

POS terminals; and (e) implement technology to encrypt payment card data on its

POS terminals. ¶ 263. HD had the ability to make these improvements

immediately but the Board’s failure to do so predictably led to the largest cyber

attack yet. ¶ 264.


14

In a news release following HD’s disclosure of the Data Breach, then CEO

Blake admitted HD had given data security short shrift: “If we rewind the tape,

our security systems could have been better. Data security just wasn’t high enough

in our mission statement.” ¶ 233. As Blake admitted, HD’s systems were

“desperately out of date” at the time of the attack. ¶ 234.

The Board, instead, knowingly allowed HD to operate without internal

controls to oversee compliance with basic data security, such as firewall and

antivirus software, which enabled the Data Breach. ¶ 195. When the Board did

receive information showing security deficiencies – including PCI non-compliance

– it took a hands off approach and deferred to managements’ facially inadequate

solutions and, as explained below, often contradictory information. ¶ 203. The

Board’s conscious decision to not act in the face of known threats constitutes bad

faith.

H. The Board Has Taken No Steps to Address Management’s False Statements About Home Depot’s Cyber Security

M. Carey informed the Audit Committee on November 21, 2013, that HD

“encrypt[s] and tokenize[s] all of our credit card numbers.” ¶ 158. Three months

later, however, M. Carey contradicted that statement and admitted that one of HD’s

objectives for 2014 was to install point-to-point encryption of payment card data to

comply with PCI requirements. Id. The task was scheduled for completion in


15

February 2015, but after the Data Breach, HD installed encryption technology at

the remaining 75% of its stores in just 11 days. ¶¶ 125, 239, 267.

On February 27, 2014, M. Carey claimed that “all point of sale payment card

data [has been] segmented from all other devices” since 2010. ¶ 155. This critical

aspect of cyber security is required by PCI and would have prevented the Data

Breach. ¶ 157. Yet the same presentation showed that the Company’s POS

terminals were connected to store servers which were connected to the Internet. ¶

156. Thus, as of February 27, 2014, the Board knew the POS terminals were not

segmented from all other devices and/or the internet. Id.

According to the 2015 Proxy, despite making false statements, M. Carey

received a total of $3,611,441 in compensation in 2014. ¶ 166. M. Carey also sold

239,626 shares of his HD stock in March 2014 for $19.6 million. ¶ 168.

III. ARGUMENT

A. The Complaint Adequately Pleads Demand Futility

Delaware courts apply one of two tests to determine whether demand on the

board is excused. The first test applies to cases where a decision of the board is

being challenged, Aronson v. Lewis, 473 A.2d 805, 814 (Del. 1984), and the

second test applies to claims of board inaction, Rales v. Blasband, 634 A.2d 927,

933 (Del. 1993). Here, Plaintiffs challenge the Board’s conduct and believe that


16

the Aronson test is therefore the proper test. In any event, Delaware courts have

held that the “Rales test functionally covers the same ground as the Aronson test in

determining the impartiality of directors.” Sandys v. Pincus, 2016 Del. Ch. LEXIS

43, at *36 (Del. Ch. Feb. 29, 2016).

To challenge director impartiality and establish demand futility, plaintiffs

may demonstrate any of the following: (i) a director may have a personal interest

in considering a plaintiff’s litigation demand because the director obtained a

financial benefit from the challenged transaction not shared by the stockholders

generally, raising the risk of liability for self-dealing; (ii) a director may have a

personal interest in considering a plaintiff’s litigation demand because the director

otherwise faces a substantial risk of liability in the litigation, such as for approving

the challenged transaction in bad faith so as to be susceptible to a non-exculpated

claim for breach of fiduciary duty; or (iii) a director may lack independence from

someone who is at risk of liability under those first two categories because the

director is controlled by or beholden to such person. Id., at *36-37.

To make the required showing, Delaware courts strongly encourage the use

by stockholders of 8 Del. C. § 220 to obtain information to support demand futility


17

allegations. That is precisely what Plaintiffs have done.3

1. The Current Director Defendants Ignored Numerous Red Flags

With the benefit of HD’s

internal records, Plaintiffs have more than sufficiently pled particularized factual

allegations demonstrating that the Current Director Defendants acted in bad faith,

breached their duty of loyalty by failing to act in the face of a known duty to act,

causing HD to issue false and misleading proxy statements in violation of Section

14(a), and rewarding individuals responsible for causing HD to incur substantial

corporate losses. Accordingly, Plaintiffs have established that the Current Director

Defendants, who comprise a majority of the Board, face a substantial likelihood of

liability, thus rendering demand upon them as futile.

Despite red flags indicating that HD’s data security measures were

inadequate and outdated, the Board failed to require expedited implementation of

critical security measures including encryption of customer data, essential

upgrades to its security software, implementation of an adequate firewall, and full

compliance with PCI, as required by HD’s contracts. Additionally, the Board’s

decision to disband the Infrastructure Committee, which was specifically designed

3 See Beam v. Stewart, 845 A.2d 1040, 1056 (Del. 2004) (Delaware courts “have continually advised plaintiffs who seek to plead facts establishing demand futility that the plaintiffs might successfully have used a Section 220 books and records inspection to uncover such facts.”).


18

to oversee and manage HD’s IT and data security, at a time when the Board was

aware of the escalating risk that a data breach posed to the Company, served no

valid business purpose and constituted bad faith. ¶¶ 69-72, 177, 270-71.

As early as February 2013 (more than a year before the Data Breach), the

majority of the Current Director Defendants knew of the following critical

vulnerabilities in HD’s data security systems: (a) HD’s firewall was inadequate;

(b) all PCI related vulnerabilities were not identified or tracked; and (c) less than

10% of computers were being scanned and reported on for vulnerabilities, and re-

scanning high-risk vulnerabilities was not taking place. These problems would not

be remediated until at least mid- to late-2014. ¶¶ 99, 116, 139, 150, 200-04.

Subsequently, on August 22, 2013, the Audit Committee learned that an

internal audit “identified gaps” in HD’s data protection systems related to the

granting of privileged access to its systems and that issue received an audit grade

of red/yellow. ¶¶ 141, 205. Then, on November 21, 2013, the Audit Committee

learned that a recent scan of the HD’s systems found 57 critical exploitable

vulnerabilities that remained unresolved, and that HD was currently scanning only

10% of its stores. ¶¶ 86, 151. The meeting participants also received HD’s cyber

security report card that included a yellow rating for PCI compliance, which

remained unchanged during 2014 and 2015. ¶ 86.


19

A month later on December 20, 2013, the Board learned details regarding

the Target data breach and that the credit/debit accounts of 40 million Target

customers had been impacted. ¶ 76. Then on January 13, 2014, the Board was

alerted to a string of breaches, similar to the one that had affected Target, which

had occurred at other major retailers. ¶ 77. In February 2014, the Audit

Committee and full Board were provided an update on consumer data security,

including the recent breach at Target, and were told that HD still was not in

compliance with PCI, and would remain out of compliance through most, if not all,

of its fiscal year ending on February 1, 2015. ¶¶ 87-88, 120-21, 142, 152, 207.

The areas of PCI non-compliance concerned encryption, super-user access, critical

upgrades to control network access, vulnerability scanning, and third-party

assessments of HD’s systems. Id. Further, on August 14, 2014, the Audit

Committee was advised that three out of the four PCI compliance assessments

were last performed in October 2013 (rendering them stale), HD customers’

payment card data was still being transmitted using unencrypted “plain text,” and

that an audit of HD’s payment processing applications was not scheduled to occur

until sometime between December 2014 and February 2015. ¶¶ 122, 153, 209.

The Board intentionally disregarded these escalating red flags and

consciously caused and allowed HD to remain out of compliance with PCI, which


20

enabled the Data Breach. For example, the massive data breach at Target,

announced in December 2013, and the subsequent string of similar breaches at

other retailers, constituted a huge red flag that the Board needed to take immediate

action and quickly to update and improve HD’s data security systems, which

remained vulnerable to the same sort of attacks that had been launched on the other

retailers. ¶¶ 103, 262. Yet, despite being informed of these attacks and the

probability of a similar attack on HD’s systems, the Board sat on its hands and

allowed the Data Breach to occur. Not surprisingly, it was later reported that the

Data Breach bore many similarities to the one that occurred at Target and, in fact,

that the malware used by the HD hackers was a variant of the malware used in the

Target breach. ¶¶ 219, 222.

The Board knew that the PCI requirements were “baseline” standards that

merely consisted of a “minimum set of requirements” ¶ 79. The Board’s failure to

ensure that HD’s security systems complied with the minimum level of protection

established by PCI is conduct so egregious on its face that a substantial likelihood

of director liability exists. The “red flags” were more like flashing neon signs

warning the Board that HD’s woefully inadequate data security systems presented

a substantial and material risk to the Company. The Current Director Defendants


21

thus face a substantial likelihood of liability for breaching their fiduciary duty of

good faith and, accordingly, demand against them would have been futile.

Many cases find demand futility established under such, and even far less

egregious, circumstances. See In re Abbott Labs. Derivative S’holders Litig., 325

F.3d 795, 809 (7th Cir. 2003) (“Given the extensive paper trail in Abbott

concerning the violations and the inferred awareness of the problems, the facts

support a reasonable assumption that there was a ‘sustained and systematic failure

of the board to exercise oversight,’ in this case intentional in that the directors

knew of the violations of law, took no steps in an effort to prevent or remedy the

situation, and that failure to take any action for such an inordinate amount of time

resulted in substantial corporate losses, establishing a lack of good faith . . .

directors’ decision to not act was not made in good faith and was contrary to the

best interests of the company.”); Veeco Instruments, Inc. v. Braun, 434 F. Supp. 2d

267, 277-78 (S.D.N.Y. 2006) (allegations that the audit committee met 27 times

during 2003 and 2004 yet took no action to strengthen the existing system or

implement a new system of internal accounting controls until more than a year had

passed and after substantial harm had already been done to the company and that

the audit committee permitted additional violations to occur after being put on

notice twice raised a reasonable doubt that the director-committee members were


22

disinterested and capable of objectively deciding whether or not to prosecute the

litigation on the corporation’s behalf); In re Pfizer Inc. S’holder Derivative Litig.,

722 F. Supp. 2d 453, 462 (S.D.N.Y. 2010) (majority of the directors “face a

substantial likelihood of personal liability because they deliberately disregarded

reports of [Pfizer’s] illegal marketing practices eventually resulting in the 2009

settlement”).

Contrary to Defendants’ argument, Plaintiffs are not required to provide

director-by-director factual allegations to meet their burden of establishing demand

futility. Pfizer, 722 F. Supp. 2d at 461 (allegations that “a majority of the director

defendants served on the board for a period that covers the dates of every ‘red flag’

alleged to have been brought to the Board’s attention” sufficiently demonstrated a

substantial likelihood that a majority of the board faced personal liability);

Rosenbloom v. Pyott, 765 F.3d 1137, 1151 n.13 (9th Cir. 2014) (“because Plaintiffs

repeatedly allege that a majority of the Board was involved in all (or nearly all) of

the programs and decisions at issue. When appropriate, courts may evaluate

demand futility by looking to the whole board of directors rather than going one by

one through its ranks.”). Rather, demand futility is evaluated based on the facts of

each particular case. Grobow v. Perot, 539 A.2d 180, 186 (Del. 1988), overruled

on other grounds, Brehm v. Eisner, 746 A.2d 244 (Del. 2000).


23

Here, the Complaint sets forth the dates of each board and/or committee

meeting, the names of the board members and/or committee members who

attended the meetings, and the specific information that was presented and/or

discussed at each meeting. These particularized allegations are more than

sufficient to show that the majority of the Current Director Defendants had actual

knowledge of HD’s data security issues and failed to take any action to remediate

the problems. See Westmoreland Cnty. Emp. Ret. Sys. v. Parkinson, 727 F.3d 719,

728 (7th Cir. 2013) (inference of director knowledge not necessary “since the

complaint alleges particularized facts (e.g. meeting dates and minutes) indicating

that the directors were intimately involved in overseeing the remedial effort[s].”).

The fact that Defendant Menear joined the Board after the Data Breach does

not make him disinterested for demand purposes. Prior to becoming CEO and

President of HD and joining the Board, Menear was an executive officer of HD

and served as President of the its retail division where he was responsible for

oversight of, among other things, HD’s online business activities. ¶ 27. While

serving in that role, Menear attended an Audit Committee meeting in August 2014,

where he learned the details concerning HD’s data security and PCI deficiencies.

¶¶ 122, 153, 209. Menear thus breached his fiduciary duty of loyalty owed by

officers by failing to take action to address the deficiencies. See Caspian Select


24

Credit Master Fund Ltd. v. Gohl, 2015 Del. Ch. LEXIS 246, at *37 (Del. Ch. Sept.

28, 2015) (corporate officers do not benefit from the protections of an exculpatory

charter provision under Delaware law).

Thus, Plaintiffs have adequately pled particularized factual allegations

demonstrating that the Current Director Defendants, based upon their attendance at

certain board and/or committee meetings, had knowledge of HD’s inadequate data

security measures dating back more than a year prior to the Data Breach and

consciously chose not to expedite the implementation of critical security measures

resulting in substantial losses to HD. Accordingly, the Current Director

Defendants face a substantial likelihood of liability for breaching their fiduciary

duties to HD, thereby rendering demand futile.

2. The Current Director Defendants Wasted Corporate Assets By Failing to Safeguard Confidential Customer Information

HD’s inadequate corporate structure and Board oversight failures led to the

waste of corporate assets. Waste occurs when corporate assets are diverted for

“improper or unnecessary purposes.” Michelson v. Duncan, 407 A.2d 211, 217

(Del. 1979). A claim for waste survives a motion to dismiss unless “there is no

reasonably conceivable set of facts under which [the plaintiff] could prove a claim

of waste.” Weiss v. Swanson, 948 A.2d 433, 450 (Del. Ch. 2008). Here, Plaintiffs’

particularized allegations demonstrate that HD wasted up to $10 billion responding


25

to the Data Breach. ¶ 235. Moreover, HD also wasted the value of its proprietary,

confidential customer data, which HD’s Code of Business Conduct recognizes as

an important organizational asset. ¶¶ 57, 99, 201.

The Board also wasted corporate assets in awarding M. Carey lavish,

undeserved compensation. See § II(H), supra. M. Carey is still employed and is

one of the top ten highest paid CIOs in the country, taking home over $23.2 million

in 2014 from compensation and HD stock sales. ¶¶ 166, 168-69. According to the

2015 Proxy, in establishing base salaries for the named executive officers for

Fiscal 2014, the Leadership Development & Compensation Committee increased

M. Carey’s salary based on a number of factors, including his performance over

the previous year. Yet, the Board has not recovered any portion of M. Carey’s

compensation. ¶ 167. These allegations are sufficient under Rule 23.1 to show the

Current Director Defendants committed waste, excusing demand with respect to

the claims. See In re Citigroup Inc. S’holder Derivative Litig., 964 A.2d 106, 137-

38 (Del. Ch. 2009).

3. There is No Demand Requirement for the Section 14(a) Claim

Defendants argue that Plaintiffs fail to allege demand futility as to the

Section 14(a) claim. However, courts are split on the question of whether demand

futility requirements are even applicable to Section 14(a) claims. Vides v. Amelio,


26

265 F. Supp. 2d 273, 276 (S.D.N.Y. 2003) (“under Delaware law and federal

policy, there is no need for prior demand upon the board of directors with respect

to the claim of misstatements and omissions in the proxy statement”); In re

Westinghouse Sec. Litig., 832 F. Supp. 989, 998 (W.D. Pa. 1993) (business

judgment rule not applicable to proxy claims). Contrary to Defendants’ argument,

the Eleventh Circuit has not yet considered this issue. In any event, given that

Plaintiffs have established demand futility on the related claims based on the same

essential facts, there is no basis to claim that the Current Director Defendants could

evaluate the Section 14(a) claim in a disinterested fashion.4

B. The Complaint States a Claim for Breach of Fiduciary Duty

Furthermore, as

explained below, the Complaint states a Section 14(a) claim against the directors,

necessarily rendering them interested in the subject matter of the litigation.

In addition to Rule 23.1, Defendants also move to dismiss Plaintiffs’ claims

under Rule 12(b)(6). A complaint should be dismissed under Rule 12(b)(6) only

where it appears that the facts alleged fail to state a “plausible” claim for relief.

Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009). A complaint survives a Rule

12(b)(6) motion even if it is “improbable” that a plaintiff would be able to prove

those facts, and even if the possibility of recovery is “remote and unlikely.” Bell 4 Should the Court require demand futility allegations particular to the Section 14(a) claim, Plaintiffs respectfully request leave to amend on this point.


27

Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007). The court must accept the facts

pleaded as true and construe them in the light most favorable to the plaintiff.

Quality Foods de Centro America, S.A. v. Latin American Agribusiness Dev.

Corp., S.A., 711 F.2d 989, 994-95 (11th Cir. 1983). Notice pleading is all that is

required. Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th Cir. 1985).

To allege a claim for breach of fiduciary duty under Delaware law, a

plaintiff must plead that a fiduciary duty exists and that a fiduciary breached it.

See e.g. Heller v. Kiernan, 2002 Del. Ch. LEXIS 17, at *9 (Del. Ch. Feb. 27,

2002). Plaintiffs allege that the Individual Defendants, as officers and directors of

HD, acted in bad faith and in breach of their duty of loyalty by knowingly violating

their fiduciary duties of management and oversight. ¶¶ 291-93. “Where a plaintiff

alleges a breach of fiduciary duty by conduct not amounting to fraud, such as

breach of a duty of care, disclosure, or loyalty, the general pleading standards set

out by Rule 8(a) of the Federal Rules of Civil Procedure, not the heightened

standards of Rule 9(b), apply.” Pension Comm. of the Univ. of Montreal Pension

Plan v. Banc of Am. Sec., LLC, 446 F. Supp. 2d 163, 196 (S.D.N.Y. 2006).

As explained above, Plaintiffs’ allegations against the Current Director

Defendants indicate bad faith, thereby raising a substantial likelihood of each

director’s liability for breach of the duty of loyalty. Under these circumstances, the


28

Court need not engage in further analysis on whether a claim has been stated. A

complaint that pleads a substantial threat of liability for purposes of Rule 23.1

“will also survive a 12(b)(6) motion to dismiss.” McPadden v. Sidhu, 964 A.2d

1262, 1270 (Del. Ch. 2008). Where directors “face a substantial threat of liability

on the plaintiffs’ claims for purposes of Rule 23.1, it follows that the complaint

states a claim against these directors for purposes of Rule 12(b)(6).” In re China

Agritech, Inc., 2013 Del. Ch. LEXIS 132, at *70 (Del. Ch. May 21, 2013).5

Contrary to defendants’ argument, the exculpation clause in HD’s Certificate

of Incorporation does not provide a basis to dismiss Plaintiffs’ claims. Plaintiffs

state claims against the directors for bad faith conduct and breach of the duty of

loyalty, which expressly cannot be exculpated under 8 Del. C. Section 102(b)(7).

In any event, it is well established that exculpatory provisions are affirmative

defenses and generally will not form the basis for dismissal under Rule 12(b)(6).

6

5 For the same reason, the breach of fiduciary duty claims are adequately stated against former Directors Hill and Ackerman. The Complaint contains numerous allegations based on internal records concerning red flags presented to these defendants while they served on the Board, and their conduct in failing to respond to them. Regarding Hill, see ¶¶ 121, 152, 208; regarding Ackerman, see ¶¶ 87-88, 121-22, 132, 141-42, 151-53, 155, 163, 205-09.

6 See Law of Corp. Officers & Dir.: Indemn. & Ins. § 2:26 Exculpatory Provisions (2015) (“Federal courts, on the other hand, have refused to dismiss breach of duty cases at the motion stage on the ground that exculpatory clauses are in the nature of an affirmative defense, requiring discovery.”); see also In re Tower Air, Inc., 416 F.3d 229, 242 (3d. Cir. 2005) (declining to consider an exculpatory provision at the


https://advance.lexis.com/document/?pdmfid=1000516&crid=98325708-ed8e-4698-8edb-34d4c41c048d&pddocfullpath=%2Fshared%2Fdocument%2Fcases%2Furn%3AcontentItem%3A58G5-0891-F04C-G006-00000-00&pddocid=urn%3AcontentItem%3A58G5-0891-F04C-G006-00000-00&pdcontentcomponentid=5077&pdshepid=urn%3AcontentItem%3A58F2-9XD1-DXC8-71DD-00000-00&pdteaserkey=sr0&ecomp=bnLhk&earg=sr0&prid=f745a5b4-9157-4ddc-9119-569c8e7fde11�

https://advance.lexis.com/document/?pdmfid=1000516&crid=98325708-ed8e-4698-8edb-34d4c41c048d&pddocfullpath=%2Fshared%2Fdocument%2Fcases%2Furn%3AcontentItem%3A58G5-0891-F04C-G006-00000-00&pddocid=urn%3AcontentItem%3A58G5-0891-F04C-G006-00000-00&pdcontentcomponentid=5077&pdshepid=urn%3AcontentItem%3A58F2-9XD1-DXC8-71DD-00000-00&pdteaserkey=sr0&ecomp=bnLhk&earg=sr0&prid=f745a5b4-9157-4ddc-9119-569c8e7fde11�

29

This result is particularly appropriate here, given that Plaintiffs’ allegations are

based upon internal corporate records obtained under 8 Del. C. § 220.

Plaintiffs also state claims against the Individuals Defendants who served as

corporate officers at relevant times – namely defendants Menear, Blake and M.

Carey. Under Delaware law, “corporate officers owe fiduciary duties that are

identical to those owed by corporate directors” – including the “fiduciary duties of

care and loyalty.” Gantler v. Stephens, 965 A. 2d 695, 708-09 (Del. 2009). Officer

liability may attach where the defendant acted with “gross negligence.” In re Walt

Disney Co. Deriv. Litig., 907 A.2d 693, 750 (Del. Ch. 2005). As previously

discussed, Plaintiffs adequately allege that Defendant Menear (current CEO and

President) and Defendant Blake (former CEO) breached their fiduciary duties to

HD in their capacities as directors. These allegations necessarily suffice to state

claims against these defendants in their capacities as officers as well.

With respect to Defendant M. Carey (the only Individual Defendant who did

not also serve as a director), Plaintiffs’ allegations demonstrate that he served as

the CIO leading up to the Data Breach and that HD did not implement fundamental

data security practices that would have detected and prevented the Data Breach

under his direction. Since at least 2011, HD employees warned M. Carey that use motion to dismiss stage because, inter alia, “the protection of an exculpatory charter provision appears to be in the nature of an affirmative defense.”).


30

of Windows firewall rendered HD’s computer systems vulnerable to hackers and

urged that HD activate Symantec’s firewall. ¶ 98. M. Carey was aware of massive

data breaches at other large retailers. ¶¶ 76-77. M. Carey even made false and

misleading statements to the Board concerning the effectiveness of the HD’s data

security policies, which were in truth materially degraded at all relevant times –

while receiving millions of dollars in compensation. ¶¶ 154-69. Defendants

respond to these allegations by arguing their version of the facts, which is improper

at this stage of the case. Plaintiffs’ allegations show, at the very least, “gross

negligence” by M. Carey and are sufficient at the pleading stage.

Defendants cite various distinguishable cases in support of their motion, and

which only serve to demonstrate the strength of Plaintiffs’ claims. For example,

defendants rely on In re Citigroup Shareholder Derivative Litigation, 964 A.2d

106 (2009). In that case, plaintiffs asserted derivative claims seeking recovery

from Citigroup’s officers and directors to compensate for losses suffered by the

company in the financial crisis. The court rejected allegations of breach of

fiduciary duty where purported “red flags” risk amounted to “little more than

portions of public documents that reflected the worsening conditions in the

subprime mortgage market and in the economy generally.” Id. at 128. In contrast,


31

the Individual Defendants’ knowledge of HD’s degraded data security environment

is supported by specific reference to its own internal corporate records.

Similarly, in In re General Motors Company Derivative Litigation, 2015

Del. Ch. LEXIS 179 (Del. Ch. June 26, 2015), plaintiffs asserted derivative claims

arising out of GM’s now infamous ignition switch disaster. No allegation was

made that the GM board knew of or received warnings about the ignition switch

problem, and instead plaintiffs alleged the company’s risk oversight function was

deficient. The court held that while the directors may have done a “poor job”

overseeing a “poorly-managed corporation,” this was insufficient to create a

substantial likelihood of liability. Id., at *58-59. In contrast, Plaintiffs’ allegations

here (supported by Board-level documents) show that all of the officers and

directors specifically knew about serious gaps in HD’s data security and the

imminent threat at hand, which led directly to a foreseeable adverse event.7

7 Defendants’ other cases are distinguishable. Palkon v. Holmes, 2014 U.S. Dist. LEXIS 148799 (D.N.J. October 20, 2014) was a “demand refused” case in which the court specifically stated that it would “not reach” the merits of underlying allegations regarding alleged network security problems. In addition, the allegations in that case were not based on internal corporate documents, as they are here. In re Heartland Payment Systems, Inc. Securities Litigation, 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009) was not even a shareholder derivative action, but rather a securities class action in which the court was merely discussing whether a particular challenged statement was false and misleading. In In re Goldman Sachs Group Shareholder Litigation, 2011 Del. Ch. LEXIS 151 (Del. Ch. October 12, 2011), the court rejected allegations that compensation policies


32

C. The Claim for Waste Is Adequately Pled

Plaintiffs allege waste against the directors based upon damages to the

Company resulting from the Data Breach, the loss of value of operational assets

(confidential customer information), and executive compensation. Since these

allegations suffice to establish demand futility as to the waste claim under the more

stringent Rule 23.1 pleading standard, Plaintiffs’ waste allegations are sufficient

for Rule 12(b)(6) purposes and must proceed.

D. The Complaint States a Claim for Violation of Section 14(a)

Section 14(a) prohibits companies and individuals from issuing misleading

proxy statements. See Mills v. Elec. Auto-Lite Co., 396 U.S. 375, 383 (1970). To

show a violation, a plaintiff must allege that (1) the proxy statement contained a

material misstatement or omission, and (2) that the proxy statement was the

transactional cause of the harm about which plaintiff complains. Id. at 384-85; In

re Zoran Corp. Derivative Litig., 511 F. Supp. 2d 986, 1016 (N.D. Cal. 2007). A

defendant need not act intentionally or with scienter to violate Section 14(a);

instead, allegations demonstrating negligence are sufficient. See Wilson v. Great

Am. Indus., Inc., 855 F.2d 987, 995 (2d Cir. 1988). Courts in this district have

that encouraged aggressive risk taking amounted to a “red flag” to the board. These allegations are not even remotely analogous to the allegations of conscious disregard made here.


33

recognized the PSLRA’s heightened pleading requirements do not apply to Section

14(a) absent fraud. Washtenaw Cty. Emps. Ret. Sys. v. Wells Real Estate Inv. Trust,

Inc., 2009 U.S. Dist. LEXIS 53652, at *10 (N.D. Ga. March 31, 2008). But even if

Plaintiffs were required to plead the elements of a Section 14(a) violation with

particularity under the PSLRA, the allegations here suffice.

1. The Complaint Identifies the False Statements and Omitted Information with Particularity

Before its dissolution in 2012, the Infrastructure Committee Charter

obligated its members to oversee “enterprise-wide information and data security

policies[.]” ¶ 176. The Board caused HD to claim in its 2012 Proxy Statement

that “risks related to our infrastructure that were previously overseen by the

Infrastructure Committee will now be overseen by the Audit Committee and

Finance Committee” but failed to actually take the required steps to authorize such

a change. ¶¶ 180-83. When the Board allowed this to go uncorrected, they

omitted material information. By repeating this claim in the 2015 Proxy Statement

(¶ 186), they misrepresented HD’s corporate governance structure in violation of

Section 14(a). See SEC v. Falstaff Brewing Corp., 629 F.2d 62, 75 (D.D.C. 1980)

Defendants do not dispute that HD’s By-Laws and charters exclusively

define the authority of its committees. ¶¶ 170-71. Nor do they argue that the

Audit Committee charter was ever amended to expressly task the Audit Committee


34

with any of the eight items delineated by the Infrastructure Committee – or even

suggest that Audit Committee Charter mentions data or IT security at all. ¶¶ 176,

180-81. Defendants instead argue that the Board did, in fact, oversee IT security.

Def. Mem. at 31-32.8

In Falstaff, the court held that statements creating a “false impression that

the board of directors was exercising careful oversight of [a] company’s finances”

were misleading under Section 14(a). Falstaff, 629 F.2d at 75. The proxy

statement in Falstaff claimed the company maintained an audit committee, but the

facts showed the committee never “met or functioned.” Id. The court rejected

defendants’ argument that “even if not functioning as a formal committee, the

named individuals were overseeing the company’s finances and thus the statement

was not false.” Id. The court reasoned that “formal entities such as committees

create at least the impression of great care and precision through detailed review

and oversight.” Id.

But this is not enough.

Plaintiffs’ allegations here are analogous. By claiming the Audit Committee

was delegated “primary oversight responsibility for risks related to IT and data

security” (¶ 186), the Board created a false impression of “great care and

8 All “Def. Mem.” citations are to the Memorandum in Support of Defendants’ Motion to Dismiss the Verified Consolidated Shareholder Derivative Complaint (ECF No. 45-1).


35

precision” which, in reality, did not exist.9

Defendants argue in a footnote that the Audit Committee Charter’s catchall

provisions sufficiently authorize the committee to oversee data security risks. Def.

Mem. at 31, n.15. This overly broad reading of the charter’s language is belied by

the 2015 Proxy Statement itself. ¶¶ 180-182, 186. The 2015 Proxy Statement

distinguishes between the “responsibility for overseeing risk assessment and

management, including the Company’s major financial exposures and compliance”

and “risks related to information technology and data privacy and security.” ¶ 186.

If these risks were not understood by HD to be materially different, the statement

regarding IT security would be repetitive and superfluous, further illustrating the

falsity of the statements about the Audit Committee’s authority.

Instead, the Board allowed HD to

operate computer systems that were “desperately out of date” (¶ 183), and failed to

maintain even the most basic IT security measures such as adequate firewalls or

up-to-date antivirus software which – if properly overseen by the Audit Committee

– would have prevented the Data Breach.

10

9 In re JPMorgan Chase Derivative Litigation, 2014 U.S. Dist. LEXIS 151370 (E.D. Cal. Oct. 24, 2014) is distinguishable. In that case, the plaintiffs took issue with the effectiveness of the Board’s oversight, while here Plaintiffs allege the Board misrepresented the authority of the Audit Committee to act at all.

10 Likewise, Defendants’ suggestion that the Board can expand committee oversight of unrelated topics as it “deems necessary and appropriate” would nullify


36

2. The False Statements and Omissions Regarding Corporate Structure are Material

Defendants separately argue that the challenged statements and omissions

are not alleged to be material. Def. Mem. at 32-33. Defendants’ argument ignores

Plaintiffs’ allegations that the misrepresented facts had great importance to

stockholders being asked to vote on HD’s leadership, executive compensation, and

corporate governance. ¶¶ 183-84, 187-88. A fact is material if a reasonable

stockholder would view it as “having significantly altered the ‘total mix’ of

information made available.” Basic, Inc. v. Levinson, 485 U.S. 224, 231-32

(1988). The determination of materiality is a fact-specific inquiry that does not

require any allegation that stockholders would have changed their vote if provided

accurate information, as defendants suggest. Id.

Here, the significance of data security to HD and its stockholders is not

disputed. See, e.g., ¶ 13 (recognizing unauthorized access to customer data posed

“Top 10 Enterprise Risk”). The Target data breach placed data security in the

forefront of investors’ minds, and the Board itself recognized that the Target attack

ratcheted up the need for effective cyber-security oversight for retailers

everywhere. See, e.g., ¶¶ 75, 77, 100, 120, 207. At the same time, however, the

the limitations imposed on committee responsibilities by the By-Laws and Corporate Governance Guidelines. ¶¶ 170-72.


37

Board misrepresented HD’s structural ability to oversee data security while asking

stockholders to re-elect incumbent directors who falsely presented themselves as

having taken appropriate steps to address the risks presented by cyber threats. ¶¶

178, 180, 183, 185, 190. Misrepresentations about such important matters of

corporate governance cannot be considered immaterial as a matter of law at this

stage of the proceeding. See Falstaff, 629 F.2d at 75 (recognizing importance of

formal committee structure to shareholders).

3. The Complaint Adequately Alleges Transaction Causation and Harm to Home Depot

Defendants argue the allegations fail to show transaction causation or an

economic loss caused by the proxy statements. Def. Mem. at 34-36. The

Complaint, however, alleges both. The misleading proxy solicitations allowed the

Company to operate during those years without any committee tasked with data

security oversight. ¶¶ 183-84, 188-89. On the basis of this misinformation,

directors denied stockholders the opportunity to insist on an appropriate corporate

structure thereby securing their own re-election. ¶¶ 183, 185-86, 188-90. The

resulting damages that flowed from HD’s structural failures facilitated by the

proxy statements are thus compensable under Section 14(a). See Resnik v. Woertz,

774 F. Supp. 2d 614, 632 (D. Del. 2011) (derivative claim stated where harm

flowed from “interfering with proper governance on [the company’s] behalf that


38

follows the free and informed exercise of the stockholders’ right to vote for

directors and for compensation plans”).11

Indeed, the harm suffered by HD because of this inadequate corporate

structure procured through the election of directors responsible for its creation is

extensive and ongoing. Not only has the Company already expended more than

$250 million as a result of the Data Breach (¶ 5), the Data Breach harmed a

valuable operational asset - the inherent value in confidential customer data. ¶¶ 99,

201. The Court should be hesitant to find a lack of damages where the

misrepresentations implicate the Company’s corporate structure, not simply the

Defendants’ breaches of fiduciary duty. See In re Zoran Corp. Derivative Litig.,

511 F. Supp. 2d at 1016.

12

11 Defendants’ cases regarding causation are not applicable here. In Diamond Foods, the court held that allegations of “subsequent mismanagement” cannot form the basis for liability under Section 14(a). See In re Diamond Foods, Inc. Deriv. Litig., 2012 U.S. Dist. LEXIS 74129, at *20 (N.D. Cal. May 29, 2012). Unlike Diamond, Plaintiffs here allege the harm suffered by HD was ongoing at the time each proxy statement was issued. Likewise, while mismanagement certainly is relevant to Plaintiffs’ fiduciary duty claims, Browning-Ferris is not applicable because the Section 14(a) claim here addresses the discrete fact that HD’s corporate structure contributed to the harm. This constitutes a fact “that, if proved, establish[es] a duty to disclose the specified omissions” under Section 14(a), which goes beyond “simply” alleging that harm was caused by directors who would not be elected but for the proxy violations. C.f., In re Browning-Ferris Indus., Inc. S'holder Derivative Litig., 830 F. Supp. 361, 370 (S.D. Tex. 1993).

12 Plaintiffs’ specific allegations of harm distinguish this case from Jacobs v. Airlift International, Inc., 440 F. Supp. 540, 543 (S.D. Fla. 1977), in which the plaintiff


39

Finally, and contrary to Defendants’ assertion, the fact “the data breach was

underway by the time the 2014 Proxy was issued, and had been disclosed and

remediated well before the 2015 Proxy solicitation was disseminated to

stockholders” does not undermine the alleged injury to the Company. Def. Mem. at

36. To date, the Board still has failed to delegate the Audit Committee with proper

authority to oversee data security. ¶ 180. Through this ligation, Plaintiffs seek to

remedy the ongoing threat facing HD. See, e.g., ¶ 17.

IV. CONCLUSION

For the foregoing reasons, Defendants’ motion to dismiss should be denied

in its entirety. If it is granted in any respect, Plaintiffs request leave to amend.

merely parroted the language of Mills without alleging any injury. Other cases that Defendants rely upon are similarly distinguishable because here, Plaintiffs allege economic injury directly attributable to corporate structure that was made possible by the re-election of directors, not just the misconduct of the Board itself. See Edward J. Goodman Life Income Trust v. Jabil Circuit, Inc., 594 F.3d 783, 789 (11th Cir. 2010); Resnik v. Boskin, No. 09-5059 PGS, 2011 WL 689617, at *3 (D.N.J. Feb. 17, 2011).


40

Dated: June 30, 2016 Respectfully submitted,

/s Marshall P. Dees HOLZER & HOLZER, LLC Corey D. Holzer Ga. Bar No. 364698 Marshall P. Dees Ga. Bar No. 105776 1200 Ashwood Parkway, Suite 410 Atlanta, GA 30338 Telephone: (770) 392-0090 Facsimile: (770) 392-0029 Liaison Counsel for Plaintiffs

FARUQI & FARUQI, LLP Stuart J. Guber Ga. Bar No. 141879 Timothy J. Peter 101 Greenwood Avenue, Suite 600 Jenkintown, PA 19046 Telephone: (215) 277-5770 Facsimile: (215)277-5771

FARUQI & FARUQI, LLP Nina M. Varindani 685 Third Avenue, 26th Floor New York, New York 10017 Telephone: (212) 983-9330 Facsimile: (212) 983-9331


41

SCHUBERT JONCKHEER & KOLBE LLP Robert C. Schubert Willem F. Jonckheer Miranda P. Kolbe 3 Embarcadero Center, Suite 1650 San Francisco, CA 94111 Telephone: (415) 788-4220 Facsimile: (415) 788-0161 Lead Counsel for Plaintiffs Kenneth B. Hodges III Georgia Bar No. 359155 2719 Buford Highway NE Atlanta, Georgia 30324 Telephone: (404) 692-0488 Facsimile: (404) 759-6783

Counsel for Plaintiff Bennek


42

CERTIFICATE OF SERVICE AND TYPE

Pursuant to Local Rule 7.1D, the undersigned counsel for Plaintiffs hereby

certifies that the foregoing has been prepared with a font size and point selection

(Times New Roman, 14 pt.) which was approved by the Court, and that on this 30th

day of June 2016, the foregoing was electronically filed with the Clerk of Court

using the CM/ECF system which will automatically send email notification of such

filing to counsel of record.

/s Marshall P. Dees Marshall P. Dees Georgia Bar No. 105776


Documents

IN THE UNITED STATES DISTRICT COURT IN RE …static.reuters.com/resources/media/editorial/20161201/...2016/12/01 · 2 All citations are to the Verified Consolidated Shareholder Derivative