Skip to content Skip to navigation

Target Data Breach Shareholder Lawsuit

In mid-December, 2013, Target announced that hackers had stolen credit and debit card information on 70 million customers. Much of security law deals with one basic question:  Did members of the board of directors fulfill their duties to shareholders?  This suit alleges that the Board breached their respective duties to shareholders.

Hackers embedded cheap “off the shelve” malware onto the point of sale terminals used in Target stores.  All credit card information is encrypted before it is transmitted from the point of sale terminal to the financial institutions for verification. The sensitive information is briefly stored in the point of sale terminal in plain text.  By placing the malware on the point of sale terminal, the hackers took advantage of this security lapse.  By the way, you or I could buy this malware online for $1,800!  It is highly unlikely the hackers could get the actual pin numbers of a debit card as this number has an entirely separate encryption protocol.)

Basic questions about the oversight by the board of directors

Assuming the brief description above proves to be true, shareholders can ask a series of questions to the board of directors.  

  • How active has the board of directors been in the past to address the risk of a cyber attack?
  • Did the board insist on cyber insurance?  Was the notion of purchasing this type of insurance discussed at the board level?
  • What board committee was assigned the task of overseeing cyber risk and what do the minutes of those committee meetings reveal about the level of board oversight?
  • Did the board insist the company have a chief security officer who reports outside of the IT organization?
  • DId the board have policies about hiring outside providers and contractors and did the board insist on a review of the cyber security policies of those outside firms?


Current Case Status: 
This case is stayed pending a report from the committee appointed by the Board of Directors to review the cyber security policies of the company. It is due on March 17, 2015.
Article Type: