Caremark Claim for Positive Violation of Law

Gail Weinstein is senior counsel, Steven Epstein and Andrea Gede-Lange are partners at Fried, Frank, Harris, Shriver & Jacobson LLP. This post is based on a Fried Frank memorandum by Ms. Weinstein, Mr. Epstein, Ms. Gede-Lange, Brian T. Mangino, David L. Shaw, and Shant P. Manoukian, and is part of the Delaware law series; links to other posts in the series are available here.

In In re Facebook, Inc. Section 220 Litigation (May 30, 2019), the Delaware Court of Chancery held in favor of Facebook, Inc. shareholders who were seeking to review certain books and records of the company in connection with the 2016 Cambridge Analytica data breach. The shareholders were seeking inspection of the books and records to bolster breach of fiduciary duty claims that they made in pending derivative shareholder litigation. According to the court, the company knew as early as 2015 that Cambridge Analytica, a British political consulting firm, had misappropriated potentially millions of Facebook users’ data, but the company “did not disclose this security breach to its users upon discovery or at any time thereafter” and users “first learned of the breach when they read or heard about it in the news” in 2018. The company’s stock price then dropped 19% (“wiping out” $120 billion of shareholder wealth)—“one of the sharpest single-day market value declines in history,” the court noted. Vice Chancellor Slights found that the shareholders had met their burden of proof of demonstrating a “credible basis” from which the court could infer that “mismanagement, waste or wrongdoing” occurred at the board level that permitted the data breaches to occur. The court observed that the “credible basis” standard applicable in a Section 220 action “imposes the lowest burden of proof known in our law,” while a Caremark claim implicates a high burden of proof (including evidence of bad faith) and “is possibly the most difficult theory upon which a plaintiff might hope to win a judgment.” The court emphasized that the decision in this Section 220 action involved no “merits assessment” of the Caremark claim.

The decision is of interest for the court’s observation that a company’s positive violation of law, a regulatory mandate or a consent decree, will bolster a Caremark claim by shareholders against the board. The court noted that, at the time of the data breach, the company was subject to a Consent Decree under which it had agreed (and so was “under a positive obligation to take specific steps”) “to protect its users’ private data.” The court noted that Delaware courts generally view “stockholder allegations that a board failed to oversee the company’s obligation to comply with positive law, or positive regulatory mandates, more favorably in the Caremark paradigm than allegations that a board failed to oversee the company’s efforts generally to avoid business risk.” By providing “some evidence that the board failed to oversee Facebook’s compliance with the Consent Decree resulting in unauthorized access to its users’ private data and attendant consequences to the Company,” the plaintiff-shareholders “sustained their minimal burden to demonstrate a credible basis of wrongdoing justifying the inspection of certain of the Company’s books and records,” the court wrote.

The court also rejected the company’s “implicit suggestion” that the court could not decide the books and records issue without first deciding whether there was sufficient evidence to justify the Caremark claim. The low burden to justify a books and records request is not “altered” by the higher standard of proof applicable to a Caremark claim, the court stated.

Among the company actions that the court noted were the following: (i) The company discovered the Cambridge Analytica data breach in 2015 “but elected not [to] conduct an audit concerning the scope of that breach.” (ii) The company did not notify the FTC “or any other outside party of the massive intrusion into its users privacy data.” The company provided the personal data of its users to many third parties, without informing its users that it was doing so (even though most of them had not given permission for their data to be shared) and without “monitor[ing] the behavior of these third parties” with respect to their use of the data to which they were allowed access. (iii) The company’s key executives told the Chief Security Officer not to provide certain information to the board about various issues relating to the company’s alleged failures to comply with obligations imposed on it. (iv) Various governmental agency investigations uncovered improper policies and procedures at the company and likely violations of the Consent Decree.