Boards Should Care More About Recent “Caremark” Claims and Cybersecurity

Posted by Paul Ferrillo (McDermott Will & Emery LLP), Bob Zukis (USC), and Christophe Veltsos (Minnesota State University), on
Tuesday, September 15, 2020
Comments Off on Boards Should Care More About Recent “Caremark” Claims and Cybersecurity print this page Print
, , , , , , , ,
More from: , , ,

Paul Ferrillo is partner at McDermott Will & Emery LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a professor at Minnesota State University. This post is part of the Delaware law series; links to other posts in the series are available here. Related research from the Program on Corporate Governance includes Monetary Liability for Breach of the Duty of Care? by Holger Spamann (discussed on the Forum here).

There have been several cases in the last two years relating to the landmark Caremark case that established the key precedent surrounding the role and performance of corporate director responsibilities and director liability when it comes to the exercise of risk oversight.

In many of the cases, there is a clear roadmap for plaintiff’s attorneys and claims that is leading straight to cybersecurity litigation. The ongoing failures of most corporate boards to satisfactorily oversee cybersecurity risk could generate a Caremark-type claim.

As advisors, instructors, litigators, observers and advocates for digital and cybersecurity governance reform over much of the last decade, we share the opinion that boardrooms have generally been behind the learning curve in sufficiently understanding and overseeing this critical business risk and its implications to corporate stakeholders. The stage is now being set for litigation to step in and hold corporate boards and directors to new levels of corporate and personal accountability; to hold them accountable for what they’ve failed to do.

Caring About Caremark

When reviewing the new cases since 2019 discussing and applying each prong of the landmark Caremark decision [1] (“Caremark”), personal liability should be at the forefront of every corporate director’s mind. Specifically, they question “Could a Caremark oversight claim against my company’s board of directors be alleged after a major cybersecurity breach which has caused damage to the company and its investors?”

The answer is of course, “yes,” and it’s our opinion that it not only could, but it will be. The next logical question from a director is then, “Ok, so what can the company and I do to avoid this problem?” Fortunately, there are some tactics that are relatively easy to implement that can address these issues, and we’ll answer this question later in the article.

Blue Bell Creameries Provides A Roadmap For Cybersecurity Liability

Marchand v. Barnhill [2], a Supreme Court of Delaware case involved board conduct (or lack of “any conduct”) related to monitoring food safety oversight at the company. The core issue for any food manufacturing company.

The company was regulated by the Federal Food and Drug Administration since it made an American favorite—ice cream and sherbet. Food safety was one critical issue that a reasonable person would think that the directors did not have the luxury of ignoring.

However, a lack of boardroom oversight caused Blue Bell Creameries, following the deaths of three customers, to later order a nationwide recall of its products (ice cream) and to shut down its plants. This caused a material monetary loss to investors through the loss of market capitalization. According to Chief Judge Leo Strine, the presiding judge in Delaware Supreme Court, Blue Bell’s corporate board seemed little concerned (if at all concerned) about food safety based upon the well-pled facts of the complaint as presented by plaintiff’s attorneys.

Before getting to the facts of the case, Chief Judge Strine laid out the Caremark standard. First he noted the “state of mind requirement” set forth under Caremark and Stone v. Ritter [3], an earlier Supreme Court of Delaware Court Case. Noting that “Failing to make that good faith effort breaches the duty of loyalty [which] can expose a director to liability.” [4]

In order for a plaintiff to prevail on a Caremark claim, the plaintiff must show that a fiduciary acted in bad faith—“the state of mind traditionally used to define the mindset of a disloyal director.”

Bad faith is established under Caremark when the directors completely fail to implement any report or information system or controls, or having implemented such a system of controls, consciously fail to monitor or oversee its operations thus disabling themselves from being informed of risk or problems requiring their attention. In short, to satisfy their duty of loyalty, directors must make a good faith effort to improve an oversight system and then monitor it.  [5]

The facts requiring the Court to uphold the Caremark claim against the Blue Bell Creameries directors were rather clear according to Chief Judge Strine. Indeed, the complaint alleged that before the listeria outbreak, the company had:

  1. No board committee that addressed food safety.
  2. No regular process or protocols that required management to keep the board apprised of food safety compliance practices, or reports existed.
  3. No schedule for the board to consider on a regular basis, such as quarterly or biannually, any key food safety risks existed.
  4. During a key period leading up to the deaths of three customers, management received reports that contained what could be considered red, or at least yellow, flags, and the board minutes of the relevant period revealed no evidence that these were disclosed to the board.
  5. The board was given certain favorable information about food safety by management, but was not given important reports that presented a much different picture; and
  6. The board meetings are devoid of any suggestion that there were any regular discussions of food safety issues.

Marchand at 823. On these facts, CJ Strine held, “Although Caremark is a tough standard for the plaintiffs to meet, the plaintiff has met it here…in Blue Bell’s case, food safety was essential and mission critical. The complaint pled facts supporting a fair inference that no board level system of monitoring or reporting on food safety existed” Id. At 824.

Blue Bell Creameries Opens The Door For A Caremark-like Cybersecurity Claim of Bad Faith against Directors

There are a line of cases following Blue Bell Creameries that all support the likely application of Caremark to a cybersecurity claim. Consider the following hypothetical scenarios:

1. The “Absence” of Board oversight: The Company is regulated by the FTC and various state data protection and privacy laws. But either the board does not want to know about cybersecurity or does not care (or maybe doesn’t even know enough about cybersecurity, and thus doesn’t feel it needs to care because its “an IT problem”).

This board doesn’t get regular reports about cybersecurity from management. Or it’s the board that doesn’t have any cybersecurity skills in the boardroom and can’t provide meaningful oversight and interactions with the IT management.

This board may spend a token amount of time per board meeting on cybersecurity, but there is no evidence of such in the board minutes.

2. Inadequate oversight. The company is highly regulated by the SEC, among many other state and international regulators. Under the company’s governance structure, the board committee where cybersecurity is charged is the Audit Committee (which is already very busy with public, periodic reporting requirement issues).

The committee gets (knowingly) unfavorable comments, reviews, or information concerning unreported significant breaches and doesn’t know enough to follow through with questions or concerns, but does follow through with “not much of anything.” See e.gIn Re Clovis Oncology Derivative Litigation [6], (the board knew management was incorrectly reporting responses and violating the RECIST protocol).

The Audit Committee meets quarterly to review periodic disclosures, but only receives bi-annual reports from the Company’s CIO or CISO.

Worse yet, the board knows that the company is highly regulated from a data privacy perspective, but it doesn’t request periodic reports or assessments on the company’s compliance with SEC regulations, or its compliance with other applicable laws like the NY Shield Act, or California’s CCPA, or GDPR. Nor does it get reports on all significant breaches which the company has faced in the quarter that it is reviewing.

The directors on the audit committee also don’t receive annual training on current issues in digital and cybersecurity risk oversight. They also have ignored the fact that their IT department is under-manned and under-resourced, and have not set aside enough budget ever to fulfill the CISO’s needs.

Under either scenario, the board that doesn’t seem to care, that doesn’t know enough to know what it needs to care about, or knowingly disregards bad facts or bad reports is potentially liable of committing bad faith director conduct under applicable Delaware Caselaw.

The Board doesn’t need to be perfect when it comes to cybersecurity oversight and compliance (nobody is perfect) but it cannot act in “conscious disregard of its duties.” See In re MetLife Derivative Litigation [7]. Highly public data breaches have put every corporate director and boardroom on notice, but most corporate boards are still not taking actions that would support the effective application of their duties to these issues. Cybersecurity is hard enough, and is a significant risk that could potential sink market capitalization or the company, or cause it to file for bankruptcy.

How Does A Board Satisfy Its “Good Faith” Duties Regarding Cybersecurity.

Here is what we think the evolving Delaware case law teaches us about what boards can do to meet the “good faith” standard and protect themselves. The boardroom approach to effective digital and cybersecurity risk oversight involves boardroom competencies, boardroom structure and the boardroom approach to understanding risk, including systemic risk.

  1. A “good faith” cybersecurity board is a well-trained one. Cybersecurity is a complex and dynamic environment. A full board that receives annual digital and cybersecurity risk oversight training is not only better able to do their job, it’s a strong indicator of the board being proactive in fulfilling its good faith responsibilities.
  2. Boards are also adding digital directors to the boardroom that understand cybersecurity risk and the other IT issues that they need to govern. Having the skills and competencies to pro-actively govern is the judicial standard, this cannot be simply dialed in. Asking questions isn’t good enough, directors need to understand the answers.
  3. The more mature boardrooms have technology and cybersecurity focused committees that can apply the time and focus to these complex issues. A common, although poor practice is to put cybersecurity risk oversight into the audit committee. Salesforce and Oracle are facing a $10 billion class-action lawsuit driven by GDPR. They both task their audit committees with data and cybersecurity risk oversight. Given the cases we cited, it might make sense today to have a specially designated committee to be “in charge” of cybersecurity risk oversight.
  4. Boards MUST set aside time for cybersecurity. Having the competencies and committee focus will force this. But regardless, this is a standing boardroom agenda item that needs to be used effectively to ask informed questions and ensure follow up of the management team on cybersecurity issues.
  5. Boards, and cybersecurity committees where they exist, should get quarterly reports and assessments, whether from the company itself or external experts. Also, regular regulatory compliance reports should also be conducted indicating if the company is in compliance with the rapidly developing regulatory landscape in America and internationally.

Cybersecurity risk, in many respects is evolving into the FDA risks that were faced, and not dealt with in Blue Bell Creameries and Clovis Oncology. It’s becoming a critical issue that is table stakes for every company and corporate board to understand and oversee.

Not paying adequate attention to this universal and calamitous risk, is setting up companies to fail in plaintiffs escalating assaults. But also note that under the business judgement rule, “good counts” so long as the board acts reasonably and on an informed basis. “Good faith” as a standard, demands boardroom action on a reasonable and informed basis. We think many examples of good faith conduct are contained in our 5 steps mentioned above

Cybersecurity risk can succeed against the best protected companies, but 100% security is not the goal nor is it possible. As courts continue to focus upon board conduct, and as the cybersecurity ecosystem continues to worsen for US public companies, we think there is little doubt that there will be a Caremark-type cyber derivative claim in the near future. Indeed, as many cybersecurity breaches end with a stock drop, this is a perfect storm of opportunity for plaintiff’s attorneys. General Counsel’s and corporate boards need to raise their protective “umbrellas” to take steps to navigate the cybersecurity litigation storm that is rapidly approaching.

Endnotes

1(698 A.2d 959 (Del Ch. 1996 (CJ Allen)(go back)

2(“Blue Bell Creameries”), 212 A.3d 805 (2019) (C.J. Strine)(go back)

3911 A.D.2d 362 (2006) (J. Holland)(go back)

4See Marchand, at 821.(go back)

5See Marchand, at 821.(go back)

6No. 2017-0222 (Del.Ch.Ct. VC Slights) at p. 38-39(go back)

7(No. 2019-0452) (Del.Ch.Ct VC Glasscock, Aug. 17, 2020) at pg 49-50(go back)

Both comments and trackbacks are currently closed.