A Director’s Duty of Oversight after Marchand in “Caremark” Case

Gregory A. Markel and Daphne Morduchowitz are partners and Matthew C. Catalano is an associate at Seyfarth Shaw LLP. This post is based on their Seyfarth Shaw memorandum, and is part of the Delaware law series; links to other posts in the series are available here. Related research from the Program on Corporate Governance includes Monetary Liability for Breach of the Duty of Care? by Holger Spamann (discussed on the Forum here).

Fundamental Delaware corporate governance principles provide directors with the ultimate authority to manage corporations. Delaware’s business judgement rule protects directors who exercise that authority in good faith and with reasonable care, from liability, even if with the benefit of hindsight the actions taken resulted in an unfortunate result. This rule encourages directors to operate in good faith in the interests of the corporation and its shareholders and with reasonable care under the facts and circumstances as then known and also incentivizes highly competent individuals to serve as company directors by minimizing the litigation risks of being a director if he or she operates in good faith.

In order to achieve these purposes and to encourage the success of Delaware corporations, the board must create or approve a reasoned approach to maintaining a reasonable system for causing information to be transmitted to the board concerning material issues for the business of the company and significant risks to that business. If such a reasonable system is created in good faith, and monitored in good faith, under Delaware law, the board will be protected from claims of lack of oversight.

In 2019, in the Marchand case, the Delaware Supreme Court, in an opinion by then Chief Justice Strine, speaking for the entire Court, en banc, set forth standards that must be met by a plaintiff asserting a lack of oversight claim in order to avoid dismissal of his/her claim. The Marchand opinion helps bring clarity to what has been described in Caremark as the steep hurdle for plaintiffs to succeed in what has come to be known by many as a “Caremark claim” (hereinafter “Caremark Cases”). See Marchand v. Barnhill, 212 A.3d 805 (Del. 2019); In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 970 (Del. Ch. 1996). The authors of this article do not believe that the Marchand decision is in material conflict with Caremark and later cases presenting similar issues. Nor do we believe that Marchand significantly changed Caremark’s teaching. One of several common threads in the opinions addressing oversight claims is that it is very difficult for a plaintiff to succeed on a Caremark claim.

What Marchand does do is bring additional focus on the need for a board of directors to act in a way consistent with general principles of corporate governance: that is in good faith to create systems to provide the board members with information they need to manage a corporation in a way consistent with their duties of loyalty and care. The system need not be perfect, but rather the board should, in good faith, believe the system is reasonably configured and reasonably likely to supply information to the board that the board believes it needs to properly respond to those issues and risks facing the particular corporation. In reaching a decision on what is necessary information, a board should look broadly at significant issues and risks for the corporation in question and create an information gathering and monitoring system designed with such risks, issues and with the unique characteristics of their company in mind.

An excerpt from Marchand summarizes the en banc Supreme Court’s position:

Although Caremark may not require as much as some commentators wish, it does require that a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks. In Blue Bell’s case, food safety was essential and mission critical. The complaint pled facts supporting a fair inference that no board-level system of monitoring or reporting on food safety existed.

If Caremark means anything, it is that a corporate board must make a good faith effort to exercise its duty of care. A failure to make that effort constitutes a breach of duty of loyalty. Where, as here, a plaintiff has followed our admonishment to seek out relevant books and records and then uses those books and records to plead facts supporting a fair inference that no reasonable compliance system and protocols were established as to the obviously most central consumer safety and legal compliance issue facing the company, that the board’s lack of efforts resulted in it not receiving official notices of food safety deficiencies for several years, and that, as a failure to take remedial action, the company exposed consumers to listeria-infected ice cream, resulting in the death and injury of company customers, the plaintiff has met his onerous pleading burden and is entitled to discovery to prove out his claim.
—Marchand, 212 A.3d at 824.

In the following sections of this post we will explain how Marchand’s teaching compares with other selected cases decided before and after Marchand on the standard plaintiffs must meet to survive a motion to dismiss in a Caremark case, the pleading standard for Caremark cases we think the unanimous en banc court arrived at and discuss current-day board challenges in dealing with modern issues such as cybersecurity. Finally, we will also set out advice to boards on avoiding oversight liabilities.

The Delaware Court of Chancery Articulates Standard For Oversight Claims in In re Caremark

In its 1996 In re Caremark decision, the Delaware Court of Chancery articulated a standard of liability with respect to a board of directors’ oversight failures. The Delaware Court of Chancery explained that such oversight duties stem from a directors’ duty to act in good faith and to be “reasonably informed concerning the corporation.” Caremark, 698 A.2d at 970. The Delaware Court of Chancery concluded that in order to fulfill the obligation to be reasonably informed, the board must first assure itself “that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as matter of ordinary operations.” Id. The Delaware Court of Chancery then articulated a high pleading standard for breach of fiduciary duty claims based on an oversight failure, which require allegations of “systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.” Id. at 971. The utter failure to implement any system was not the only example of a systematic failure contemplated by the Delaware Court of Chancery in Caremark that could meet the high pleading standard. Another would be to institute an obviously unreasonable or inadequate system, or to implement a system of reporting and then fail to monitor the reported risks.

The Delaware Court of Chancery emphasized that Caremark claims are “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment” and explained the public policy reasons for “a demanding test of liability in the oversight context” such as the desire to incentivize board service by qualified individuals and to act as a “stimulus for good faith performance of duty by such directors.” Id. at 967, 971. Courts have also noted a reluctance to use hindsight to second-guess good-faith board decisions with respect to oversight.

Following the Caremark decision, plaintiffs frequently faced difficulty meeting the demanding test for liability, and oversight claims were often dismissed.

The Delaware Supreme Court Adopts the Caremark Standard in Stone v. Ritter

In 2006, in Stone v. Ritter, the Delaware Supreme Court adopted the Delaware Court of Chancery’s Caremark standard concluding that in order to sustain an oversight claim, a plaintiff must allege an oversight failure such as (a) a failure by the directors “to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously fail[ing] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).

The Delaware Supreme Court acknowledged that a good faith exercise of oversight responsibility “may not invariably prevent employees from violating criminal laws, or from causing the corporation to incur significant financial liability, or both” and reiterated that, in the absence of red flags, oversight is measured by the directors’ actions to ensure reasonable reporting and not a hindsight evaluation of what might have been done to prevent an incident. Id. at 373.

Like the Delaware Court of Chancery, the Delaware Supreme Court explained that oversight claims extend from a duty to act in good faith. As a result, the Delaware Supreme Court concluded that “imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations.” Id. This language leaves unclear whether significant negligence on the part of the board would be actionable and how the oversight duty could be reconciled with the duty of care. We think that former Chief Justice Strine’s opinion for the full Court in Marchand is a more clearly stated opinion, well-written and thoughtful.

The Delaware Supreme Court Upholds Caremark Standard But Denies Motion to Dismiss Oversight Claims in Marchand v. Barnhill

In June 2019, an en banc panel of the Delaware Supreme Court clarified the pleading requirements for Caremark claims in Marchand v. Barnhill. 212 A.3d at 805. In Marchand, the Delaware Supreme Court reversed the Delaware Court of Chancery’s dismissal of Caremark claims finding that the complaint alleged facts supporting a reasonable inference that the board “failed to implement any system to monitor [the company’s] food safety performance or compliance.” Id. at 809.

While many viewed the Marchand decision as a shift in the law and a lowering of the pleading requirement for oversight claims, we believe Marchand is consistent with the ruling in Caremark. First, the Delaware Supreme Court in Marchand acknowledged the difficulty in pleading these claims. The Marchand decision reiterated that the board has a duty to exercise oversight and to monitor “the corporation’s operational viability, legal compliance, and financial performance” by making a good faith “attempt to assure a reasonable information and reporting system exists” and then taking steps to monitor and oversee the system. Id. The Marchand court clarified that failures to either (i) implement reasonable systems or (ii) to monitor the existing systems are “act[s] of bad faith in breach of the duty of loyalty.” Id. In other words, implementing a system that is not reasonable under the circumstances could expose a board to liability as could the failure to monitor the system.

The Delaware Supreme Court noted that directors have “great discretion to design context- and industry-specific approaches tailored to their companies business and resources” and are, as would be expected under the business judgment rule, given deference even where illegal and harmful activities were not prevented as long as the board made good faith efforts to implement and monitor reasonable compliance and reporting systems.

Notably, the plaintiff in Marchand had used a books and record inspection under Section 220 of the Delaware General Corporation Law (DGCL) to plead facts demonstrating that the board had not addressed food and safety issues. The use of a Section 220 demand to evaluate breach of fiduciary claims was mentioned favorably in Marchand.

Recent Decisions Show Caremark Pleading Remains Difficult, But Not Impossible, Particularly Where Allegations of Oversight Failure Relate to Important or High Risk Functions Within a Business

Following the Marchand decision, a number of Caremark oversight claims have survived motion to dismiss challenges. See, e.g., In re Clovis Oncology Derivative Litigation, 2019 WL 4850188 (Del. Ch. Oct. 1, 2019) (permitting Caremark claim to proceed where complaint alleged that the board failed to monitor its compliance system leading to missed red flags in mission-critical oncology drug trials). This can be explained by the facts at issue in the cases—including those relating to so called “mission-critical” aspects of the business (such as food safety in the Marchand case)—and the increase in pre-suit Section 220 books and record inspections in recent years that have resulted in more substantive allegations.

For example, in an August 2020 decision in Teamsters Local 443 Health Services & Insurance Plan v. Chou, et. al., the Delaware Court of Chancery reiterated the formidable burden of pleading oversight claims but allowed the Caremark claims to proceed based on the allegations that the board ignored red flags and failed to monitor compliance and safety, a critical issue for a company operating in a highly regulated industry. No. CV 2019-0816-SG, 2020 WL 5028065, at *1 (Del. Ch. Aug. 24, 2020). As in Marchand, Plaintiffs in the case availed themselves of books and records inspection rights to bolster their allegations.

Similarly, in September the Delaware Court of Chancery permitted a Caremark claim to proceed against Boeing’s directors following two fatal airplane crashes based on another set of allegations involving, inter alia, concessions by a former director regarding the board’s failures with respect to safety oversight, a “mission-critical” issue for an aircraft company. See In re Boeing Co. Derivative Litig., No. CV 2019-0907-MTZ, 2021 WL 4059934, at *25 (Del. Ch. Sept. 7, 2021). Even in permitting the claims to go forward, the Delaware Court of Chancery re-iterated that a Caremark claim is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” Id. at *24 (quoting Caremark, 698 A.2d at 967).

Boeing plaintiffs, like plaintiffs in Marchand and Teamsters Local 443 Health Services & Insurance Plan, used books and records inspections to review board meeting minutes and packages to be able to allege the absence of discussions on critical issues to support the oversight board failure claims. As a result it is more critical than ever for boards to document the implementation systems of information flow and monitoring of company risks. Practices and recommendations are outlined at the end of this post.

Cybersecurity Oversight Obligations

As noted above, the Delaware courts have emphasized the importance of the board’s oversight duties, particularly with respect to mission-critical company issues and risks. Possible inadequacies of oversight systems in these mission critical areas will likely cause courts to give added scrutiny to boards oversight of them. Cyber-security poses an area of increasing risk for companies. With the progressive sophistication of cyber criminals in disrupting operations to extort payment, cyber-security is likely to be considered a significant risk for most businesses. Board oversight of cyber-security risks and risk mitigation policies is important for most companies and their directors.

In fact, in a recent Caremark case, the Delaware Court of Chancery acknowledged that cyber-security was “an area of consequential risk that spans modern business sectors.” Firemen’s Ret. Sys. of St. Louis on behalf of Marriott Int’l, Inc. v. Sorenson, No. CV 2019-0965-LWW, 2021 WL 4593777, at *11 (Del. Ch. Oct. 5, 2021). The Delaware Court of Chancery however, dismissed the suit against the board concluding that “[t]he growing risks posed by cybersecurity threats do not, however, lower the high threshold that a plaintiff must meet to plead a Caremark claim” and in the case before it “that the directors surpassed Caremark’s baseline requirement that they ‘try’ in good faith to put a ‘reasonable compliance and reporting system in place.’” Id. at *12-13.

Takeaway: Implement and Monitor Cybersecurity Policies and Oversight Procedures

As cyber-attacks become more and more common, and cybersecurity, for many companies, is increasingly recognized as a key aspect of any business, it is of the utmost importance that boards implement cyber-security policies and continue to monitor their efficacy and enforcement. Boards should consider creation of a cybersecurity board committee or decide to exercise oversight through a risk committee or reports to the full board. In any case, cybersecurity should be included in regular reports to the full board. Hiring of consulting firms who report to a cyber-committee and/or the board should be considered. Any cyber incidents should be disclosed to the board immediately.

Takeaway: Implement Oversight Measures and Document Risk Assessments

Caremark claims are not impossible to plead, but remain difficult because of the need to demonstrate the absence of good faith on the part of the board or committee. As made clear in Marchand, critical to the defense of any oversight suit is an ability of the board to show its participation in good faith implementation of reasonable oversight measures and in reasonable monitoring of significant compliance risks. The following steps are just a few of those that can be taken by company boards to help insulate from such claims:

  • Board members should of course continue to keep themselves informed on issues of significance to the company or of high risk. Directors should receive regular scheduled updates from either in-house or outside experts regarding risks in various aspects of corporate affairs;
  • The board should establish protocols requiring management to keep the board apprised of compliance practices, incidents, red flags and risks in a timely manner;
  • The board should insist that there be a reasonable system to assure updates and information flow on important issues and risks;
  • Delegate to an existing or new committee additional oversight of the occurrence and general topics of major risk areas for the company;
  • Memorialize general topics of board discussions on oversight and risks in board minutes;
  • Boards should continue to ensure that they have adequate D&O insurance to protect against any potential claims they may face. Companies should interview and work closely with a D&O broker as a trusted advisor to help see to it that the right policies are chosen.

Conclusion

Where boards act reasonably and in good faith, their actions are afforded considerable deference pursuant to the business judgment rule under Delaware law. For this reason plaintiffs face a high hurdle in pleading claims based on alleged oversight failures by a board operating with reasonable diligence and in good faith. The Delaware Supreme Court’s decision in Marchand did not lower this high burden but clarified the requirement that the oversight system implemented by the board be reasonably configured to ensure that necessary information is communicated to the board, particularly with respect to mission critical risks facing the particular company. The increased use of books and records inspections to identify gaps in board minutes and materials have aided plaintiffs, to some degree, in surviving motions to dismiss. Boards, general counsels, and other corporate secretaries, in appropriate cases, can help avoid successful claims against the board and the company by implementing reasonably configured reporting systems and documenting the board’s discussion of risks.

Both comments and trackbacks are currently closed.