What is the Caremark Law and How Does it Relate to Cybersecurity Decisions?

What is the Caremark law? 

The Court’s 1996 landmark decision in Caremark established a legal framework for holding directors personally liable for breaching the duty of loyalty when the directors fail to “appropriately monitor and supervise the enterprise.” Under Caremark, directors may be liable in two distinct contexts:  (1) “a board decision that results in a loss because that decision was ill advised or ‘negligent,’” or (2) “an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”  For liability to attach under the Caremark theory, the board must have entirely failed to provide any reasonable oversight in a “sustained and systematic fashion,” or the information reporting system on which the board relied must be deemed an “utter failure.”  Historically, it has been very difficult for plaintiffs to satisfy the onerous standard established in Caremark, and cases pursuing this legal theory have often been unsuccessful. However, shareholders have recently found some success with this theory of liability and a trend of using Caremark to sue directors for failing to adequately protect against cybersecurity breaches is emerging.

In 2019, the Delaware Supreme Court issued a noteworthy decision concerning the Caremark standard.  Marchand v. Barnhill involved a board’s alleged failure to oversee the company’s food manufacturing and safety procedures. The company, an American ice cream manufacturer regulated by the Food and Drug Administration, conducted a product recall after a listeria outbreak connected to its products resulted in three deaths. The product recall and related plant shutdowns translated into a monetary loss for investors.  Plaintiffs brought a Caremark action against the company’s directors, alleging that the board failed to oversee the company’s food safety procedures. On appeal, the Court reversed the Chancery Court’s dismissal of the Caremark claim and allowed the case to proceed against the directors.  The key allegations that the Court focused on in its decision to allow the claim to proceed included:  (1) the non-existence of a board committee that addressed food safety; (2) the lack of reports and/or procedures requiring management to keep the board apprised of food safety compliance practices; (3) lack of evidence that “red” or “yellow” flags related to the outbreak and contained in management reports were disclosed to the board; (4) the fact that the board was presented with favorable information about food safety but not advised of negative reports that existed; and (5) board meetings lacked any regular discussions of food safety issues.

How does this relate to Cybersecurity decisions?

Caremark and its progeny pave a path for director and officer liability. This provides a real potential for Caremark liability for cybersecurity failures.

In the last decade or so, plaintiffs have increasingly pursued Caremark claims against directors in the wake of serious corporate data breaches. Wyndam, Target, and Home Depot each suffered significant data breaches between 2008 and 2014, and each of these breaches was followed by a shareholder derivative action seeking to hold directors personally liable for their failure to monitor the companies’ cybersecurity programs.

  • In 2008 and 2009, Wyndam, a global hotel chain, suffered three data breaches, which resulted in hackers accessing personal information for over 600,000 Wyndam customers.  Shareholders brought a Caremark claim against the directors.  The court dismissed the case, holding that the plaintiff failed to meet its burden for demand refusal. The court took note of the plaintiff’s underlying theory of liability, explaining that plaintiff’s Caremark claim was a “novel theory” with “potential weaknesses.”
  • In 2013, Target suffered a historic data breach during its busy holiday season, which exposed the credit card information of 40 million customers, and resulted in related settlements of over $18 million. Shareholders pursued a Caremark claim against Target’s officers and directors. In response to the lawsuit, Target created a Special Litigation Committee (SLC), which ultimately concluded that it would not be in the company’s best interest to further pursue the action, and the court accepted the SLC’s report and dismissed the case.
  • In 2014, Home Depot fell victim to a data breach that exposed the financial information of 56 million customers. This breach was, again, followed by a derivative claim against Home Depot’s directors, alleging a Caremark claim based on Home Depot’s failure to oversee cybersecurity and put in place a plan for immediately remedying the data breach. The court granted the officers and directors’ motion to dismiss, holding that the plaintiffs failed to meet the high bar of “bad faith,” which requires a showing that the directors “completely failed to undertake their responsibilities.”
 

While these lawsuits were unsuccessful, the Court’s subsequent decision in Marchand and Boeing has meaningfully shifted the landscape of the once illusory Caremark claim, and opened the door for such cybersecurity-related claims to survive a motion to dismiss.  Applying the types of factors considered in Marchand and Boeing, a court could reasonably conclude that similar failures in the cybersecurity context, if proven, subject the directors to liability. Consider the following hypothetical: a corporation, which is subject to various state and international data protection and privacy laws, suffers a significant data breach that exposes personal information, including financial information.  The Board:  (1) does not have a committee that addresses cybersecurity or data privacy; (2) does not have a consistent reporting structure to keep it apprised of data privacy compliance or cybersecurity efforts; (3) fails to received information about potential failures (i.e., “red flags”) in the company’s cybersecurity; (4) received only favorable information related to cybersecurity, but is not notified of unfavorable information, such as attempted cybersecurity attacks; and (5) does not regularly discuss cybersecurity at its meetings.  This hypothetical presents a similar scenario that faced the court in Marchand, albeit in a different context, and would presumably result in a viable Caremark claim against the directors.

Satisfying the duty to oversee cybersecurity risks and data privacy risks

Given the developments in the Caremark case law and shareholder-plaintiffs’ pursuit of that theory in the cybersecurity context, boards can immediate steps to proactively oversee the company’s cybersecurity risks, and ensure that they are meeting their fiduciary duty of oversight. Such measures will not only bolster the company’s protection against cybersecurity breaches, but will also protect directors from personal liability in the event of a data breach.  Effective board oversight of cybersecurity risks includes mechanisms to both thoroughly understand the risks, and there evolution, and structures for addressing those risk. Board should consider adopting some of the following practices to ensure adequate oversight of the company’s cybersecurity risks:

  1. Training board members and executives annually or bi-annually to ensure that strategic decision makers understand the complex and constantly-evolving landscape of cybersecurity and data privacy;
  2. Including updates and discussions on cybersecurity in regular management meetings, and ensuring that those discussions are adequately memorialized in meeting minutes;
  3. Creating a consistent reporting structure for cybersecurity oversight, including quarterly assessments and reports from either experienced company executives or external experts;
  4. Establishing a cybersecurity committee, or assigning cybersecurity oversight to an existing trusted advisor with sufficient time and knowledge to manage to manage cybersecurity risk;
  5. Adding one or more directors with cybersecurity expertise;
  6. Evaluating existing cybersecurity systems and exploring potential enhancements on a regular basis; and
  7. Ensuring the company as a crisis preparedness plan for cybersecurity breaches, and reviewing that plan on a regular basis.

Cybersecurity breaches can occur at even the best prepared companies, but ensuring the board active and ongoing oversight of cybersecurity risks can decrease the company’s exposure, and protect directors and officers from legal recourse. Cybersecurity breaches, and their related financial impacts, present a ripe opportunity for shareholder-plaintiffs. Boards should be prepared and proactively protect against cybersecurity-related litigation.

Source: Potential Board Liability for Cybersecurity Failures Under Caremark Law – CPO Magazine