A Caremark­-based claim against a board of directors alleging a failure to monitor corporate operations has been said to be "the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment," or at least to withstand a motion to dismiss. Yet, Caremark has taken on renewed importance - as noted by this blog - following recent high-profile successes on duty-to-oversee claims, most notably in Marchand v. Barnhill in 2019 and In re Boeing in September 2021, and recent shareholder lawsuits, alleging that data breach- and cybersecurity-related failures would have been preventable were it not for oversight failures by corporate officers and directors, are being plead asserting Caremark claims.

In the landmark In re Caremark case, the Delaware Court of Chancery recognized a duty on the part of directors and officers to monitor corporate operations that have the potential to create liability for the company. This duty is understood as derivative of the duty of loyalty, because where directors know or should know that they have a duty to act, and they fail to do so, "they breach their duty of loyalty by failing to discharge that obligation in good faith."

To successfully allege a Caremark claim, a plaintiff must plead facts demonstrating that either "(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention." Put differently, the directors must have acted in bad faith in failing to oversee. Furthermore, this failure must be related to some aspect of the business that is "essential and mission critical."

As our "data economy" has fed an increase in data security incidents, failures in data security have in turn created significant risks to corporations. These risks take many forms, including loss of access to business-critical data and IT infrastructure, successful consumer class action lawsuits, regulatory liability, or loss of commercial counterparties or liability to those counterparties. Not surprisingly, shareholder lawsuits have also followed, seeking to hold corporate boards responsible for lax oversight that results in harm to the corporation following a data security incident. To date, Caremark claims based on data security incidents have mostly failed to gain traction; the vast majority have been dismissed at the motion to dismiss stage and a smaller portion have settled, as our colleagues noted in an article for Bloomberg Law back in 2017. Several recent cases have confirmed that Caremark claims remain difficult to bring (much less win), even when those claims are based on data security incidents. But these cases also reveal potential avenues that shareholder plaintiffs may pursue when bringing data security-related Caremark claims.

In a case involving Marriott, Firemen's Ret. Sys. of St. Louis ex rel. Marriott Int'l, Inc. v. Sorenson, a shareholder sued the company's officers and directors for alleged oversight failures related to a 2018 data breach that exposed the personal information of approximately 500 million guests. On October 5, 2021, Vice Chancellor Will dismissed the Marriott shareholder's complaint for failure to plead demand futility, finding that "none of the directors face a substantial likelihood of liability under Caremark," since the Board had a system to assess cybersecurity risks and did not consciously disregard red flags that arose from it. As to Caremark's first prong, the court noted that the Marriott Board was consistently apprised of cybersecurity threats, and it repeatedly designated data security as a priority for the company - features that the plaintiff's complaint noted and that meant the board had not "utterly failed" to implement a monitoring and reporting system. By alleging that the company did not keep up with non-obligatory industry standards and "risked" violations of certain laws, the complaint also did not adequately plead that the Marriott Board did not become aware of violations of law (i.e., red flags) and disregard them.

As a result of to the complaint's failure to meet either prong under Caremark, meaning that no director faced a substantial likelihood of liability, Vice Chancellor Will determined that the Marriott Board remained capable of deciding whether to pursue litigation on the company's behalf, and demand was not excused. Any future lawsuits - and their choice of legal strategy - are something this blog and others will be watching for. But, as Vice Chancellor Will noted, while "corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place . . . growing risks posed by cybersecurity threats do not, however, lower the high threshold that a plaintiff must meet to plead a Caremark claim."

Only a month later, in November 2021, and just weeks apart, shareholders of SolarWinds and T-Mobile filed lawsuits alleging breaches of fiduciary duties by their respective boards in connection with cybersecurity failures - SolarWinds SUNBURST breach in December 2020 that impacted scores of clients, including the United States Government, and T-Mobile's August 2020 data breach impacting 54 million customers and February 2021 fine by the Federal Communications Commission ("FCC") over data security weaknesses. Both complaints attempt to distinguish themselves from the claim against Marriott.

The SolarWinds shareholders tie demand futility primarily to the board's decision to excuse Kevin Thompson, the former CEO, of any liability in connection with the SUNBURST breach and re-hire him as a "consultant" to assist with the breach fallout. This complaint also appears to focus on Caremark's first prong, the board's "utter failure" to implement a system of controls and oversight. Much of the complaint is redacted, including most of the section containing allegations regarding the board's oversight failures. But the unredacted text contains allegations that an outside consultant warned SolarWinds directors and officers of both the vulnerabilities in their data security systems and the company's apparent unwillingness to strengthen them. The shareholders describe, for example, simple passwords such as "solarwinds123" used to protect critical aspects of the company's flagship software product, which the company later acknowledged was a vulnerability the SUNBURST hackers exploited in their data security breach. The plaintiffs also allege that SolarWinds also advertised its high-profile clientele on its public website, providing what critics have called "a shopping list for adversaries," and then removed this list after the hack.

Additionally, in the initial paragraphs of the complaint, the shareholders state that "SolarWinds is a monoline provider" of IT software, the success of which "depends on trusted access to its clients' IT systems." The choice of language invokes Marchand, where the Delaware Supreme Court highlighted Bluebell's character as a "monoline company" whose success depends on consumer trust in the safety of its product (ice cream).

The T-Mobile complaint contains another distinction from the Marriott complaint. The Marriott court held that the plaintiffs failed to demonstrate that the board ignored known violations of law (i.e., red flags), in part because there had been no violations of law for the Marriott Board to ignore. Indeed, in her Marriott opinion, Vice Chancellor Will noted that "Oversight violations are typically found where companies - particularly those operating within a highly regulated industry - violate the law or run afoul of regulatory mandates." By contrast, the T-Mobile shareholders allege that the company's data security failures did result in violations of law. The T-Mobile complaint points to the FCC investigation and resulting fine levied on T-Mobile to allege that the Board was "long aware of" yet "failed to heed . . . red flags" related to the company's cybersecurity inadequacies.

Whether the Caremark claims against the SolarWinds and T-Mobile boards survive past the motion to dismiss stage is yet to be seen, and this blog's contributors will be monitoring closely as these cases and others like them unfold.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.