
Potential Board Liability for Cybersecurity Failures Under Caremark Law

Cybersecurity is now among the most critical risk areas for companies across industries, and boards of directors must be vigilant in overseeing their companies’ cybersecurity efforts. Failing to do so not only increases risks for the company, but may also expose board members to personal liability. Developments in Delaware’s Caremark doctrine for breaches of fiduciary duty have paved a narrow path for plaintiffs to hold directors liable for failing to adequately address and oversee their company’s cybersecurity and data privacy risks.

Cybersecurity and data privacy risks are high

Data breaches have become ubiquitous and are an ever-present risk for companies, their customers, employees, and shareholders. High-profile data breaches affecting major corporations in the last decade have brought the issue of cybersecurity front and center. For example, in 2013, Target experienced a massive data breach affecting over 100 million records, and in 2014 Home Depot fell victim to a data breach affecting 56 million records. Each of these cybersecurity failures resulted in the company paying out significant settlements—Target’s multistate settlement cost over $18 million and Home Depot’s settlement was over $27 million. These are only two examples among many instances of serious data breaches impacting corporate America. Cybersecurity risks, especially ransomware attacks, saw a marked increase in the work-from-home era necessitated by the COVID-19 pandemic, as businesses lost some measure of control over their employees’ activities and data security hygiene and threat actors have become increasingly sophisticated.

In addition to the significant financial, reputational, and strategic risks posed by cybersecurity failures, the regulatory landscape for data privacy is rapidly changing. The General Data Protection Regulation (GDPR) governs data collected from residents of the European Union, and violations can result in serious fines. In the U.S., California, New York, and Virginia have recently passed state legislation aimed at enhancing data protection. The pervasive risks of cybersecurity attacks and regulatory compliance failures are now among the most significant risks that businesses face.

Importantly, while it receives less attention in the national press reporting high-profile data incidents or cyberattacks, shareholders have taken notice of increased cybersecurity risks and are increasingly seeking to hold directors and officers personally liable through derivative litigation. Cases recently decided by the Delaware Chancery Court under the landmark Caremark case have paved a path for shareholder-plaintiffs to hold directors and officers liable for breaching their fiduciary duties in the wake of a cybersecurity failure, and have increased the importance of board oversight of cybersecurity.

Caremark and its progeny pave a path for director and officer liability

The Court’s 1996 landmark decision in Caremark established a legal framework for holding directors personally liable for breaching the duty of loyalty when the directors fail to “appropriately monitor and supervise the enterprise.” Under Caremark, directors may be liable in two distinct contexts: (1) “a board decision that results in a loss because that decision was ill advised or ‘negligent,’” or (2) “an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.” For liability to attach under the Caremark theory, the board must have entirely failed to provide any reasonable oversight in a “sustained and systematic fashion,” or the information reporting system on which the board relied must be deemed an “utter failure.” Historically, it has been very difficult for plaintiffs to satisfy the onerous standard established in Caremark, and cases pursuing this legal theory have often been unsuccessful. However, shareholders have recently found some success with this theory of liability, and a trend of using Caremark to sue directors for failing to adequately protect against cybersecurity breaches is emerging.

In 2019, the Delaware Supreme Court issued a noteworthy decision concerning the Caremark standard. Marchand v. Barnhill involved a board’s alleged failure to oversee the company’s food manufacturing and safety procedures. The company, an American ice cream manufacturer regulated by the Food and Drug Administration, conducted a product recall after a listeria outbreak connected to its products resulted in three deaths. The product recall and related plant shutdowns translated into a monetary loss for investors. Plaintiffs brought a Caremark action against the company’s directors, alleging that the board failed to oversee the company’s food safety procedures. On appeal, the Court reversed the Chancery Court’s dismissal of the Caremark claim and allowed the case to proceed against the directors. The key allegations that the Court focused on in its decision to allow the claim to proceed included: (1) the non-existence of a board committee that addressed food safety; (2) the lack of reports and/or procedures requiring management to keep the board apprised of food safety compliance practices; (3) the lack of evidence that “red” or “yellow” flags related to the outbreak and contained in management reports were disclosed to the board; (4) the fact that the board was presented with favorable information about food safety but not advised of negative reports that existed; and (5) the absence of any regular discussion of food safety issues at board meetings.

The Marchand decision marked a milestone in the progression of Caremark claims and provided a roadmap for plaintiffs to satisfy the high standard for such claims. Since the decision in Marchand, shareholder-plaintiffs’ Caremark claims have prevailed at the motion to dismiss stage in several additional cases, including In re Boeing Co. Derivative Litig. Relying on the rationale of Marchand, the Delaware Court of Chancery allowed a Caremark claim to proceed against Boeing’s directors, holding that the shareholder-plaintiffs adequately pled that the directors failed to adequately oversee Boeing’s airplane safety, which was “essential and mission critical” to the company’s business. The factors that the Court considered in Marchand and Boeing are readily applicable to the cybersecurity context.

Potential Caremark liability for cybersecurity failures

In the last decade or so, plaintiffs have increasingly pursued Caremark claims against directors in the wake of serious corporate data breaches. Wyndham, Target, and Home Depot each suffered significant data breaches between 2008 and 2014, and each of these breaches was followed by a shareholder derivative action seeking to hold directors personally liable for their failure to monitor the companies’ cybersecurity programs.

  • In 2008 and 2009, Wyndham, a global hotel chain, suffered three data breaches, which resulted in hackers accessing personal information for over 600,000 Wyndham customers. Shareholders brought a Caremark claim against the directors. The court dismissed the case, holding that the plaintiff failed to meet its burden for demand refusal. The court took note of the plaintiff’s underlying theory of liability, explaining that the plaintiff’s Caremark claim was a “novel theory” with “potential weaknesses.”
  • In 2013, Target suffered a historic data breach during its busy holiday season, which exposed the credit card information of 40 million customers, and resulted in related settlements of over $18 million. Shareholders pursued a Caremark claim against Target’s officers and directors. In response to the lawsuit, Target created a Special Litigation Committee (SLC), which ultimately concluded that it would not be in the company’s best interest to further pursue the action, and the court accepted the SLC’s report and dismissed the case.
  • In 2014, Home Depot fell victim to a data breach that exposed the financial information of 56 million customers. This breach was, again, followed by a derivative claim against Home Depot’s directors, alleging a Caremark claim based on Home Depot’s failure to oversee cybersecurity and put in place a plan for immediately remedying the data breach. The court granted the officers and directors’ motion to dismiss, holding that the plaintiffs failed to meet the high bar of “bad faith,” which requires a showing that the directors “completely failed to undertake their responsibilities.”

While these lawsuits were unsuccessful, the subsequent decisions in Marchand and Boeing have meaningfully shifted the landscape of the once illusory Caremark claim, and opened the door for such cybersecurity-related claims to survive a motion to dismiss. Applying the types of factors considered in Marchand and Boeing, a court could reasonably conclude that similar failures in the cybersecurity context, if proven, subject the directors to liability.

Consider the following hypothetical: a corporation, which is subject to various state and international data protection and privacy laws, suffers a significant data breach that exposes personal information, including financial information. The Board: (1) does not have a committee that addresses cybersecurity or data privacy; (2) does not have a consistent reporting structure to keep it apprised of data privacy compliance or cybersecurity efforts; (3) fails to receive information about potential failures (i.e., “red flags”) in the company’s cybersecurity; (4) receives only favorable information related to cybersecurity, but is not notified of unfavorable information, such as attempted cybersecurity attacks; and (5) does not regularly discuss cybersecurity at its meetings. This hypothetical presents a scenario similar to the one that faced the court in Marchand, albeit in a different context, and would presumably result in a viable Caremark claim against the directors.

Satisfying the duty to oversee cybersecurity risks and data privacy risks

Given the developments in the Caremark case law and shareholder-plaintiffs’ pursuit of that theory in the cybersecurity context, boards can take immediate steps to proactively oversee the company’s cybersecurity risks and ensure that they are meeting their fiduciary duty of oversight. Such measures will not only bolster the company’s protection against cybersecurity breaches, but will also protect directors from personal liability in the event of a data breach. Effective board oversight of cybersecurity risks includes both mechanisms to thoroughly understand the risks and their evolution, and structures for addressing those risks. Boards should consider adopting some of the following practices to ensure adequate oversight of the company’s cybersecurity risks:

  1. Training board members annually or bi-annually to ensure that directors understand the complex and constantly-evolving landscape of cybersecurity and data privacy;
  2. Including updates and discussions on cybersecurity in regular board meetings, and ensuring that those discussions are adequately memorialized in board minutes;
  3. Creating a consistent reporting structure for cybersecurity oversight, including quarterly assessments and reports from either experienced company executives or external experts;
  4. Establishing a cybersecurity committee, or assigning cybersecurity oversight to an existing board committee with sufficient time and knowledge to manage cybersecurity risk;
  5. Adding one or more directors with cybersecurity expertise;
  6. Evaluating existing cybersecurity systems and exploring potential enhancements on a regular basis; and
  7. Ensuring the company has a crisis preparedness plan for cybersecurity breaches, and reviewing that plan on a regular basis.

Cybersecurity breaches can occur at even the best prepared companies, but ensuring the board’s active and ongoing oversight of cybersecurity risks can decrease the company’s exposure and protect directors and officers from litigation. Cybersecurity breaches, and their related financial impacts, present a ripe opportunity for shareholder-plaintiffs. Boards should be prepared and proactively protect against cybersecurity-related litigation.