Cybersecurity in the Boardroom: ‘Caremark’ Liability for Boards’ Failure to Oversee Cybersecurity

In an era of increasing cyberattacks by varying threat actors, the board's oversight of cybersecurity risks remains a key responsibility. In two recent cases, the Delaware Court of Chancery (Chancery Court) dismissed Caremark claims against directors following major cybersecurity incidents, concluding that the plaintiffs had failed to plead specific facts from which bad faith liability on the part of the directors could plausibly be inferred. However, the growing threat of such incidents and the enactment of new expansive privacy laws together underscore the need for boards to exercise appropriate care in overseeing such risks. Boards should ensure that they are receiving necessary information from management or outside experts to exercise such oversight and should appropriately document their consideration of these risks. 

When do boards face ‘Caremark’ liability?

Caremark claims are typically derivative claims asserted by shareholders alleging that the board breached its duty of loyalty by failing to oversee key operations. To be viable, such claims must adequately allege that the board failed to impose systems for reporting risks or failed to act in the face of red flags disclosed to it. The Supreme Court of Delaware summarized it this way: “In short, to satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.”^[1]

In non-cybersecurity-related matters, Delaware courts have signaled an increased willingness to allow to go forward, at least at the pleading stage, claims that seek to hold directors liable for their failure to exercise oversight over “mission critical” company risks.^[2]

In 2019, the Delaware Supreme Court held in Marchard v. Barnhill that the board was plausibly liable under Caremark for its alleged lack of oversight efforts when the company’s consumers were exposed to listeria-infected ice cream.^[3] And in 2021, the Chancery Court allowed a Caremark claim to proceed against the Boeing board following crashes of two of its airplanes.^[4] Plaintiffs in both Marchand and Boeing adequately alleged that the respective boards had failed to establish a reporting system and ignored red flags regarding an “essential and mission critical” aspect of the company’s business: food safety in Marchand and airplane safety in Boeing.^[5]

These cases highlight that boards should take an active role in implementing and monitoring reasonable information and reporting systems regarding mission-critical matters, rather than leave such tasks in the hands of management. Boards should meaningfully discuss mission-critical matters on a regular basis, receive regular updates on such matters from management, document their efforts to oversee and monitor such matters, and periodically identify any new risks that might require systematic oversight.^[6]

Past ‘Caremark’ claims alleging failures to oversee cybersecurity

Thus far, the Chancery Court has recently dismissed at the pleading stage two Caremark claims brought against boards for their alleged failures to oversee cybersecurity risks. However, the Chancery Court left the door open to such claims if a plaintiff can demonstrate that the board acted in bad faith by failing to oversee cybersecurity risks.

In September 2022, the Chancery Court rejected a Caremark complaint brought against the board of software company SolarWinds based on a massive cyberattack that exposed customers’ personal information, following which the company’s stock plummeted.^[7] In its decision, the court acknowledged that the SolarWinds board failed to prevent a large corporate trauma and that cybersecurity is “mission critical” for online service providers. Nevertheless, the court held that the plaintiffs had failed to plead specific facts leading to that trauma from which to infer bad faith liability on the board’s part.^[8] It held that plaintiffs had not credibly alleged that the board had allowed the company itself to violate law, had failed to implement a minimal reporting system about corporate risk including cybersecurity or had ignored “red flags” of cyberthreats that would suggest it consciously disregarded its oversight duties.^[9]

In October 2021, the Chancery Court similarly dismissed Caremark claims against the Marriott board based on a cyberattack related to the hotel company’s reservation system. The court reiterated that a board’s failure to prevent a corporate trauma alone will not subject it to Caremark liability unless it acted in bad faith leading to the failure.^[10] Because the plaintiff had not shown that the board had completely failed to undertake its oversight responsibilities, had turned a blind eye to known compliance violations or had consciously failed to remediate cybersecurity failures, the court dismissed the complaint.^[11]

Increased risk of ‘Caremark’ liability based on violations of positive law

In SolarWinds and Marriott, the court pointed out that there was no credible allegation in either case that the boards consciously disregarded “positive law.” However, the court did not foreclose the possibility that directors may be liable solely based on their failure to monitor business risk, like the risk of a third-party cybersecurity incident, in extreme cases of bad faith.^[12] The court stated it is possible to envision Caremark liability “based solely on failure to monitor business risk” in “an extreme hypothetical involving liability for bad faith actions of directors.”^[13]

Thus far, however, only bad faith allegations in connection with a corporation’s violation of positive law have led to viable claims under Caremark.^[14] In SolarWinds, the Chancery Court found no violation of positive law. It stated that Securities and Exchange Commission (SEC) guidance regarding cybersecurity disclosures “does not establish positive law with respect to required cybersecurity procedures or how to manage cybersecurity risks,” and that the New York Stock Exchange cybersecurity guide is not positive law because it is not binding.^[15] Furthermore, the court stated that “even if lack of cybersecurity oversight might be an appropriate subject for a Caremark claim, a violation of law or regulation is still likely a necessary underpinning to a successful pleading.”^[16]

The effect of new expansive data privacy laws

Recently enacted data privacy laws may, in fact, constitute positive law requirements that could have the effect of increasing directors’ exposure to the threat of Caremark litigation.^[17] For example, five comprehensive state privacy laws take effect in 2023, all of which place affirmative cybersecurity and data handling requirements on companies that process personal data. New regulations proposed by both the SEC and the New York Department of Financial Services not only include similar cybersecurity requirements, but also mandate board oversight to ensure a company meets those requirements.^[18]

The rising penalties for violating existing data privacy laws may also pose a significant risk to corporations and their boards, who are responsible for overseeing that risk. For example, two recent Illinois Supreme Court cases construing Illinois’ Biometric Information Privacy Act (BIPA) may have significantly expanded the threat of potential BIPA claims. In one decision, the court established that the statute of limitations period for BIPA claims is five years, extending the lookback period for BIPA violations from the one-year period that the defendant argued should apply.^[19]

In another decision, the court held that BIPA claims accrue at each act of collection and each act of disclosure, even if each act concerns the same biometric identifier.^[20] The defendant argued that claims should be limited to the first time that a private entity scans or transmits a party’s biometric identifier or biometric information. However, the court held that no such limitation appears in the statute.^[21] That decision may potentially lead to dramatically higher damages for BIPA violations, since BIPA provides for statutory damages of $1,000 for each negligent violation and $5,000 for each intentional violation. The defendant in that case estimated that it would face more than $17 billion in classwide damages.

New privacy laws and rules and expanding exposure under existing laws like BIPA all pose challenges to companies and their directors. Consistent with Caremark and its progeny, boards will need to implement reasonable systems to oversee those risks and then document their compliance.

^[1] _{Marchand v. Barnhill, 212 A.3d 805, 821 (Del. 2019).}

_{[2] But see the recent McDonald’s case, In re McDonald’s Corp. S’holder Derivative Litig., No. 2021-0324-JTL, 2023 WL 2293575 (Del. Ch. Mar. 1, 2023), where the Chancery Court dismissed Caremark claims against the McDonald’s board relating to its alleged failure to address sexual harassment and misconduct issues at the company. The court stated that boards do have an obligation to monitor all “central compliance risks,” but held that the complaint did not support an inference that the McDonald’s board failed to respond to issues it knew about.}

_{[3] Marchand, 212 A.3d at 824.}

^[4] _{In re Boeing Co. Derivative Litig., No. CV 2019-0907-MTZ, 2021 WL 4059934, at *25 (Del. Ch. Sept. 7, 2021) (Boeing).}

^[5] _{Marchand at 824; Boeing at *25.}

^[6] _{See Kramer Levin, Client Alert, Delaware Court of Chancery Allows Caremark Claim To Proceed Against Boeing Directors (Sept. 21, 2021), available at https://www.kramerlevin.com/en/perspectives-search/delaware-court-of-chancery-allows-caremark-claim-to-proceed-against-boeing-directors.html.}

^[7] _{Constr. Indus. Laborers Pension Fund v. Bingle, No. 2021-0940-SG, 2022 WL 4102492 (Del. Ch. Sept. 6, 2022) (SolarWinds).}

^[8] _{Id. at *2.}

^[9] _Id.

^[10] _{Firemen’s Ret. Sys. of St. Louis on behalf of Marriott Int’l, Inc. v. Sorenson, No. CV 2019-0965-LWW, 2021 WL 4593777, at *12 (Del. Ch. Oct. 5, 2021) (Marriott).}

^[11] _{Id. at *1.}

^[12] _{Marriott at *14; SolarWinds at *1.}

^[13] _Id.

^[14] _{SolarWinds at *1.}

^[15] _{Id. at *9.}

^[16] _{Id. at *7 (emphasis added).}

^[17] _{See Kramer Levin, Client Alert, Cybersecurity, Privacy and Data Protection 2022 Year in Review (Jan. 24, 2023), available at https://www.kramerlevin.com/en/perspectives-search/cybersecurity-privacy-and-data-protection-2022-year-in-review.html.}

^[18] _{See Kramer Levin, Client Alert, SEC Proposes Cybersecurity Risk Management Requirements for Investment Advisers and Registered Funds (Feb. 11, 2022), available at https://www.kramerlevin.com/en/perspectives-search/sec-proposes-cybersecurity-risk-management-requirements-for-investment-advisers-and-registered-funds.html; Kramer Levin, Client Alert, New York State Department of Financial Services To Amend Cybersecurity Regulations for Financial Services Companies (Nov. 17, 2022), available at https://www.kramerlevin.com/en/perspectives-search/new-york-state-department-of-financial-services-to-amend-cybersecurity-regulations-for-financial-services-companies.html.}

^[19] _{Tims v. Black Horse Carriers, Inc., 2023 WL 1458046 (Ill. 2023).}

^[20] _{Cothron v. White Castle System, Inc., 2023 WL 2052410 (Ill. 2023).}

^[21] _{Id. at *7.}