Under the Delaware Chancery Court decision in the Caremark case, directors can be liable for failures in their oversight duties – that is, their duties to monitor the company and its functions. Lawsuits alleging a violation of the duty of oversight are notoriously challenging for plaintiffs. However, in the recent Marchand v. Barnhill case, the Delaware Supreme Court reversed the Chancery Court’s dismissal of a Caremark liability case and allowed the case to proceed against the board of an ice cream manufacturer that experienced a deadly listeria outbreak. Caremark liability cases remain difficult to plead and prove, but the Marchand decision nevertheless has important implications for director liability for breaches of their duty of oversight.
In an email exchange, loyal reader Paula Robertson Miller of Marsh raised the question of what the implications of the Marchand decision might be with respect to potential board oversight liability concerning cybersecurity and privacy issues. As discussed below, I believe the Delaware Supreme Court’s decision in the Marchand case could indeed have important implications with respect to board oversight of cybersecurity and privacy liability issues. The Delaware Supreme Court’s June 19, 2019 ruling can be found here. A July 12, 2019 post on the Cooley law firm’s PubCo blog about the ruling can be found here.
In 2015, ice cream manufactured by Blue Bell Creameries caused an outbreak of listeria that resulted in the deaths of three people and in many others becoming ill. The company was forced to close down its manufacturing operations for an extended period, which in turn caused the company to experience a liquidity crisis. To sustain itself through the crisis, the company completed a financing transaction that was dilutive to the interests of existing shareholders.
After completing a books and records request, a shareholder filed a derivative lawsuit alleging that the two officers of the company had breached their duties of care and loyalty by knowingly disregarding contamination risks and failing to oversee the safety of the company’s food-making operations, and that the company’s board of directors had breached their duty of loyalty under Caremark.
The defendants moved to dismiss the action for failure to plead demand futility. The Chancery Court granted the motion as to both the claim against the two executives and as to the Caremark claim against the directors. With respect to the claim against the officers, the Chancery Court held that the plaintiff had failed to establish that there was not a majority of disinterested directors to consider the demand. With respect to the Caremark claim, the Chancery Court held that plaintiff had not pleaded facts to support the allegation that the board had failed to adopt or implement any reporting or compliance system. The Court of Chancery said “What plaintiff really attempts to challenge is not the existence of monitoring and reporting controls, but the effectiveness of monitoring controls” and that “this is not a valid theory under Caremark.” The plaintiff appealed.
The June 19, 2019 Opinion
In a unanimous June 19, 2019 opinion written by Chief Justice Leo E. Strine, Jr., the Delaware Supreme Court reversed the lower court’s ruling as to both the claim against the two executives and the Caremark claim against the board.
With respect to the claim against the executives, the Court said that the plaintiff had pleaded sufficient facts to raise a reasonable doubt whether one of the directors could impartially assess the litigation demand.
With respect to the Caremark claim, Justice Strine opened his analysis by observing that “Caremark claims are difficult to plead and ultimately to prove out” and that a claim of a breach of Caremark duties is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”
Justice Strine then reviewed the elements of a Caremark claim. He noted that under Caremark and its progeny, a director “must make a good faith effort to oversee the company’s operations.” Failing to make that effort “breaches the duty of loyalty and can expose a director to liability.” For a plaintiff to prevail on a Caremark claim, the plaintiff must show that a fiduciary acted in bad faith. Bad faith is established when “the directors completely fail to implement any reporting information system or controls,” or, having implemented such controls, fail to monitor or oversee them.
In short, to satisfy their duty of loyalty, “directors must make a good faith effort to implement an oversight system and then monitor it.” Caremark’s bottom-line requirement is that the “board must make a good faith effort – i.e., try – to put in place a reasonable board-level system of monitoring and reporting.” Under these principles, a court’s inquiry in a Caremark liability case is not to examine the effectiveness of a board-level monitoring system, but rather to determine whether the complaint “pleads facts supporting a reasonable inference that the board did not undertake good faith efforts to put a board level system of monitoring and reporting in place.”
Turning to the facts alleged in the case against the Blue Bell directors, the Court found that while Caremark represents a “tough standard for plaintiffs to meet,” the plaintiff has met the standard here.
The Court noted that the allegations in the case related to one of the most central issues at the company, which is whether the only product it makes is safe for consumers. The plaintiff alleged that there was no board committee to address food safety issues; that there were no regular processes to keep the board apprised of food safety compliance; that there was no schedule for the board to consider on a regular basis any key food safety risks; that there were no disclosures at the board level of red flag incidents that preceded the listeria outbreak; and that the board meeting minutes are devoid of any suggestion that there was any regular discussion of food safety issues.
The Court said with respect to these allegations that “in sum, the complaint supports an inference that no system of board-level compliance monitoring and reporting existed at Blue Bell,” which in turn “supports an inference that the board has not made the good faith effort that Caremark requires.”
The Court concluded by saying:
If Caremark means anything, it is that a corporate board must make a good faith effort to exercise its duty of care. A failure to make that effort constitutes a breach of the duty of loyalty. Where, as here, a plaintiff has followed our admonishment to seek out relevant books and records, and then uses those books and records to plead facts supporting a fair inference that no reasonable compliance system and protocols were established as to the obviously most central consumer safety and legal compliance issue facing the company, that the board’s lack of efforts resulted in it not receiving official notices of food safety deficiencies for several years, and that, as a failure to take remedial action, the company exposed consumers to listeria-infected ice cream, resulting in the death and injury of company customers, the plaintiff has met his onerous pleading burden and is entitled to discovery to prove out his claim.
It probably is worth emphasizing at the outset that though the Supreme Court reversed the Chancery Court ruling dismissing the plaintiff’s claim and allowed the plaintiff’s Caremark claim against the Blue Bell board to go forward, Caremark claims remain challenging for prospective claimants. The burden on a plaintiff to plead a valid Caremark claim is and remains, as Chief Justice Strine noted in his opinion, “onerous.”
Not only do Caremark claims remain difficult for claimants to establish, but there are some exceptional features to this case that arguably make this the unusual case that could survive the challenging pleading hurdles.
The Court clearly seemed troubled by the fact that the listeria outbreak had resulted in the deaths of customers who consumed the company’s product, and that these deaths had followed a series of serious red flags about the company’s manufacturing operations over the course of several years. It also was clearly important to the Court that these unfortunate events involved an operating risk – i.e., food safety – that is absolutely mission critical. It may well be that these egregious facts explain the Court’s willingness to allow the plaintiff’s Caremark claim to go forward here when so many other Caremark cases do not survive dismissal motions.
All of that said, this case does underscore the fact that boards do indeed have certain oversight duties and that they can be held liable for breaching those duties if, as the post in the PubCo blog puts it, the board “simply leaves compliance and risk oversight entirely to the prerogatives of management.” The Marchand case demonstrates that boards must oversee and monitor corporate compliance risks.
Boards must be able to show, and can be held liable if they are unable to show, that they have made a good faith effort to establish appropriate reporting systems and reporting procedures that enable the board to discharge its oversight responsibilities. This potential liability exposure will be particularly significant with respect to matters that are critical to a company’s operations and business.
These considerations could be relevant with respect to any number of challenges that a company might face, but at the current moment two areas that are the source of a great deal of attention are cybersecurity and privacy. As a result of a significant number of data breaches and other privacy incidents, there is a growing movement toward holding corporate officials accountable when these events occur. It is no accident that as a part of its recent massive settlement with the FTC on privacy related issues, Facebook not only agreed that its CEO would have specific oversight and reporting responsibilities, but also that the company’s board must establish a privacy committee and maintain oversight responsibilities.
For many companies, data security and privacy concerns are every bit as mission critical as food safety is for Blue Bell Creameries. When companies experience breakdowns in this area, there are a number of constituencies that seek to hold companies and their executives liable – regulators, consumers, and, sometimes, investors. As I have documented on this site, there have been a number of actions brought by shareholders against companies and their officials alleging mismanagement and misrepresentation.
The Marchand decision suggests that at least in certain circumstances shareholders might attempt to hold directors accountable for data and privacy breaches by filing a Caremark claim alleging a breach of the duty of oversight. Yes, the pleading hurdles for this type of claim are “onerous.” But unless boards can demonstrate that they made a good faith effort to oversee mission critical areas of risk like data and privacy security, claimants may be able to establish a Caremark claim.
The implication of the Marchand opinion is that in order to demonstrate that they have fulfilled their duty of oversight boards must be able to show that they have made a good faith effort to monitor a critical area of company risk. Data security and privacy clearly are two areas of company risk that for many companies are absolutely critical. The lesson for boards here is not just that boards can be held liable for breaches of their duty of oversight. The lesson here is also that boards should take steps to ensure that they can demonstrate a good faith effort to oversee and monitor company risks – which for many companies will include a company’s data and privacy security concerns.
Special thanks to Paula Robertson Miller for sending me her question and encouraging me to think about the Marchand decision.