Earlier this year, in Marchand v. Barnhill, the Delaware Supreme Court underscored that boards that fail to establish oversight procedures for their company’s mission critical functions can be held liable for breach of their Caremark duties. In an October 1, 2019 decision in the Clovis Oncology Derivative Litigation, the Delaware Chancery Court provided further perspective on directors’ potential liability for breaches of the duty of oversight. The Chancery court held, citing Marchand, that boards not only must be able to show that they have made good faith efforts to implement an oversight system, but that also that they monitor the system – particularly when a company operates in a highly regulated industry. The Chancery Court’s October 1, 2019 decision in the Clovis Oncology Derivative Litigation can be found here.
Clovis is a developmental stage biotechnology company. During the relevant period, the company’s fortunes largely rested on Roci, a developmental drug intended to treat a type of lung cancer. In order to test Roci, the company established a clinical trial procedure using widely recognized and rigorous testing and reporting protocols. Under these protocols, the success of the trial, the likelihood of FDA approval, and the possibility of later physician update would depend on confirmed clinical responses, as unconfirmed clinical responses were viewed as less reliable.
In the subsequent shareholder derivative complaint, the plaintiffs alleged that the company misrepresented to investors and others the level of confirmed responses in the Roci clinical trial process. When the FDA later declined to approve the drug and when the actual confirmed response rate became public, the company’s share price declined precipitously.
The plaintiff shareholders filed a derivative lawsuit against the individuals on the company’s board of directors. The plaintiffs alleged that the board had breached its fiduciary duties under Caremark by failing to fulfill their duties to oversee the Roci clinical trials. The defendants moved to dismiss asserting that the plaintiffs had failed to make the requisite demand on the board of directors and also asserting that the plaintiffs had failed to plead a claim on which relief could be granted.
Although not directly relevant to the derivative lawsuit, it is interesting to note that these circumstances involved in derivative suit were also the subject of securities class action litigation. The securities suit ultimately settled for $25 million in cash and $117 million in Clovis stock. The SEC also pursued an enforcement action against three Clovis officials, which led to a consent decree requiring the three defendants to pay $20 million, $250,000 and $100,000 in civil penalties.
The October 1, 2019 Opinion
In an October 1, 2019 opinion, Vice Chancellor Joseph R. Slights III denied the defendants’ motion to dismiss with respect to the duty of oversight claim.
In ruling on the motion to dismiss, Vice Chancellor Slights noted the Delaware Supreme Court’s decision in Marchand v. Barnhill, which, he said, “underscores the importance of the board’s oversight function when the company is operating in the midst of a ‘mission critical’ regulatory compliance program.” He also noted that Marchand “makes clear” that where a company operates in a “mission critical” regulatory environment, “the board’s oversight function must be more rigorously exercised.” In order to show fulfillment of this oversight function, the board must show “a good faith effort to implement and oversight system and then to monitor it.”
Vice Chancellor Slights did find that the plaintiffs’ could not establish a breach of the first prong of the oversight duty, as the board did have oversight and reporting systems in place for the clinical trials. However, he did find that the plaintiffs’ allegations were sufficient to state a claim with regard to the second prong – that is, the duty to monitor the oversight systems.
In reaching this conclusion, Vice Chancellor Slights found that the plaintiffs had alleged that “the Board consciously ignored red flags that revealed a mission critical failure to comply” with the rigorous clinical trial protocols and associated FDA regulations, and that “this failure of oversight caused monetary and reputational harm to the Company.” The Vice Chancellor specifically found that the plaintiffs had alleged that the “Board ignored multiple warning signs that management was inaccurately reporting” the cancer drug’s efficacy.
Vice Chancellor’s reliance upon and citation to the Delaware Supreme Court’s Marchand v. Barnhill decision underscores the importance of that decision and its significance for directors’ potential liability for breach of fiduciary duty claims based on alleged breaches of the duty of oversight.
However, in Marchand, the Court was focused primarily on the alleged failure of the board in that case to have made a good faith effort to establish appropriate oversight systems in connection with a mission critical regulatory compliance issue. By contrast, in the Clovis Oncology case, the focus was not on the failure to have an oversight system, but the alleged failure to monitor the oversight system.
As noted in an October 5, 2019 post by attorneys from the Wachtell, Lipton on the Harvard Law School Forum on Corporate Governance and Financial Regulation (here), the Clovis Oncology decision represents a ruling “further extending the practical reach of the Caremark doctrine.” Having a compliance program alone is not enough; directors must have procedures in place to “ensure that the board itself monitors ‘mission critical’ corporate risks.”
While the Marchand and Clovis Oncology decision unquestionably have important implications for directors’ potential liabilities for alleged breaches of their duty of oversight, there are several important considerations to keep in mind.
First, in both Marchand and Clovis Oncology, the courts took great pains to underscore the fact that Caremark breach of the duty of oversight cases face a “high bar” and noting that Delaware’s courts have said, and repeated, that a Caremark claim “is among the hardest to plead and prove.” Nothing about the courts’ decision in these cases eliminated the “onerous” burden for plaintiffs to establish a Caremark claim.
Second, both Marchand and Clovis Oncology involved egregious circumstances that arguably colored the courts’ perceptions of the subsequent derivative lawsuits. In Marchand, the background included the deaths of customers that had consumed the defendant company’s product. In Clovis Oncology, the derivative claim related to circumstances that had already been the subject of a massive securities class action lawsuit settlement and also the subject of a settled SEC enforcement action. Clearly, neither of these cases represent routine or run of the mill circumstances.
Third, both Marchand and Clovis Oncology emphasized that the board’s oversight responsibilities were particularly important with respect to “mission critical” regulatory requirements. That is, the claims arose out of circumstances that involved compliance requirements that the board had to be watching, given the importance of the requirements to the company’s operations and business success.
In other words, these recent cases do not imply some massive expansion of boards’ oversight duties. They are not likely to result in some huge influx of duty of oversight claims.
Nevertheless, these cases do have important implications. Among other things, the courts’ decisions in these cases, which both involved denials of motions to dismiss, establish that while the burden for plaintiffs to establish a claim for breach of the duty of oversight is “onerous,” the standards are not insurmountable, and that allegations can be presented that meet these pleading requirements.
The decisions also establish that boards’ responsibilities do include both the establishment of and the monitoring of processes to oversee their companies’ “mission critical” regulatory compliance requirements. Further, the decisions establish that boards that do not fulfill these oversight requirements can be held liable for breaches of their fiduciary duties.
As I noted in a recent post with respect to boards’ oversight duties, these lessons are relevant with respect to any number of challenges that companies might face, but they arguably could have significant implication with respect to two areas that are the subject of particular regulatory focus at the moment, cybersecurity and privacy.