Last month, when the Delaware Court of Chancery sustained the breach of the duty of oversight claim against the Boeing board, some observers suggested we could see an increase in board oversight breach lawsuits. We may yet see more breach of the duty of oversight claims, but another more recent Delaware Chancery Court decision in the Marriott data breach shareholder derivative suit suggests claimants still face an uphill battle in asserting these kinds of claims. On October 5, 2021, Delaware Vice Chancellor Lori Will granted the defendants’ motion to dismiss in the case, in part on grounds related to the plaintiff’s breach of the duty of oversight claims. As discussed below, the ruling could have particular significance with respect to the prospects for claims of breach of the duty of oversight relating to cybersecurity issues. A copy of Vice Chancellor Will’s opinion can be found here.
In September 2018, Marriott International Inc. discovered a data breach affecting customer records. The breach, which Marriott later determined had begun in 2014, pertained to the reservation system of Starwood Hotels and Resorts, which Marriott acquired in 2016. Marriott ultimately determined that the breach exposed the personal data of over 500 million guests. Marriott publicly announced the breach on November 30, 2018.
Multiple lawsuits ensued, including both a securities class action lawsuit and a separate federal court shareholder derivative lawsuit alleging violations of the federal securities laws as well as claims for alleged violation of Delaware law. As discussed here, in June 2021, the federal court presiding over the securities class action lawsuit and the federal court derivative suit granted the defendants’ motions to dismiss both actions. In dismissing the federal law claims in the federal court derivative suit, the court also declined to exercise supplemental jurisdiction over the state law claims and dismissed those without prejudice.
A separate plaintiff filed a shareholder derivative lawsuit against the Marriott board and certain of its officers in Delaware Chancery Court. The Chancery Court lawsuit alleged breach of fiduciary duty claims pertaining to the defendants’ alleged misconduct both before and after the Starwood acquisition. With respect to the pre-merger period, the plaintiff alleged that the defendants had breached their fiduciary duty by failing to conduct adequate due diligence of Starwood’s cybersecurity technology. With respect to the post-acquisition conduct, the plaintiff alleged that the defendants had continued to operate Starwood’s deficient technology; failed to timely disclose the data breach; and that the directors breached their duty of oversight in violation of the Caremark standard.
The defendants moved to dismiss on the grounds that the plaintiff had failed to make a pre-suit demand to the Marriott board to take up the claim and had failed to plead sufficient facts to establish demand futility.
The October 5, 2021 Opinion
On October 5, 2021, Vice Chancellor Will granted the defendants’ motion to dismiss, ruling that demand was not excused because “none of the director defendants faces a substantial likelihood of liability on a non-exculpated claim.” The Marriott board, she concluded, “retained its ability to assess whether to pursue litigation on behalf of the company.” Students of the law will be interested to note that in assessing the demand futility issue, Vice Chancellor Will applied the newly articulated demand futility standard that the Delaware Supreme Court promulgated in its decision last month in the Facebook case (discussed here).
In support of her conclusion that none of the director defendants faces a substantial likelihood of liability, Vice Chancellor Will made two essential rulings.
First, she determined that the plaintiff’s pre-Starwood acquisition claims were time-barred by the applicable statute of limitations.
Second, with respect to the plaintiff’s breach of the duty of oversight claims under Caremark, she determined that the “allegations in the complaint do not meet the high bar required to state a Caremark claim.”
In reaching this conclusion with respect to the plaintiff’s breach of the duty of oversight claims, Vice Chancellor Will repeated the oft-stated comment that oversight liability under Caremark is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” In order to state a Caremark claim, the plaintiff must establish that the directors either utterly failed to implement a reporting system or controls, or having implemented a system or controls, consciously failed to monitor them. Vice Chancellor Will noted with respect to this liability standard that Delaware’s courts have focused on “key enterprise risks” affecting a company’s “mission critical” operations.
With respect to this “mission critical” element, Vice Chancellor Will noted that cybersecurity “is an area of consequential risk that spans modern business sectors,” adding that in recent years cyberattacks have affected thousands of companies and government agencies and that regulators have repeatedly warned of cybersecurity risks. Vice Chancellor Will specifically noted that as the risks of cybersecurity become manifest “corporate governance must evolve to address them” adding further that “the corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.”
However, growing cybersecurity risks do not “lower the high threshold that a plaintiff must meet to plead a Caremark claim.” A plaintiff must make “a showing of bad faith conduct” to establish director oversight liability. Only “a sustained or systemic failure of the board to exercise oversight will establish the lack of good faith.”
The allegations in the plaintiff’s complaint, Vice Chancellor Will said, “do not meet the high bar required to state a Caremark claim.” The plaintiff, she said, has not shown “that the directors completely failed to undertake oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures.”
In reaching these conclusions, she specifically noted that the plaintiff does not allege that the Marriott board “utterly failed” to implement any cybersecurity reporting system or internal controls. To the contrary, she found that the complaint and incorporated documents demonstrate that the directors surpassed the Caremark baseline standard that they “try” in good faith to put a “reasonable compliance and reporting system in place.” Similarly, the plaintiff’s allegations failed to establish that the Marriott board consciously disregarded “red flags” indicating violations of legal requirements.
In a concluding section, Vice Chancellor Will noted that the data breach at the center of the case “was momentous in scale and put the data of hundreds of millions of people at risk.” However, the circumstance was the result of actions of a hacker – “Marriott was the victim of an illegal act rather than the perpetrator.” Whether or not this was a preventable scenario, there is “a difference between a flawed effort and a deliberate failure to act,” and Caremark requires a plaintiff to demonstrate the latter. Having failed to show that the Marriott directors “consciously disregarded positive law or acted in bad faith,” the plaintiff “has not impugned the ability of any member of the Demand Board to impartially consider a demand based on a substantial likelihood for failed oversight.”
The tone and points of emphasis in Vice Chancellor Will’s opinion reinforce the oft-stated principle that breach of the duty of oversight claims are very difficult indeed to establish. She highlights and underscores that in order for a claim of this type to be sustained, the plaintiff must plead that the defendants had absolutely no mechanism to oversee a mission critical operation or disregarded the mechanism in bad faith. The suggestion is that it will only be in very unusual circumstances that these types of claims will be permitted to proceed.
Of course, that said, in recent months there have been breach of the duty of oversight claims that have been sustained, most recently in the Boeing case. And in that sense – that is, in the possibility for breach of the duty of oversight claims to survive – Vice Chancellor Will’s comments about cybersecurity are particularly interesting. She specifically noted in the introductory section of her opinion that “Cybersecurity has increasingly become a central compliance risk deserving board level monitoring at companies across sectors.” More to the point, she also noted that “the corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.” At a minimum, this and similar statements underscore the fact that for many organizations cybersecurity is going to be a mission critical issue, one that requires board oversight – and one that, were the board to breach its oversight duties, could give rise to director liability.
I emphasize this latter point because it has been a focal point for me in discussing breach of the duty of oversight cases, going all the way back to the 2019 milestone case of Marchand v. Barnhill, in which the Delaware Chancery Court sustained a breach of the duty of oversight claim against the Blue Bell Creamery board. At the time, I highlighted the fact that cybersecurity and privacy issues could for many organizations represent the type of mission critical operations for which board oversight is required, and for which the failure to provide oversight could give rise to a Caremark claim. Vice Chancellor Will’s opinion confirms this proposition on both ends – that is, that cybersecurity is mission critical for many organizations, requiring board oversight, and that failure to oversee cybersecurity issues could, if properly pleaded, support a claim for breach of the duty of oversight.
All of that said, Vice Chancellor Will’s opinion does make it clear that it will only be in very unusual circumstances that a viable breach of the duty of oversight claim can be sustained with respect to cybersecurity issues. That is, a prospective claimant will have to be able to show that the defendant board had no mechanisms for overseeing cybersecurity issues (and not just that the board had a poor mechanism or did a poor job monitoring it) or that the board consciously disregarded cybersecurity red flags. It will be the unusual set of circumstances where a plaintiff can even attempt to make these kinds of allegations.
The case does have important implications for boards seeking to minimize the risks of cybersecurity-related breach of the duty of oversight claims. That is, well-advised boards will have mechanisms and controls in place that allow them to show they had the controls and processes needed to exercise their oversight function; by the same token, the board will also want to be able to show that it had processes in place for addressing and responding to cybersecurity red flags that may arise.