The filing of data breach and other cybersecurity incident-related shareholder derivative lawsuits against corporate boards is nothing new; plaintiffs’ lawyers have been filing these kinds of claims now for several years. However, in recent months, the plaintiffs’ lawyers have shown an increasing inclination to file these claims based on allegations of breach of the duty of oversight. The latest example of this type of claim is the shareholder derivative suit filed this week against the board of T-Mobile USA. Although the plaintiff’s complaint does not expressly use the words “breach of the duty of oversight” or refer to “Caremark duties,” the complaint does refer to the board’s alleged “failure to monitor” and to the board’s alleged failure “to heed red flags” – the very kind of allegations that are at the heart of breach of the duty of oversight claims. A copy of the plaintiff’s complaint in the November 29, 2021 lawsuit can be found here.
T-Mobile USA is a telecommunications company. According to the recently filed shareholder derivative complaint, in the course of its operations, the company obtains and stores the personal identifying information of its millions of customers, making it a target for hackers. The company’s board was, according to the complaint “aware of the substantial risks posed to the Company, having recognized those very risks in public filings with the SEC and having assured stockholders that those risks were being properly managed.”
The complaint alleges, however, that the board members were “long aware of red flags demonstrating that the Company did not have an effective system of internal controls to ensure the safety and security of customers’ personal identifying information in the face of this threat.” The complaint alleges that since 2015 hackers had “frequently exploited weaknesses” in the company’s cybersecurity, noting that in February 2021 the FTC levied a $92 million fine against the company for its failure to protect customer location information and found that the company’s privacy safeguards were “fundamentally weak.”
The complaint alleges further that in August 2020, the company disclosed that a hacker had accessed personal identifying information for 54 million customers, an incident that has led to an ongoing FCC investigation and dozens of consumer class action lawsuits.
On November 29, 2021, a plaintiff shareholder filed a securities class action lawsuit in the Western District of Washington against certain members of the board of directors of T-Mobile USA, as well as against the company itself as nominal defendant.
The complaint alleges, in reliance on the allegations described above, that the defendants were required to “(1) implement and maintain an effective system of internal controls to ensure that data breaches are prevented and that personal identifying information of its customers is safe and secure, as represented; (2) implement and maintain effective internal controls and corporate governance practices to monitor the material risks posed to the Company, its stockholders, and customers by the storage of customer data and the ‘target’ such information posed to hackers and other malicious actors; and (3) take action when presented with red flags that internal controls over cybersecurity were inadequate and that bugs on the Company’s website allowed hackers to access customers’ personal identifying information.”
On the basis of these allegations, the complaint asserts four substantive claims. First, the complaint alleges that the defendants violated Section 14(a) of the Securities Exchange Act of 1934, based on allegations that in the company’s 2021 proxy statement the defendants misrepresented the company’s internal controls and state of cybersecurity preparedness. Second, the complaint alleges that the defendants breached their fiduciary duties by failing to have effective internal controls in place and failing to heed and take action with respect to “red flags” showing that the controls were inadequate. Third, the complaint alleges that the board members’ failures caused the waste of corporate assets. Fourth, the complaint alleges that the defendants aided and abetted each other in breaching their respective fiduciary duties.
The complaint alleges that because the board “utterly failed” to fulfill its fiduciary duties, “each member faces a substantial likelihood of liability therefor,” and that “a majority of the Board lacks independence,” as a result of which, the complaint alleges, demand is excused.
The complaint seeks the recovery of damages on behalf of T-Mobile USA, and an order directing the company and the individual defendants to “take all necessary actions to reform and improve its corporate governance practices and procedures and internal control systems,” as well as an order of restitution from the individual defendants.
This cybersecurity incident-related lawsuit against the T-Mobile USA board follows closely on the lawsuit filed earlier in November against the board of SolarWinds (discussed here). The SolarWinds complaint overtly alleged breach of the duty of oversight; as I noted at the outset of this post, the new T-Mobile USA complaint does not expressly refer to the duty of oversight, but it does refer to the board’s alleged failure to monitor and its failure to heed and respond to “red flags,” which are the kind of allegations at the heart of breach of the duty of oversight claims.
To a certain extent, it comes as no surprise that plaintiffs’ lawyers are asserting allegations of oversight duty breaches in connection with circumstances arising out of cybersecurity incidents. Indeed, at the time of the Delaware Supreme Court’s 2019 landmark Marchand v. Barnhill ruling, I speculated that a newly revitalized breach of the duty of oversight claim could represent a legal theory on which plaintiffs might seek to rely in asserting claims against boards of companies that had experienced cybersecurity incidents. As I noted at the time, cybersecurity is for many types of operations “mission critical.” With the benefit of post-incident hindsight, plaintiffs’ lawyers could, I speculated, seek to portray the ups and downs of daily operations as presenting “red flags” that should have triggered boards’ monitoring of key operations. The recent filing of the breach of the duty of oversight claims against the SolarWinds and the T-Mobile USA boards seems to represent the realization of the concerns I expressed in my earlier post.
Plaintiffs’ lawyers’ willingness to pursue these kinds of claims undoubtedly was bolstered by the recent $237.5 million settlement of the breach of the duty of oversight claim filed against the board of Boeing in connection with the 737 Max air disasters.
On the other hand, plaintiff’s counsel’s assessment of the likelihood of success on a breach of the duty of oversight claim would necessarily have to take into account the October 2021 decision in the Marriott data breach-related derivative lawsuit. As I noted in a post at the time, Vice Chancellor Lori Will granted the defendants’ motion to dismiss, ruling that the plaintiffs’ obligation to make a pre-suit demand on the board was not excused. With respect to the plaintiff’s breach of the duty of oversight claims under Caremark, Vice Chancellor Will specifically said that the “allegations in the complaint do not meet the high bar required to state a Caremark claim.”
That said, in her Marriott opinion Vice Chancellor Will did say some things that the plaintiff in this case may find to be helpful. For example, she said that cybersecurity risks are an increasingly important part of the corporate landscape, and that as risks of cybersecurity become manifest “corporate governance must evolve to address them,” adding further that “the corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.”
T-Mobile USA is based in the state of Washington but it is incorporated under the laws of the state of Delaware, so the Delaware case law will be relevant in this case. One aspect of the plaintiffs’ allegations that will complicate the analysis is that the plaintiffs’ substantive claims are not based solely on the alleged breach of the duty of oversight. Indeed, in order to try to avoid the “high bar” required to sustain a breach of the duty of oversight claim, the plaintiff in this case may try to argue that he is not asserting a breach of the duty of oversight claim at all.
For all of these reasons, this case will be interesting to watch. But for now, the one important takeaway is that the plaintiffs’ lawyers seem to be showing an increased willingness to pursue D&O liability claims based on cybersecurity incidents. The possibility of these kinds of claims represents a distinct and arguably growing liability risk for corporate boards.