A claim alleging a board’s breach of duty of oversight has long been regarded as one of the most difficult for a plaintiff to sustain. But after the Delaware Supreme Court’s 2019 opinion in Marchand v. Barnhill, breach of the duty of oversight claims (or Caremark claims, as they are sometimes called) have in recent years, as Vice Chancellor Sam Glasscock put in in his recent opinion in the SolarWinds case, “bloomed like dandelions after a warm spring rain.” Some commentators questioned whether oversight breach claims were in fact as difficult to sustain as is so often said. However, in his recent opinion, the Vice Chancellor emphasized the oversight breach claims remain “one of the most difficult claims” to sustain and granted the defendants’ motion to dismiss the cybersecurity-related oversight breach claims asserted against the board of Solar Winds. A copy of Vice Chancellor Glasscock’s September 6, 2022 opinion in the SolarWinds case can be found here.
SolarWinds Corporation provides information technology infrastructure management. Its main software product is the Orion Platform. In December 2020, the company discovered that it had been the victim of a major cyberattack. In the attack, Russian hackers used the company’s Orion platform to attack the Company’s clients. The hackers hid malicious code in the software and exploited its trusted access to gain access to the company’s clients IT systems. The hackers used the access to steal the clients’ proprietary information, intellectual property, and emails. The attack, know as the Sunburst Attack, affected as many as 18,000 of the company’s clients. Upon revelation of the attack, the company’s share price declined nearly 40%.
Following the news of the Sunburst Attack, the company was hit with numerous lawsuits and was also the subject of various governmental investigations. Among the lawsuits filed is a separate securities class action lawsuit. In addition, a plaintiff shareholder filed a derivative suit in Delaware Chancery Court against certain past and present SolarWinds directors, as well as against the company itself as nominal defendant. The derivative suit plaintiff essentially alleges that the defendants failed to adequately oversee the risk to cybersecurity of criminal attack. The defendants moved to dismiss.
The September 6, 2022 Opinion
In a detailed September 6, 2022 Opinion, Vice Chancellor Glasscock granted the defendants’ motion to dismiss. Specifically, he held that the plaintiff had failed to make a sufficient showing that a pre-suit demand on the company’s board would have been futile. In concluding that the plaintiff had not established demand futility, the Vice Chancellor found that because the plaintiff’s breach of the duty of oversight claim was not “viable,” the plaintiff had failed to establish that a majority of the board faced a substantial likelihood of liability.
In assessing the plaintiff’s breach of the duty of oversight claims, Glasscock emphasized that in order to sustain a claim for breach of the duty of oversight, “the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty,” which in turn “requires an action (or omission) that a director knows is contrary to the corporate weal.” A viable claim for breach of the duty of oversight may be established only for either “utter failures by directors to impose a system for reporting risk” or for “failure to act in the face of ‘red flags’ disclosed to them so vibrant that lack of action implicates bad faith, in connection with the corporation’s violation of positive law [emphasis in original], have led to viable claims under Caremark.”
Vice Chancellor found (and emphasized) that in this case, “there is no credible allegation that the Company violated positive law.” In the absence of an allegation of an illegal act or omission, the plaintiff could only sustain its claim if it sufficiently alleged that the board undertook its monitoring duties in bad faith. The Vice Chancellor emphasized that mere allegations of negligence alone were not sufficient.
Having reviewed the applicable standards, Vice Chancellor Glasscock found that the director defendants “(1) are not credibly alleged to have allowed the company itself to violate law, (2) did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity, and (3) are not alleged to have ignored sufficient ‘red flags’ of cyber threats to imply a conscious disregard of a know duty, indicative of scienter.” In other words, the Vice Chancellor said, “the directors failed to prevent a large corporate trauma, but the Plaintiffs have failed to plead sufficient facts from which I may infer bad faith liability on the part of a majority of directors regarding that trauma.”
In the immediate aftermath of the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, and as part of the discussion of the decision’s possible implications, one question I was asked was whether claimants might seek to assert breach of the duty of oversight claims in the context of cybersecurity and privacy issues. After all, for many companies these days, cybersecurity is mission critical. However, there are now two Delaware court decisions in which attempts to assert an oversight duty claim in the context of a cybersecurity incident have been unsuccessful.
As I noted at the time, in October 2021, Delaware Vice Chancellor Lori Will dismissed the shareholder claims asserted against the Marriott Board in connection with the massive and high profile claims that the company had sustained. Vice Chancellor Glasscock has now rejected the cybersecurity related oversight breach claims asserted against the Solar Winds board.
To be sure, Vice Chancellor Glasscock did not hold that a claimant could never sustain a cybersecurity related oversight duty breach claim. But his opinion does contain a number of points that underscore how difficult it would be for a claimant to succeed on this theory.
First, as he emphasized throughout his opinion, the plaintiff here had not (and apparently could not) allege that the Solar Winds board had violated positive law. The criminal acts of third parties means only that the company was the victim of legal violations not the perpetrator. The absence of legal duties means that cybersecurity is a business risk, one of many the company faces. In order for the cybersecurity-related business risk to give rise to potential board liability, the claimant must establish a “nexus” between the risk and the board, which this plaintiff was found to have failed to do.
In addition to emphasizing the difficulty of establishing an oversight duty breach in the cybersecurity context, Vice Chancellor Glasscock’s opinion underscores the difficulty of establishing an oversight duty breach in any context. After reading Judge Glasscock’s opinion, one is left with the impression that an oversight duty breach claim may indeed be one of the most difficult claims for a plaintiff to sustain.
One final point worth noting that while SolarWinds has managed to get the derivative lawsuit dismissed, the securities class action lawsuit against the company and certain of its directors and officers remains pending. As discussed here, in March 2022, the defendants’ motion to dismiss the securities suit was largely denied.