One of the basic exposures that corporate directors and officers face is the risk of a shareholder derivative lawsuit. In the following guest post, Greg Markel, Giovanna Ferrari, and Sarah Fedner, all of the Seyfarth Shaw law firm, take a look at the basic features of shareholder derivative suits and conclude with ten basic takeaways for boards and others. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.Continue Reading Guest Post: Derivative Litigation: Board Lessons and Takeaways

A claim alleging a board’s breach of duty of oversight has long been regarded as one of the most difficult for a plaintiff to sustain. But after the Delaware Supreme Court’s 2019 opinion in Marchand v. Barnhill, breach of the duty of oversight claims (or Caremark claims, as they are sometimes called) have in recent years, as Vice Chancellor Sam Glasscock put in in his recent opinion in the SolarWinds case, “bloomed like dandelions after a warm spring rain.” Some commentators questioned whether oversight breach claims were in fact as difficult to sustain as is so often said. However, in his recent opinion, the Vice Chancellor emphasized the oversight breach claims remain “one of the most difficult claims” to sustain and granted the defendants’ motion to dismiss the cybersecurity-related oversight breach claims asserted against the board of Solar Winds.  A copy of Vice Chancellor Glasscock’s September 6, 2022 opinion in the SolarWinds case can be found here.
Continue Reading Del. Court Dismisses Cybersecurity-Related Oversight Claim Against SolarWinds Board

The filing of data breach and other cybersecurity incident-related shareholder derivative lawsuits against corporate boards is nothing new; plaintiffs’ lawyers have been filing these kinds of claims now for several years. However, in recent months, the plaintiffs’ lawyers have shown an increasing inclination to file these claims based on allegations of breach of the duty of oversight. The latest example of this type of claim is the shareholder derivative suit filed this week against the board of T-Mobile USA. Although the plaintiff’s complaint does not expressly use the words “breach of the duty of oversight” or refer to “Caremark duties,” the complaint does refer to the board’s alleged “failure to monitor” and to the board’s alleged failure “to heed red flags” – the very kind of allegations that are at the heart of breach of the duty of oversight claims. A copy of the plaintiff’s complaint in the November 29, 2021 lawsuit can be found here.
Continue Reading Data Breach-Related Derivative Suit Filed Against T-Mobile USA Board

Among the companies with D&O litigation in recent years arising from sexual misconduct allegations was the clothing and consumer products company L Brands. The parties to the various legal proceedings arising out of the allegations have reached a settlement in which L Brands has agreed to adopt a number of management and governance measures; in order to fund these initiatives, the company has committed to funding of $90 million over the course of five years. As discussed below, the settlement has several interesting features. The parties’ July 30, 2021 stipulation of settlement can be found here.
Continue Reading L Brands Establishes $90 Million Fund in Sexual Misconduct Derivative Suit Settlement

Anyone reading the business pages know that SPAC IPO activity continues to surge; indeed, we have not yet even officially completed 2021’s first quarter, yet the number of SPAC IPOs completed and the amount of funding raised have both already exceeded the totals for the full year 2020. As I have already noted in prior posts on this site, all of this SPAC activity has already attracted some legal action. At the end of the last week, there were further signs that the legal activity could be about to pick up. As discussed below, news reports circulated late last week that the SEC has sent informal inquiries to Wall Street banks concerning SPACs, and, as also discussed below, a plaintiff shareholder has initiated a class action lawsuit against the directors and officers of a SPAC, among others, in Delaware Chancery Court presenting some alternative liability theories.
Continue Reading Is SPAC-Related Legal Action About to Heat Up?

As I have noted in prior posts, there has been a recent renewed focus among observers of Delaware corporate case law development on breach of the duty of oversight claims (sometimes called Caremark claims in reference to the initial Court of Chancery decision elaborating on the duty of oversight). Indeed, at least one academic commentator has suggested, based on a series of Delaware court rulings during 2019-2020, that we have entered a “new era” of Caremark claims.

But though there have been a number of high profile cases in which breach of the duty of oversight claims have been sustained, a recent Delaware Court of Chancery decision underscores the fact that the pleading hurdles for these types of claims are still substantial, and, indeed, as discussed below, at least one set of commentators has suggested that this most recent decision raises the question whether the pleading bar for these types of claims has changed at all. The Delaware Court of Chancery’s December 31, 2020 decision in Richardson v. Clark can be found here.
Continue Reading Del. Chancery Court: Caremark Claims Against MoneyGram Board Not Sustained

Stark Photo
John Reed Stark

Fontaine
David Fontaine

It is well understood by now that cyber security is a concern for every organization and that it is an issue on which every company’s board should be focused. But what specifically should boards of directors be worried about and what questions should they be asking? In the following guest post, John Reed Stark and David R. Fontaine take a look at the ten cybersecurity concerns on which every board of directors should be focused. John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm.  David Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities, owns Kroll’s data breach response services. The authors’ complete biographies appear at the end of the post. This article was previously published on CybersecurityDocket.com, an online global cybersecurity and incident response report, and a division of Docket Media.

I would like to thank the authors’ for their willingness to publish their article on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. The authors’ guest post follows.

*************************************

Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board will need to clean up the mess and superintend the fallout.

Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies,[1] fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on.

And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage;[2] loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.

So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cybersecurity, but there is no need for board members (many of whom have limited IT experience) to panic.

Below we compile a list of ten cybersecurity considerations that provide a solid bedrock  of inquiry for corporate directors who want to take their cybersecurity oversight and supervision responsibilities seriously.[3]  This “cybersecurity top ten list” provides the requisite strategical framework for boards of directors to engage in an intelligent, thoughtful and appropriate supervision of a company’s cybersecurity risks.
Continue Reading Guest Post: Ten Cybersecurity Concerns for Every Board of Directors

hbr4The fiduciary duties of members of corporate boards are usually invoked in connection with directors’ potential liability exposures. However, in their January 2015 Harvard Business Review article entitled “Where Boards Fall Short” (here), Dominic Barton, global managing director of McKinsey & Co., and Mark Wiseman, President and CEO of the Canada