Red Flags

Cybersecurity and the Duty of Oversight

By Kevin LaCroix on March 18, 2025

In the immediate aftermath of the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, which revitalized so-called Caremark claims for breach of the duty of oversight, one question I was asked was whether claimants might seek to assert breach of the duty of oversight claims in the context of cybersecurity and data privacy issues. Claimants did, in fact, subsequently raise Caremark claims in connection with the high-profile date breaches at Marriott and SolarWinds, but in each case, the Delaware Chancery Court granted the defendants’ motions to dismiss (as discussed here and here, respectively), raising questions about the viability of duty of oversight claims in the cybersecurity context.

Notwithstanding the less than promising track record for these kinds of claims, in a recent article, NYU Law Professor Jennifer Arlen argues that cybersecurity-related claims for breach of the duty of oversight should support Caremark liability in at least one class of cases – that is, cases relating to companies for whom cybersecurity is a “mission critical legal risk” and in which it is alleged that the company had inadequate cybersecurity that risked (and later caused) substantial harm to businesses and government agency customers, and that the company had misled the customers through statements that were designed to defraud the customers into believing that the company’s cybersecurity systems were materially better than they were. Professor Arlen’s March 18, 2025, post on the Harvard Law School Forum on Corporate Governance about Caremark claims in the cybersecurity context can be found here.Continue Reading Cybersecurity and the Duty of Oversight

Guest Post: “Mission Critical”: Director Liability Ticking Time Bomb

By Kevin LaCroix on December 4, 2024

Posted in Corporate Governance

Recent case law developments in Delaware’s courts underscore the importance for corporate boards to monitor “mission critical” operations at their companies. These developments have important corporate governance implications, as I detailed in a September blog post (here). In the following guest post, Tim J. Leach, FCPA FCA Managing Director Risk Oversight Solutions Inc. takes a deeper look at the corporate governance implications from the recent duty of oversight/duty to monitor case law. I would like to thank Tim for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Tim’s article.Continue Reading Guest Post: “Mission Critical”: Director Liability Ticking Time Bomb

Meta Board and Execs Hit with Oversight Duty Breach Claim Based on Trafficking Allegations

By Kevin LaCroix on March 23, 2023

Posted in Director and Officer Liability

Delaware’s courts traditionally have said that breach of the duty of oversight claims (sometimes referred to as Caremark claims) are “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” However, in series of cases following the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, Delaware courts have sustained a number of breach of the duty of oversight claims. More recently, Vice Chancellor Laster, in a pair of decisions in the McDonald’s case, elaborated significantly on the reach of duty of oversight. Among other things, Laster made it clear that the duty extends to corporate officers as well as to directors. Some commentators (including me) were concerned that Laster’s elaborations could lead to further lawsuits alleging breach of the duty of oversight.

Now, in what is the first high-profile post-McDonald’s Caremark claim of which I am aware, a group of four institutional investors has brought a breach of the duty of oversight claim against certain directors and officers of Meta, alleging that the executives failed to take sufficient action with respect to allegations that the company’s social media sites were being used for human trafficking. The new complaint appears to have been shaped to reflect many of the implications arising from Laster’s decisions in the McDonald’s case. A copy of the redacted public version of the plaintiffs’ March 20, 2023, complaint in the Meta case can be found here.Continue Reading Meta Board and Execs Hit with Oversight Duty Breach Claim Based on Trafficking Allegations

Breach of Duty of Oversight Claims Against McDonald’s Directors Dismissed

By Kevin LaCroix on March 7, 2023

Posted in Director and Officer Liability

In the latest development in the Delaware courts’ evolving elucidation of the standards surrounding claims for breach of the duty of oversight – sometimes referred to as Caremark claims — a Delaware Court has held that the board of McDonald’s cannot be held liable for an alleged oversight duty breach in connection with the alleged scandals at the company involving sexual harassment allegations. This ruling in the directors’ favor follows closely after the same court’s recent ruling in the same case that the plaintiffs had stated a claim against an officer defendant for breach of the duty of oversight. The court’s recent rulings in the case provide extensive additional insights with respect to what must be alleged to establish a Caremark claim. Vice Chancellor Laster’s March 1, 2023, opinion in the case, dismissing the claims against the McDonald’s directors, can be found here.Continue Reading Breach of Duty of Oversight Claims Against McDonald’s Directors Dismissed

Del. Court Sustains Breach of Fiduciary Duty Claim for Board’s Rejection of Demand Letter

By Kevin LaCroix on June 8, 2022

Posted in Shareholders Derivative Litigation

In a series of opinions beginning with the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, Delaware courts have sustained a number of so-called “Caremark” claims based on the defendant board members’ breach of their duty of oversight. The courts have denied motions to dismiss in cases where the boards failed to act despite “red flags” alerting them to problems. But what happens if the “red flag” that alerts the board to a problem is a litigation demand letter submitted by a prospective claimant seeking to have the board take up litigation because of problems identified in the letter? In an interesting and troubling May 24, 2022 decision, Vice Chancellor Travis Laster sustained a claim based on these kinds of allegations, accepting what he called a “novel theory” with “admitted trepidation.” Though Laster sought in his opinion to contain some the more “disquieting” implications of this ruling, there is now at least a theoretical basis on which future prospective claimants could argue that a board’s rejection of a litigation demand letter could itself give rise to a separate breach of fiduciary duty claim.
Continue Reading Del. Court Sustains Breach of Fiduciary Duty Claim for Board’s Rejection of Demand Letter

The D&O Diary