Caremark’s Comeback Includes Potential Director Liability in Connection With Data Breaches

A Caremark-based claim against a board of directors alleging a failure to monitor corporate operations has been said to be “the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” or at least to withstand a motion to dismiss.  Yet Caremark has taken on renewed importance — as noted by this blog — following recent high-profile successes on duty-to-oversee claims, most notably in Marchand v. Barnhill in 2019 and In re Boeing in September 2021.  Recent shareholder lawsuits alleging that data breach- and cybersecurity-related failures would have been preventable but for oversight failures by corporate officers and directors are likewise being pleaded as Caremark claims.

In the landmark In re Caremark case, the Delaware Court of Chancery recognized a duty on the part of directors and officers to monitor corporate operations that have the potential to create liability for the company.  This duty is understood as derivative of the duty of loyalty, because where directors know or should know that they have a duty to act, and they fail to do so, “they breach their duty of loyalty by failing to discharge that obligation in good faith.”

To successfully allege a Caremark claim, a plaintiff must plead facts demonstrating that either “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” Put differently, the directors must have acted in bad faith in failing to oversee.  Furthermore, this failure must be related to some aspect of the business that is “essential and mission critical.”

As our “data economy” has fed an increase in data security incidents, failures in data security have in turn created significant risks to corporations.  These risks take many forms, including loss of access to business-critical data and IT infrastructure, successful consumer class action lawsuits, regulatory liability, and loss of commercial counterparties or liability to those counterparties.  Not surprisingly, shareholder lawsuits have also followed, seeking to hold corporate boards responsible for lax oversight that results in harm to the corporation following a data security incident.  To date, Caremark claims based on data security incidents have mostly failed to gain traction; the vast majority have been dismissed at the motion to dismiss stage and a smaller portion have settled, as our colleagues noted in an article for Bloomberg Law back in 2017.  Several recent cases have confirmed that Caremark claims remain difficult to bring (much less win), even when those claims are based on data security incidents.  But these cases also reveal potential avenues that shareholder plaintiffs may pursue when bringing data security-related Caremark claims.

In a case involving Marriott, Firemen’s Ret. Sys. of St. Louis ex rel. Marriott Int’l, Inc. v. Sorenson, a shareholder sued the company’s officers and directors for alleged oversight failures related to a 2018 data breach that exposed the personal information of approximately 500 million guests.  On October 5, 2021, Vice Chancellor Will dismissed the Marriott shareholder’s complaint for failure to plead demand futility, finding that “none of the directors face a substantial likelihood of liability under Caremark,” since the board had a system to assess cybersecurity risks and did not consciously disregard red flags that arose from it.  As to Caremark’s first prong, the court noted that the Marriott board was consistently apprised of cybersecurity threats and repeatedly designated data security as a priority for the company — features that the plaintiff’s complaint itself noted, and which meant that the board had not “utterly failed” to implement a monitoring and reporting system.  By alleging only that the company did not keep up with non-obligatory industry standards and “risked” violations of certain laws, the complaint also did not adequately plead that the Marriott board became aware of violations of law (i.e., red flags) and disregarded them.

As a result of the complaint’s failure to meet either prong under Caremark, meaning that no director faced a substantial likelihood of liability, Vice Chancellor Will determined that the Marriott board remained capable of deciding whether to pursue litigation on the company’s behalf, and demand was not excused.  Any future lawsuits — and their choice of legal strategy — are something this blog and others will be watching for.  But, as Vice Chancellor Will noted, while “corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place . . . growing risks posed by cybersecurity threats do not, however, lower the high threshold that a plaintiff must meet to plead a Caremark claim.”

Only a month later, in November 2021, shareholders of T-Mobile filed a lawsuit alleging breaches of fiduciary duties by the T-Mobile board in connection with cybersecurity failures.  The complaint specifically focuses on T-Mobile’s August 2020 data breach impacting 54 million customers and a February 2021 fine by the Federal Communications Commission (“FCC”) over data security weaknesses.  Importantly, the complaint attempts to distinguish itself from the claim against Marriott with respect to the T-Mobile board’s knowledge of red flags.

In particular, the Marriott court held that the plaintiffs failed to demonstrate that the board ignored known violations of law (i.e., red flags), in part because there had been no violations of law for the Marriott board to ignore.  Indeed, in her Marriott opinion, Vice Chancellor Will noted that “Oversight violations are typically found where companies — particularly those operating within a highly regulated industry — violate the law or run afoul of regulatory mandates.”  By contrast, the T-Mobile shareholders allege that the company’s data security failures did result in violations of law.  The T-Mobile complaint points to the FCC investigation and resulting fine levied on T-Mobile to allege that the board was “long aware of” yet “failed to heed . . . red flags” related to the company’s cybersecurity inadequacies.

Whether the Caremark claims against the T-Mobile board survive past the motion to dismiss stage is yet to be seen, and this blog’s contributors will be monitoring closely as this case and others like it unfold.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.