Page 18 - Delaware Lawyer - Spring 2020

FEATURE
the directors of a corporation acted on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company.”17 This presumption, known as the business judgment rule, historically affords the business decisions of directors — not their failures to act in the oversight context — significant protection and deference.
1. Duty of Care
The duty of care requires directors to “consider all material information reasonably available in making business decisions.”18 Directors’ duty of care only requires that they “use that amount of care which ordinarily careful and prudent men would use in similar circumstances.”19 Violations are only actionable if directors act with gross negligence.20
In 1985, in Smith v. Van Gorkom, the Delaware Supreme Court found that the board was not entitled to the protection of the business judgment rule and breached its duty of care in approving a merger that was orchestrated by the company’s chairman and CEO and another inside director.21 The board approved the merger after a 20-minute presentation, relying on the advice of the company’s legal counsel and the directors’ “knowledge of the market history of the Company’s stock.”22 The Delaware Supreme Court held the company’s directors jointly and severally liable for more than $23 million.23 In response, the Delaware Assembly in 1986 enacted section 102(b)(7) of the Delaware General Corporation Law, which allows a corporation’s certificate of incorporation to contain “[a] provision eliminating or limiting the personal liability of a director to the corporation or its stockholders for monetary damages for breach of fiduciary duty as a director.”24 Ultimately, the Delaware Supreme Court has held that a duty of care claim is dismissible if the company has adopted a charter provision embodying section 102(b)(7), requiring the board to prove entire fairness.25 As a result, duty-of-care claims consistently fail in the face of a section 102(b)(7) provision in the corporation’s charter.
2. Duty of Loyalty
Section 102(b)(7) charter provisions, on the other hand, do not foreclose personal liability for breaches of duties of loyalty. The duty of loyalty “mandates that the best interest of the corporation and its shareholders takes precedence over any interest possessed by a director, officer or controlling shareholder and not shared by the stockholders generally.”26 The duty of loyalty precludes directors from acting in bad faith.27 As discussed infra, the duty of loyalty also requires directors to take a more proactive role in overseeing compliance issues.
B. Caremark Claims
Plaintiffs seeking damages in connection with cybersecurity incidents have historically based their claims on an organization’s alleged bad faith and oversight failures arising out of the duty of loyalty. This strategy can be traced back to the Caremark case. In 1994, Caremark International, Inc., a healthcare company, was indicted for violating the Anti-Referral Payments Law in connection with alleged illegal payments. The allegations led to a number of enforcement actions and civil claims. Caremark settled the federal litigation and some of the civil claims, including lawsuits brought by insurance company payors.28 In the wake of these settlements, five shareholder derivative suits were lodged against Caremark’s board.29 The defendants and Caremark entered into a settlement that would require Caremark to enact a seven-point plan to ensure Caremark’s compliance with federal law moving forward.30
While ultimately dicta, the discussion of oversight liability in Caremark has emerged as the dominant legal standard for evaluating duty-of-care claims. Specifically, the Delaware Chancery Court articulated that in a shareholder derivative action, directors can be held personally liable for failing to “appropriately monitor and supervise the enterprise.”31 The court further observed that failing to implement a sufficient corporate information and reporting system can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”32 Moreover, acting with a “conscious disregard” for corporate duties and ignoring “red flags” can lead to a director or officer being held personally liable for a corporation’s loss.33 In parallel, because of their value to enterprises and rapid advances in technology, the scope and importance of corporate information and reporting systems have escalated dramatically, including statutory requirements for oversight related to the integrity of financial statements.34
In Stone v. Ritter, the Delaware Supreme Court reframed the general standard for corporate oversight liability as a duty of loyalty claim.35 In Stone, AmSouth Bancorporation was subjected to fines and civil penalties after neglecting to file suspicious activity reports as required by banking law.36 This led to a shareholder derivative suit alleging that the board violated its fiduciary duty by neglecting to institute a sufficient program to monitor legal compliance.37 The Delaware Supreme Court ultimately dismissed the case, but upheld the Caremark standard in the process.38 Specifically, the court held that “Caremark articulates the necessary conditions predicate for director oversight liability: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”39 To impose liability in either situation, the plaintiff must show that the directors knew that they were not discharging their fiduciary obligations. The Delaware Supreme Court further acknowledged that “a claim that directors are subject to personal liability for employee failures is ‘possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.’”40
C. Shareholder Derivative Suits in the Wake of a Cybersecurity Incident
In the last decade, Delaware courts have seen an increased number of cases arising from cybersecurity incidents grounded in the alleged failure by officers and directors to fulfill their duties.41 In each case, the business judgment