face of a known duty to act.”82 The plain- tiffs appealed.
On April 28, 2017, the plaintiffs filed an unopposed motion for preliminary approval of shareholder derivative settle- ment and memorandum of law in sup- port.83 The settlement established that Home Depot would pay $1.125 mil- lion of the plaintiffs’ attorneys’ fees and would undertake a number of reforms to bolster the board’s oversight and re- sponsibility for data security.84 Notably, the board agreed to “(i) document the duties and responsibilities of the Chief Information Security Officer (CISO); (ii) periodically conduct Table Top Cyber Exercises; (iii) monitor and periodically assess key indicators of compromise on computer network endpoints; (iv) main- tain and periodically assess the Compa- ny’s partnership with a dark web mining service to search for confidential Home Depot information; (v) maintain an ex- ecutive-level committee focused on the Company’s data security.”85
While the initial dismissal — follow- ing the Wyndham and Target dismissals — indicated that shareholder derivative actions in this area are difficult to prove, the Home Depot suit and settlement demonstrates the scrutiny directors and officers can anticipate following a major incident. The settlement also outlines several better practices for corporations which may help satisfy Caremark duties relating to cybersecurity.86
D. Evolution of Caremark
Despite the acknowledged difficul- ties, Caremark claims have been lodged against corporations in the wake of major data breaches throughout the last decade. Reviewing courts have shown consider- able deference to the business judgment of corporate directors and officers. As discussed above, most cases have been dismissed (e.g., Wyndham and Target) or settled out of court (e.g., Home Depot and Wendy’s).87 However, despite these early successes for corporations and their directors, two recent Delaware Caremark cases provide greater insight into the board’s duty of oversight with respect to areas that are deemed “mission critical.” While both cases dealt with U.S. Food and Drug Administration (FDA) regula-
tions, a corporation’s information assets and their protection will undoubtedly be “mission critical” to many corpora- tions, especially in hindsight. And, more importantly, these cases show that pre- vailing in litigation is very different from avoiding litigation or crises.
1. Marchand and Clovis: Setting the Stage for New Failed Oversight Theories
In 2015, Blue Bell Creameries USA, Inc. suffered a listeria outbreak “causing the company to recall all of its products, shut down production at all of its plants, and lay off over a third of its work- force.”88 Three people died as a result of the outbreak and “Blue Bell suffered a liquidity crisis that forced it to accept a dilutive private equity investment.” 89 As a result, a shareholder brought a de- rivative suit against two executives and Blue Bell’s directors, alleging breaches of fiduciary duties. Specifically, “[t]he complaint allege[d] that the executives — Paul Kruse, the President and CEO, and Greg Bridges, the Vice President of Operations — breached their duties of care and loyalty by knowingly disre- garding contamination risks and failing to oversee the safety of Blue Bell’s food- making operations, and that the direc- tors breached their duty of loyalty under Caremark.” 90 In relevant part, the Dela- ware Court of Chancery dismissed the Caremark claim. On appeal, the Supreme Court of Delaware acknowledged that “our case law gives deference to boards and has dismissed Caremark cases even when illegal or harmful company activi- ties escaped detection, when the plain- tiffs have been unable to plead that the board failed to make the required good faith effort to put a reasonable compli- ance and reporting system in place.”91 The court found that the complaint sup- ported “an inference that no system of board-level compliance monitoring and reporting existed at Blue Bell.”92 Spe- cifically, “no board committee that ad- dressed food safety existed; no regular process or protocols that required man- agement to keep the board apprised of food safety compliance practices, risks, or reports existed; no schedule for the board to consider on a regular basis, such
as quarterly or biannually, any key food safety risks existed; during a key period leading up to the deaths of three custom- ers, management received reports that contained what could be considered red, or at least yellow, flags, and the board minutes of the relevant period revealed no evidence that these were disclosed to the board; the board was given certain favorable information about food safety by management, but was not given im- portant reports that presented a much different picture; and the board meet- ings are devoid of any suggestion that there was any regular discussion of food safety issues.”93 In sum, the court held that “[w]hen a plaintiff can plead an in- ference that a board has undertaken no efforts to make sure it is informed of a compliance issue intrinsically critical to the company’s business operation, then that supports an inference that the board has not made the good faith effort that Caremark requires.”94 In the realm of cybersecurity issues, the Marchand case may be especially instructive regarding how and whether a board may rely upon the information they receive and how and whether to validate such information as part of effective oversight.
The Delaware Chancery Court in In re Clovis Oncology, Inc. Derivative Litig. expounded upon the findings in March- and. Clovis Oncology, Inc., an emerg- ing biopharmaceutical company, was developing Rociletinib, a therapy for the treatment of lung cancer. The drug was promising in its early stages, but it be- came apparent towards the later stages of clinical trials that it would likely not be approved by the FDA.95 As a result, “Clovis stockholders [...] allege mem- bers of the Clovis board of directors [...] breached their fiduciary duties by failing to oversee the Roci clinical trial and then allowing the Company to mislead the market regarding the drug’s efficacy.”96
In addressing the Caremark claims, the Delaware Court of Chancery stated that the Supreme Court of Delaware’s “recent decision in Marchand v. Barn- hill underscores the importance of the board’s oversight function when the company is operating in the midst of ‘mission critical’ regulatory compliance
SPRING 2020 DELAWARE LAWYER 19