Page 22 - Delaware Lawyer - Spring 2020
risk.”97 The court further acknowledged that, “[a]s Marchand makes clear, when a company operates in an environment where externally-imposed regulations govern its ‘mission critical’ operations, the board’s oversight function must be more rigorously exercised.”98 While “Caremark does not demand omniscience” it requires a “‘good faith effort to implement an oversight system and then monitor it,’” including sensitivity to “compliance issue[s] intrinsically critical to the company[...].”99 With respect to the first Caremark prong, the court held that it would be “difficult to conceive how Plaintiffs would prove the Board had no ‘reporting or information system or controls[.]’”100 However, the court held that Clovis failed the second Caremark prong — having implemented such a system or controls, the board consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention — given that the complaint established “the Board consciously ignored red flags that revealed a mission critical failure to comply with the Response Evaluation Criteria in Solid Tumors (RECIST) protocol and associated FDA regulations.”101
2. Implications of Marchand and Clovis
While Marchand and Clovis do not address Caremark in the context of cybersecurity issues, these decisions suggest a prospective avenue for plaintiffs to challenge director oversight in analogous regulatory contexts. The cybersecurity-related shareholder derivative actions outlined above signal that allegations regarding reporting and information systems remain likely. But Marchand and Clovis indicate that, for many companies, the operation of those systems could be deemed “intrinsically critical” especially in the presence of specific legal obligations such as those imposed by the FTC and, increasingly, many states. Accordingly, such situations may trigger higher scrutiny into board determinations about the criticality and controls of a company’s cybersecurity program. Together, the decisions may signal that Delaware courts are willing to actively analyze whether directors have satisfied their duties of oversight — in effect giving less credence to the judgment of the board in an area where the Delaware General Assembly has not yet foreclosed personal liability for directors via charter provisions.
Even more disturbing for board members, Marchand and Clovis may be read to suggest that reviewing courts may be prone to rely on 20/20 hindsight after a data breach to determine whether a board underwent sufficient steps to satisfy its oversight duties. Given the critical nature of information systems and management for organizations, and the profligacy with which companies declare the import of these systems to their businesses, it seems inevitable that plaintiffs will seek to build upon the holdings of these two cases to allege novel claims in the face of cybersecurity crises and incidents.
While the business judgment rule remains intact, these cases indicate that board members who passively rely on the presence of a compliance program to satisfy their oversight obligations in “intrinsically critical” areas may face higher litigation risk. Given the quickly changing threat environment, it seems quite possible that these two cases could lead to a new wave of shareholder derivative actions alleging failures to actively monitor cybersecurity issues.
III. ‘REASONABLE SECURITY’ AND ITS IMPLICATIONS FOR BROADER ENTERPRISE LIABILITY RISK
With both state and federal laws and regulations, corporations face a broad array of legal obligations pertaining to data security. But, significantly, there is no uniform standard that outlines a corporation’s obligations in this realm. In fact, the prevailing standard requires “reasonable” security, which has been broadly criticized for being too vague to implement. How “reasonableness” then translates into sufficient versus effective board oversight of cybersecurity, especially in areas where it is deemed “critical,” calls for a broader understanding of the issue.
While at least one commentator has gone so far as to suggest that board members have a common-law duty to provide security to information assets, shareholder derivative actions criticizing enterprises, officers and directors have been less common so far.102 More frequently, regulatory enforcement actions and securities class actions (many of which name individual corporate officers and directors as defendants) have followed in the wake of high-profile cybersecurity incidents. Enforcement actions from the FTC, the SEC, the Department of Health and Human Services, and the EU Data Protection Authorities often drive significant fines and trigger corporate governance changes.103 Securities class actions are also beginning to serve as a routine response to a cybersecurity incident, and have personally named corporate officers and directors as defendants in addition to the corporation itself. While these actions have not all resulted in personal liability for directors and officers, they are often cited as “red flags” in derivative actions and remain strong indicators of what is increasingly required of companies seeking to implement satisfactory cybersecurity practices in the eyes of the law. Familiarity with the teachings of these cases and other enforcement activities of specialty regulators can be helpful in demonstrating the exercise of the duty of loyalty under Caremark, and as discussed infra, pursuing the NACD’s recommendations on knowing the law and the enterprise risk.
A. The Federal Trade Commission: a Lodestar for Data Security Reasonableness
The FTC routinely holds corporations accountable in the wake of a cybersecurity incident and has brought more than 65 cases arising from cybersecurity incidents since 2002.104 Section 5(a) of the FTC Act empowers the agency to “prevent persons, partnerships, or corporations . . . from unfair or deceptive acts or practices in or affecting commerce.”105 Specifically, the FTC considers failure to maintain reasonable and appropriate data security for consumers’ information to be unfair and deceptive trade practices.106 This formulation has been the subject of criticism due to the vagueness of “reasonable” security and an emphasis on non-precedential consent decrees.107 Nonetheless, reviewing