FEATURE
 that such provision shall not eliminate or limit the liability of a director: (i) [f]or
any breach of the director’s duty of loyalty
to the corporation or its stockholders; (ii)
for acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law; (iii) under §174
of this title; or (iv) for any transaction from which the director derived an improper personal benefit.”; see also Emerald Partners v. Berlin, 787 A.2d 85, 90 (Del. 2001) (“The purpose of Section 102(b)(7) was to “permit shareholders” — who are entitled to rely
upon directors to discharge their fiduciary duties at all times — to adopt a provision in the certificate of incorporation to exculpate directors from any personal liability for the payment of monetary damages for breaches of their duty of care, but not for duty of loyalty violations, good faith violations and certain other conduct.”)
25. Malpiede v. Townson, 780 A.2d 1075, 1094 (Del. 2001).
26. Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 361 (Del. 1993).
27. See Stone, 911 A.2d at 369 (citing In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 67 (Del. 2006)) (Bad faith can be established “where the fiduciary intentionally acts with
a purpose other than that of advancing the best interests of the corporation, where
the fiduciary acts with the intent to violate applicable positive law, or where the fiduciary intentionally fails to act in the face of a
known duty to act, demonstrating a conscious disregard for his duties.”).
28. In re Caremark Int‘l Inc. Derivative Litig., 698 A.2d 959, 960–64 (Del. Ch. 1996).
29. Id. at 964.
30. Id. 698 A.2d at 966.
31. Id. at 961.
32. Id. at 967.
33. Id.
34. “IT departments are experiencing tremendous changes as their roles expand
to impact customer service, sales, and
even business strategies. As a result, organizations are increasingly turning
IT into a driving force in all aspects of business.” Daniel Newman, The Changing Role Of IT In The Future Of Business,
FORBES (July 26, 2016), https://www.forbes. com/sites/danielnewman/2016/07/26/ the-changing-role-of-it-in-the-future- of-business/#4797d950525d. See e.g., SARBANES-OXLEY ACT OF 2002, 107 P.L. 204, 116 Stat. 745, 777, P.L. 107 - 204, 2002 Enacted H.R. 3763, 107 Enacted
H.R. 3763 (Section 302 of SOX, in relevant part, requires each company to file periodic reports that the principal executive officers and the principal financial officers, or persons performing similar functions, certifying
that “the signing officers are responsible
for establishing and maintaining internal controls; have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared; have evaluated the effectiveness
of the issuer’s internal controls as of a date within 90 days prior to the report; and have
presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Moreover, “the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)
— all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.”); Jay Chaudhry, SOX Doesn’t Mean Secure: Avoid Compliance Complacency To Keep Your Enterprise Safe, FORBES (Sept.
24, 2019), https://www.forbes.com/sites/ forbestechcouncil/2019/09/24/sox-doesnt- mean-secure-avoid-compliance-complacency- to-keep-your-enterprise-safe/#56ceecf97b83 (“Some 17 years ago, the U.S. federal government enacted the Sarbanes-Oxley
Act to create better controls for and increase the visibility of financial operations. . . But when it comes to information security, by today’s standards, SOX falls short.”). In
our experience, we have observed that this divergence in industry understanding is increasingly reflected in scrutiny from outside auditors. Gaps in understanding regarding SOX’s relationship to cybersecurity issues outside the scope of financial statement integrity is an emerging issue for enterprises. Auditors are increasingly cautious about a broad variety of attestation risks in this area, especially in connection with previous audits.
35. Stone, 911 A.2d at 364 (quoting the Chancery Court opinion).
36. Id. at 365-66. 37. Id. at 364.
38. Id. at 365, 369. 39. Id. at 369-70. 40. Id. at 372.
41. See Craig A. Newman, Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement, NEW YORK TIMES, (Jan. 23, 2019), https://www. nytimes.com/2019/01/23/business/ dealbook/yahoo-cyber-security-settlement. html; see also Jennifer Bennett, Marriott Hit With Derivative Suit Over Massive Data Breach (1), BLOOMBERG LAW (Mar.
18. 2019), https://www.bloomberglaw.com/ document/XF46GBAK000000?bna_news_ filter=securities-law&jcsearch=BNA%2520000 0016991bad8f 7ab7dd9f f 047d0002#jcit.
42. See Palkon v. Holmes, No. 2:14-CV-01234 (SRC), 2014 WL 5341880, at *1 (D.N.J. Oct. 20, 2014).
43. Id. 44. Id. 45. Id.
46. Id. at 3 (“A shareholder dissatisfied
with a board’s refusal may seek to rebut
that presumption by bringing a derivative action lawsuit. The shareholder must raise
a reasonable doubt that the refusal was a business judgment, which requires pleading with particularity that the decision was either: (1) “made in bad faith,” or (2) “based on
an unreasonable investigation.”) (citations omitted).
47. Complaint at ¶ 3, Palkon v. Holmes, 2014 WL 5341880 (D.N.J. Oct. 20, 2014).
48. Id. at ¶¶ 5, 6.
49. Id. at ¶ 7.
50. Palkon, 2014 WL 5341880, at *4-5 51. Id., at *5-6.
52. Id. at *6-7. It is important to emphasize that this decision, addressing demand refusal in the wake of a cyber-incident, does not speak to pre-breach oversight standards.
53. Majority Staff Rep’t for Chairman Rockefeller, S. COMM. ON COMMERCE, SC., TRANSP., A “KILL CHAIN” ANALYSIS OF THE 2013 TARGET DATA BREACH, (2014).
54. Target Corp., Annual Report
(Form 10-Q), at 8 (May 25, 2016),
h t t p s : // w w w . s e c . g o v / A r c h i v e s / e d g a r / data/27419/000002741916000051/tgt- 2016430x10xq.htm
55. George Stahl, Target to Pay $10 Million in Class Action Over Data Breach, WALL ST. J.(March 19, 2015, 8:38 am ET), https://www.wsj.com/articles/target-to- pay-10-million-in-class-action-over-data- breach-1426768681.
56. Sruthi Ramakrishnan and Nandita Bose,
Target in $18.5 million multi-state settlement over data breach, Reuters (May 23, 2017),
h t t p s : // w w w . r e u t e r s . c o m / a r t i c l e / u s - t a r g e t - cyber-settlement/target-in-18-5-million- multi-state-settlement-over-data-breach- idUSK BN18J2GH
57. Kevin McCoy, Target to pay $18.5M for 2013 data breach that affected 41 million consumers, USA TODAY, (May 23, 2017), https://www.usatoday.com/ s t o r y / m o n e y / 2 0 1 7/ 0 5 / 2 3 / t a r g e t - pay-185m-2013-data-breach-affected- consumers/102063932/.
58. Robin Sidel, Target to Settle Claims
Over Data Breach, WALL ST. J. (Aug. 18, 2015), https://www.wsj.com/articles/target- reaches-settlement-with-visa-over-2013-data- breach-1439912013.
59. See Memorandum of Law of the Special Litig. Comm. of the Bd. of Dirs. of Target Corp. in Support of its Motion for Approval and Dismissal at 2, Davis v. Steinhafel, No. 0:14-cv-00203-PAM-JJK (D. Minn. May 6, 2016).
60. See id. at 10, 14.
61. Id. at 18.
62. Target Corp. Report of the Special Litigation Committee at 49 (March 30, 2016).
63. Id. at 50.
64. Id.
65. Id. at 52-53.
66. SLC report at 53. 67. Id. at 54.
68. Id. at 58-61. 69. Id. at 68-73.
70. See Tyler Wrightson, Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization, at 30 (2015) (“One of the most important and simple truths in this technological war is that you simply can’t afford to prevent a successful attack.”)
71. Majority Staff Rep’t for Chairman Rockefeller, S. COMM. ON COMMERCE, SC., TRANSP., A “KILL CHAIN” ANALYSIS OF THE
26 DELAWARE LAWYER SPRING 2020