Enhanced Scrutiny Blog: Caremark's Return Includes Potential Director Liability for Data Breaches
A Caremark action, a complaint against a board of directors alleging failure to oversee corporate operations, has been considered "the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment," or at least to survive a motion to dismiss. Yet Caremark has taken on renewed importance, as noted on this blog, following recent notable successes on demand-futility grounds, in particular in Marchand v. Barnhill in 2019 and In re Boeing in September 2021. Recent shareholder lawsuits, alleging that data breaches and cybersecurity failures could have been avoided but for the oversight failures of officers and directors, further counsel in favor of asserting Caremark claims.
In the landmark In re Caremark case, the Delaware Court of Chancery recognized the duty of directors and officers to oversee corporate operations that could create corporate liability. This duty is understood to derive from the duty of loyalty, because when directors know or should know that they have a duty to act, and they fail to do so, "they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith."
To successfully allege a Caremark claim, a plaintiff must plead facts showing that "(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention." In other words, the directors must have acted in bad faith by failing to monitor. Additionally, that failure must relate to an aspect of the business that is "mission critical."
As our "data economy" has fueled an increase in data security incidents, data security failures have in turn created significant risks for businesses. These risks take many forms, including loss of access to critical business data and IT infrastructure, successful consumer class actions, regulatory liability, and loss of, or liability to, business counterparties. Unsurprisingly, shareholder lawsuits have also followed, seeking to hold boards accountable for lax oversight that harms the company following a data security incident. To date, Caremark claims based on data security incidents have mostly failed to gain traction; the vast majority were dismissed at the motion to dismiss stage and a smaller portion settled, as our colleagues noted in an article for Bloomberg Law in 2017. Several recent cases confirm that Caremark claims remain difficult to bring (let alone win), even when those claims are based on data security incidents. But these cases also reveal potential avenues plaintiff shareholders can follow when bringing data-security-based Caremark claims.
In a case involving Marriott, Firemen's Retirement Sys. of St. Louis ex rel. Marriott Int'l, Inc. v. Sorenson, a shareholder sued the company's officers and directors for alleged oversight failures related to a 2018 data breach that exposed the personal information of about 500 million guests. On October 5, 2021, Vice Chancellor Will dismissed the Marriott shareholder's complaint for failure to plead demand futility, finding that "none of the directors faces a substantial likelihood of liability under Caremark" since the Board had a system in place to assess cybersecurity risks and did not consciously ignore the resulting red flags. As to Caremark's first prong, the court noted that Marriott's board was regularly briefed on cybersecurity threats, and it repeatedly identified data security as a priority for the company, features that the plaintiff's own complaint noted and which meant that the board had not "utterly failed" to set up a monitoring and reporting system. In alleging that the company failed to meet non-mandatory industry standards and "risked" violating certain laws, the complaint also failed to adequately plead that Marriott's board of directors had knowledge of violations of law (i.e., red flags) and ignored them.
Because the complaint failed to satisfy either Caremark prong, meaning no director faced a substantial likelihood of liability, Vice Chancellor Will determined that Marriott's board of directors remained capable of deciding whether to pursue litigation on behalf of the company, and demand was not excused. Any future lawsuits, and their choice of legal strategy, are something this blog and others will watch. But, as Vice Chancellor Will noted, while "the corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place . . . the growing risks posed by cybersecurity threats do not lower the high threshold that a plaintiff must meet to plead a Caremark claim."
Only one month later, in November 2021, and a few weeks apart, shareholders of SolarWinds and T-Mobile filed lawsuits alleging breaches of fiduciary duties by their respective boards of directors in connection with cybersecurity lapses: the SolarWinds SUNBURST breach in December 2020 that affected dozens of customers, including the United States government, and the August 2020 T-Mobile data breach affecting 54 million customers together with a February 2021 fine imposed by the Federal Communications Commission ("FCC") for data security weaknesses. Both complaints attempt to distinguish themselves from the complaint against Marriott.
The SolarWinds shareholders base demand futility primarily on the board's decision to exonerate Kevin Thompson, the former CEO, from any liability related to the SUNBURST breach and to rehire him as a "consultant" to help resolve the fallout from the breach. The complaint also appears to rely on Caremark's first prong, the "utter failure" of the board of directors to implement a control and monitoring system. Much of the complaint is redacted, including most of the section containing allegations about the board's oversight failures. But the unredacted text contains allegations that an outside consultant warned SolarWinds directors and executives about vulnerabilities in their data security systems, and about the company's apparent reluctance to strengthen them. The shareholders describe, for example, simple passwords such as "solarwinds123" used to protect critical aspects of the company's flagship software product, which the company later admitted was a vulnerability that the SUNBURST hackers exploited in their breach of data security. The plaintiffs also allege that SolarWinds advertised its high-profile clientele on its public website, providing what critics called "a shopping list for adversaries," then removed that list after the hack.
Further, in the opening paragraphs of the complaint, the shareholders state that "SolarWinds is a monoline provider" of computer software, whose success "depends on reliable access to its customers' computer systems." The choice of language invokes Marchand, where the Delaware Supreme Court emphasized Blue Bell's character as a "monoline company" whose success depends on consumer confidence in the safety of its product (ice cream).
T-Mobile's complaint contains another distinction from the Marriott complaint. The Marriott court found that the plaintiff failed to demonstrate that the board ignored known violations of law (i.e., red flags), in part because there were no violations of law for Marriott's board to ignore. Indeed, in her Marriott opinion, Vice Chancellor Will noted that "oversight failures typically occur when companies, especially those operating in a highly regulated industry, violate the law or violate regulatory mandates." In contrast, the T-Mobile shareholders allege that the company's data security flaws did result in violations of law. T-Mobile's complaint points to the FCC's investigation and the resulting fine imposed on T-Mobile in alleging that the Board was "long aware" of but "disregarded . . . red flags" related to deficiencies in the company's cybersecurity.
Whether the Caremark claims against the boards of SolarWinds and T-Mobile will survive beyond the motion to dismiss stage remains to be seen, and the contributors to this blog will be watching closely as these and similar cases unfold.