Recent high-profile cyberattacks on companies including Sony, Home Depot, Target, and Yahoo underscore how important effective cybersecurity has become to a corporation’s stakeholders, including shareholders and customers. Given the serious threat hacks pose, oversight in this area has become a key duty of the corporation’s board of directors. Yet evidence shows that boards may not be prepared for, or capable of monitoring, this type of specialized risk.1
But given experts’ contention that the severity and frequency of cyberattacks will only get worse in the future, scrutiny of board action (or inaction) by shareholders and others will likely intensify.
This blog post analyzes the board’s duty of oversight in the cybersecurity context. It focuses on Delaware corporate law. It first examines Delaware’s duty of loyalty, focusing on the standards governing the board’s oversight duties as established in the Caremark line of cases. It then discusses Caremark’s application to a recent prominent shareholder derivative suit related to the breach at Wyndham Worldwide, the global hospitality chain.
The Board’s Oversight Duties Under Delaware Law
Delaware courts have established the basic standards for director liability in the oversight context through their Caremark line of cases. In Caremark the Delaware Court of Chancery held that “only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition of liability.”2 Subsequent cases have reaffirmed this standard while also clarifying the duty directors owe in this context. In Stone v. Ritter, the Delaware Supreme Court held that Caremark “articulates the necessary conditions predicate for director oversight liability,” specifically that an oversight breach occurs when the board either (1) “utterly failed to implement any reporting or information system or controls,” or (2) “having implemented such a system or controls, consciously fails to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”3
Two other cases are worth mentioning. In re Citigroup Shareholder Derivative Litigation, decided in 2009, involved a claim related to the board’s management of business risks.4 The complaint alleged that directors of Citigroup had breached their fiduciary duties by not properly monitoring and managing the company’s exposure to the subprime mortgage and credit markets and by ignoring “red flags” indicating increasingly worsening conditions in these markets and the effects those conditions had on market participants.5 There the court reiterated that in order to establish oversight liability a plaintiff “must show that the directors knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act.”6 In re Goldman Sachs Group, Inc. Shareholder Litigation, decided in 2011, addressed allegations that directors and officers of the company violated their fiduciary duties by failing to adequately monitor the company’s operations.7 There, the plaintiffs asserted that the board approved a management-compensation structure that caused management’s interests to diverge from the interests of the shareholders, which led management to pursue an unduly risky business strategy.8 These claims were based on several theories, including that the compensation scheme was itself approved in bad faith and that there was an “intentional dereliction of duty or a conscious disregard by the Director Defendants in setting compensation levels.”9 The court dismissed the plaintiffs’ claims, holding that the plaintiffs failed to make a demand upon the corporation. The allegations, if true, only supported the conclusion that the defendants made bad business decisions.
The Caremark cases illustrate how difficult it is for plaintiffs to show that directors breached their fiduciary duty of oversight. The high hurdles plaintiffs face in alleging a breach of oversight are apparent upon review of the few cases that have been brought in the cybersecurity realm.
Director Oversight and Cybersecurity
Wyndham Worldwide (“Wyndham”) is a global hospitality chain that operates hotels and other resorts. Wyndham was the subject of three cyberattacks between April 2008 and January 2010, which resulted in the theft of credit card numbers and other sensitive personal information of over six hundred thousand customers, numerous private actions against the company, and even an FTC legal action based on its insufficient security measures.10
A few months after the board had denied a shareholder’s demand to file a lawsuit based on the breaches, Dennis Palkon, another shareholder, sent a “virtually identical” demand letter to the board. The board again refused. Palkon subsequently filed a derivative lawsuit against Wyndham and several of its corporate officials, alleging that defendants “failed to implement adequate data-security mechanisms, such as firewalls and elaborate passwords, and that this failure allowed hackers to steal customers’ data.”11
Moreover, the complaint alleged that Wyndham’s security vendor “stopped providing security updates … more than three years before the intrusions,” and that these lapses in security “unreasonably and unnecessarily” exposed customers’ sensitive personal information.12 The defendants’ response focused on the contention that the board’s refusal to consider the demand was made in good faith, and the court’s analysis therefore focused on this point. Applying Delaware law, the Palkon court dismissed the plaintiff’s complaint due to problems with the plaintiff’s demand, holding that there was no conflict of interest and that the presumption of the business judgment rule insulates directors who conduct even a “cursory” investigation before refusal.13 In this case, because the shareholders could not show beyond a reasonable doubt that most of the board faced substantial liability because the board “consciously failed to act in the face of a known duty to act,” the lawsuit could not proceed. Noting that this standard is “an incredibly high hurdle,” the court also stated that “as long as the outside directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty.”14
Interestingly, the court noted in a footnote that the plaintiffs’ claim “rested on a novel theory,” distinguishing Caremark’s requirement that a corporation’s “directors utterly failed to implement any reporting or information system …[or] consciously failed to oversee its operations thus disabling themselves from being informed” from the plaintiffs’ concession that security measures did exist when the first breach occurred and that the Board had “addressed” cybersecurity issues many times.15 Similar shareholder derivative actions against directors of Target Corporation, whose breach exposed the financial data of 70 million customers and led to a stock price decrease and reputational and other financial damage, and of Home Depot, which suffered similarly, have all been dismissed by courts for the same reason.16
Given the procedural and substantive hurdles plaintiffs face to allege a breach of the duty of loyalty in the oversight context, it’s hard to imagine facts involving a generally competent board of directors at an established corporation acting in such a way that they may face liability. It seems that, for courts analyzing claims in this area, merely taking some kind of action is sufficient to monitor or oversee the corporation’s cybersecurity. But given the complexity of cybersecurity, the severe consequences an attack can have on corporations, and the role of the board in this area, it may be time for Delaware courts to better align fiduciary duty standards with the evolving expectations of shareholders and cybersecurity “best practices” by adding meaning to Caremark’s currently lax standards.
See, e.g., J. Yo-Jud Cheng and Boris Groysberg, Why Boards Aren’t Dealing with Cyberthreats, Harv. Bus. Rev. (Feb. 22, 2017), https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats (noting that “[j]ust 38% of directors reported having a high level of concern about cybersecurity risks, and an even smaller proportion said they were prepared for these risks” in a survey conducted of more than 5,000 directors in over 60 countries).
In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 371 (Del. 2006).
In re Citigroup S’holder Deriv. Litig., 964 A.2d 106 (Del. Ch. 2009).
Id. at 114.
Id. at 123.
In re Goldman Sachs Grp., Inc. S’holder Litig., No. 5215-VCG, 2011 WL 4826104 (Del. Ch. Oct. 12, 2011).
Id. at *3.
Id. at *14.
See Brent Kendall, Legal Showdown on Cybersecurity, Wall St. J. (May 12, 2013), https://www.wsj.com/articles/SB10001424127887324059704578475461266801742.
Palkon v. Holmes, No. 14-cv-01234, 2014 WL 5341880 (D.N.J. Oct. 20, 2014).
Complaint at 3, Palkon v. Holmes, No. 14-cv-01234, 2014 WL 5341880 (D.N.J. Oct. 20, 2014).
Palkon, 2014 WL 5341880, at *6-7.
Id. at *6 n.1.
See Kevin M. McGinty, A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat, Mintz Levin: Privacy & Security Matters (Dec. 2, 2016), https://www.privacyandsecuritymatters.com/2016/12/a-failed-strategy-another-derivative-action-in-a-data-breach-case-goes-down-to-defeat/.