Stone v. Ritter: The Delaware Supreme Court Affirms the Caremark Standard for Corporate Compliance Programs
by Andrew J. Demetriou and Jessica T. Olmon, Fulbright & Jaworski L.L.P., Los Angeles, CA
Since the 1996 Delaware Chancery Court decision in In re Caremark International Inc. Derivative Litigation, the fiduciary duty of corporate directors has been understood to embrace the adoption and maintenance of corporate compliance programs that are designed to detect corporate wrongdoing and bring it to the attention of management and the board of directors. In its November 6, 2006 decision in Stone v. Ritter, the Delaware Supreme Court affirmed the Caremark standard for director duty and elaborated on the nature of the directors' responsibilities for conduct found to be in violation of law that causes losses to a corporation.
Stone v. Ritter involved a derivative action by shareholders of AmSouth Bancorporation ("AmSouth"), in the wake of the disclosure that AmSouth had paid $50 million in fines and civil penalties arising from violations of the federal Bank Secrecy Act. The lawsuit alleged that the directors of AmSouth had breached their duty to act in good faith because, while AmSouth maintained a program to monitor Bank Secrecy Act compliance, the program was not adequate to prevent the violations giving rise to the fines and civil penalties. The Chancery Court dismissed the complaint on the basis that, under Caremark, directors can only be liable in situations involving a sustained or systematic failure of the board to exercise oversight, and the Court found that the complaint did not establish the requisite lack of good faith on which to base liability.
In affirming the Chancery Court, the Supreme Court of Delaware established two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues; and second, there is no duty of "good faith" that forms a basis, independent of the duties of care and loyalty, for director liability. Prior to Caremark, the duty of corporate directors in instances of corporate wrongdoing was defined by the rule announced in Graham v. Allis-Chalmers Manufacturing Co., which established that unless directors had reason to believe there was wrongdoing within the corporation, the duty of care did not require that they "install and operate a corporate system of espionage" by implementing a corporate compliance program. The Caremark decision changed the standard, holding that the Board could not escape liability unless it took some actions to implement a program to detect potential violations of law or corporate policy and exercised a duty of oversight. This is understood to require that the compliance program incorporate procedures by which the Board can track and analyze compliance problems that surface and take steps to assure that they do not persist.
Consistent with the result in Caremark, the standard in Stone for director liability is whether there is a "sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists..." This standard aims to protect shareholders by ensuring that corporations will adopt reasonable programs to deter, detect and address violations of law and corporate policy, while absolving the Board from liability for corporate conduct so long as it has exercised reasonable responsibility with respect to the adoption and maintenance of a compliance and reporting system. Although the standard protects the Board, consistent with most jurisprudence under the business judgment rule, it also requires that the Board follow through to address problems of which it has notice; and this may include adopting modifications to its compliance program to address emerging risks. It is significant in this context that good faith on the part of the Board will be evaluated within the analysis of whether the Board has exercised its duties of care and loyalty, eliminating potential liability where the Board has arguably exercised due care, but may not have reasonably considered all of the risks that should be addressed by the compliance efforts, raising the question of good faith.
An important question left open by Stone is whether the Delaware courts may become embroiled in cases involving value judgments as to the adequacy of compliance programs in view of the circumstances under which they are adopted as well as in the context of changes in regulatory or other risks affecting the corporation's business. In addition, the related concern is the degree to which a pattern of violations of law or corporate policy (so-called "red flags") will create a duty for the Board to modify its compliance program or otherwise act, and this can be resolved only on a case by case basis. The result may be a change in the litigation focus from the duty of the Board to adopt a program to the process by which compliance measures are adopted and the degree to which the Board has exercised proper oversight to ensure that compliance efforts remain current or perhaps even consistent with "best practices." The Caremark decision held that the decision as to the elements of a compliance program remains squarely within the business judgment rule, and therefore the Board must satisfy the standards of due care and loyalty, but there has been little commentary concerning the duty of ongoing review and revision of the program.
Importantly, the Stone decision reinforces the proposition that directors are not responsible for ensuring the legality of every act by the corporation's personnel, even if the illegal conduct disclosed a failure of the corporate compliance program. Nonetheless, it is now beyond reasonable disagreement that corporations that are active in the healthcare industry must have an appropriate compliance program addressing such matters as kickbacks, self-referral issues and false claims, to the extent appropriate to their core business activities. Moreover, in exercising business judgment in approving a compliance plan, the Board should be advised on guidance published by the Office of Inspector General of the Department of Health and Human Services, as well as publications from private sector organizations, such as the Health Care Compliance Association, that may be viewed as defining industry standards and practices. In addition, the Board of Directors must do more than merely adopt a reasonable program; it must demonstrate the program's general effectiveness through evidence that regular reports are being made to appropriate Board organs by the compliance officers and that issues surfacing through the compliance efforts are being addressed. The Board may also be held to a duty of continuing education on developments in compliance and periodic review of the program elements to ensure that it remains reasonably effective. Counsel advising Boards of Directors on compliance issues and compliance programs need to be sensitive to changes in the regulatory environment that may signal the need for Board action, so as to preserve the protection afforded to a Board under the decision in Stone v. Ritter.