Overseeing Cybersecurity Risk: Confirmation of Officer Oversight Duties Could Mean Increased Personal Risk for Data Privacy and Cybersecurity Breaches

The fiduciary duty of oversight has been one of the hottest topics of discussion among practitioners and boards of directors since it was thrust back into the limelight by the Delaware Supreme Court’s decision in Marchand v. Barnhill. In Marchand, the Delaware Supreme Court reversed a decision by the Delaware Court of Chancery to dismiss, among other things, a claim for breach of the duty of oversight—known as a Caremark claim—against the directors of Blue Bell Creameries, reasoning that a successfully pled oversight claim should not be “a chimera.” Since Marchand in 2019, multiple plaintiffs have successfully overcome motions to dismiss filed by directors pursuant to oversight theories.

On January 25, 2023, in In re McDonald’s Corporation Stockholder Derivative Litigation, the Court of Chancery settled the open question of whether officers, like directors, owe a fiduciary duty of oversight. The Court explained that most officers “have particular areas of responsibility,” and that officers have a duty to make a good faith effort to ensure information systems are in place and to address and report upward red flags within their areas. The Court noted, however, that “a particularly egregious red flag might require an officer to say something even if it fell outside the officer’s domain.”

Denying defendants’ motion to dismiss, the Court in McDonald’s found that an officer’s duty of oversight is “an essential link in the corporate oversight structure,” as critical parts of an officer’s job are (i) “to identify red flags, report upward, and address them if they fall within the officer’s area of responsibility,” and (ii) “to gather information and provide timely reports to the board about the officer’s area of responsibility.” Like directors, officers will only be held liable for violations of the duty of oversight if a plaintiff can prove such officers acted in bad faith. On March 1, 2023, the Court dismissed the claim against the officer under Rule 23.1 for failure to plead demand futility, after finding that the complaint failed to plead a claim against the director defendants for breach of fiduciary duty.

Even before the Court’s ruling in McDonald’s made clear that officers owe a fiduciary duty of oversight, stockholder plaintiffs were focused on the role of technology professionals in cybersecurity incidents. In Construction Industry Laborers Pension Fund v. Bingle, and Firemen’s Retirement System of St. Louis v. Sorenson,the plaintiffs alleged that the board and certain officers had breached their oversight duties in relation to cybersecurity matters. The Court in both cases dismissed the claims after determining the companies’ boards were sufficiently independent and disinterested to determine for each corporation whether to bring the claims and therefore did not reach the issue addressed in McDonald’s. Now that McDonald’s has clarified that officers have a duty of oversight as well, the question is whether and when officers might be on the hook for overseeing data privacy and security.

In Firemen’s Retirement System of St. Louis v. Sorenson, plaintiff brought Caremark claims against the board of directors of Marriott International, Inc. following a data security breach that exposed the personal information of up to 500 million guests. In dismissing the claims under Rule 23.1 for failure to plead demand futility, the Court credited the Marriott board’s systems to assess cybersecurity risks. The board and audit committee were “routinely apprised on cybersecurity risks and mitigation, provided with annual reports … that specifically evaluated cyber risks, and engaged outside consultants to improve cybersecurity practices.” Notably, the Court further found that when management discovered “red flags” related to cybersecurity, relevant reports were delivered to the board. The Court found that cybersecurity “is an area of consequential risk that spans modern business sectors” and that the “corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.” Following the holding in McDonald’s, it is probable that Delaware courts will equally call upon the appropriate officers to focus on reporting red flags to the board and how such red flags are addressed.

Almost one year later, in Construction Industry Laborers Pension Fund v. Bingle, a plaintiff brought Caremark claims against SolarWinds’ board of directors following a major cyberattack on the company’s software system, through which Russian hackers were able to insert malware that gained access to up to 18,000 of SolarWinds’ clients’ systems. The directors were alleged to have failed to monitor corporate efforts in a way that prevented cybercrimes. The Court dismissed these claims under Rule 23.1 and, in so doing, found that the SolarWinds board (i) did not utterly fail to implement a reporting system for cybersecurity risks, since both the nominating and corporate governance committee and the audit committee were charged with oversight responsibility for cybersecurity, and (ii) did not ignore any red flags related to cybersecurity risks. Notably, in its analysis, the Court described the reporting systems SolarWinds had in place as “subpar” because, among other reasons, the board did not receive any reports from either committee with respect to cybersecurity for over two years.

The Bingle Court held that “a subpar reporting system between a Board subcommittee and the fuller Board[, however,] is not equivalent to an ‘utter failure to attempt to assure’ that a reporting system exists.” Accordingly, the Court continued “[w]ithout a pleading about the Committees’ awareness of a particular threat, or understanding of actions the Board should take, the passage of time alone under these particular facts does not implicate bad faith.” The Court was not required to address, however, whether SolarWinds’ officers had adequately complied with their oversight duties in reporting to the board or had received information amounting to a red flag.

Given these prior attempts by plaintiffs to plead cybersecurity-related Caremark claims, what should companies be focused on in the wake of the McDonald’s holding? The Court in McDonald’s observed that, unlike directors, “nondirector officers may have a greater capacity to make oversight and strategic decisions on a day-to-day basis.” Furthermore, the Court found that “[a]s the day-to-day managers of the entity, the officers are optimally positioned to identify red flags and either address them or report upward to more senior officers or to the board. The officers are far more able to spot problems than part-time directors who meet a handful of times a year.” Accordingly, companies should focus on determining which officers’ “areas of responsibility” could be viewed to encompass data privacy or cybersecurity, as the cybersecurity-specific oversight by such officers will likely now face greater scrutiny. This analysis, unfortunately, may not be as straightforward as one would hope, particularly since there exists no single comprehensive data privacy law in the United States to provide guidance. Instead, companies must consider the various state laws to which they might be subject—such as the recently adopted and fairly comprehensive California Privacy Rights Act (“CPRA”)—and federal laws and regulations enforced by federal agencies, like the Federal Trade Commission.

If a company has a Chief Technology Officer, Chief Privacy Officer, and/or Data Protection Officer—which is required under the European Union’s data privacy law, the General Data Protection Regulation—it seems likely a court would find that data protection and cybersecurity fall within that officer’s area of responsibility, and therefore that each officer has a fiduciary duty to oversee data management and protection. But who else might be responsible for overseeing those matters? Would a company’s Chief Human Resources Officer be potentially liable for breach of fiduciary duty if there is a cybersecurity breach or if employee data is compromised? One could imagine a scenario in which a court might find that a human resources professional is responsible for oversight of employee information received pursuant to the Americans with Disabilities Act or Fair Credit Reporting Act, and therefore owes a fiduciary duty of oversight with respect to the protection of such data.

Furthermore, to what extent would a Chief Executive Officer, especially a technology-oriented one, a Chief Compliance Officer, or even a Chief Legal Officer be liable for cybersecurity oversight, given that the Court in McDonald’s found such officers “likely will have company-wide oversight portfolios”? Given that the CEO, CCO, and CLO are charged with broader oversight responsibilities, a court’s analysis of the exercise of fiduciary duties might more closely resemble the board-level duty of oversight analyses conducted in Sorenson and Bingle.

Recent Delaware caselaw suggests that fiduciaries of many companies may owe a duty of oversight encompassing the protection of consumer data and cybersecurity. The Court’s ruling in McDonald’s makes clear that such duty would be owed not only by a company’s directors, but also by those officers whose areas of responsibility include consumer data and cybersecurity. For some companies, it may be clear who should be responsible for cybersecurity oversight; for others, it may be advisable to delineate the roles and responsibilities of executive officers and board committees such that it is clear which officers are charged with oversight responsibility over specific functions. Companies should, at a minimum, make an effort to determine which of the officers are principally responsible for the establishment and monitoring of the company’s data and information protection systems. Such efforts could potentially prevent confusion regarding responsibilities, increase the likelihood that cybersecurity-related issues are identified and addressed in a timely manner, and help directors establish the reporting system required by Delaware law. The law recognizes that no system is foolproof. Fiduciary liability is not premised on the occurrence of the underlying event but rather the failure of officers and directors to make a good faith effort to attempt to establish systems of controls or the failure to report clear red flags when they emerge.

This area of Delaware law is rapidly developing. Similarly, data privacy law in the United States is continually evolving, and a handful of states have enacted comprehensive legislation specific to data privacy, including the CPRA, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, and many others have similar legislation under consideration or pending. Companies should therefore stay apprised of potentially relevant data privacy legislation, as well as future cases resolving cybersecurity-related and/or officer-level Caremark claims.