The fiduciary duty of oversight has been one of the hottest topics of discussion among practitioners and boards of directors since it was thrust back into the limelight by the Delaware Supreme Court’s decision in Marchand v. Barnhill. In Marchand, the Delaware Supreme Court reversed a decision by the Delaware Court of Chancery to dismiss, among other things, a claim for breach of the duty of oversight—known as a Caremark claim—against the directors of Blue Bell Creameries, reasoning that a successfully pled oversight claim should not be “a chimera.” Since Marchand in 2019, multiple plaintiffs have successfully overcome motions to dismiss filed by directors pursuant to oversight theories.
On January 25, 2023, in In re McDonald’s Corporation Stockholder Derivative Litigation, the Court of Chancery settled the open question of whether officers, like directors, owe a fiduciary duty of oversight. The Court explained that most officers “have particular areas of responsibility,” and that officers have a duty to make a good faith effort to ensure information systems are in place and to address and report upward red flags within their areas. The Court noted, however, that “a particularly egregious red flag might require an officer to say something even if it fell outside the officer’s domain.”
Denying defendants’ motion to dismiss, the Court in McDonald’s found that an officer’s duty of oversight is “an essential link in the corporate oversight structure,” as critical parts of an officer’s job are (i) “to identify red flags, report upward, and address them if they fall within the officer’s area of responsibility,” and (ii) “to gather information and provide timely reports to the board about the officer’s area of responsibility.” Like directors, officers will only be held liable for violations of the duty of oversight if a plaintiff can prove such officers acted in bad faith. On March 1, 2023, the Court dismissed the claim against the officer under Rule 23.1 for failure to plead demand futility, after finding that the complaint failed to plead a claim against the director defendants for breach of fiduciary duty.
Even before the Court’s ruling in McDonald’s made clear that officers owe a fiduciary duty of oversight, stockholder plaintiffs were focused on the role of technology professionals in cybersecurity incidents. In Construction Industry Laborers Pension Fund v. Bingle and Firemen’s Retirement System of St. Louis v. Sorenson, the plaintiffs alleged that the board and certain officers had breached their oversight duties in relation to cybersecurity matters. The Court in both cases dismissed the claims after determining the companies’ boards were sufficiently independent and disinterested to determine for each corporation whether to bring the claims and therefore did not reach the issue addressed in McDonald’s. Now that McDonald’s has clarified that officers have a duty of oversight as well, the question is whether and when officers might be on the hook for overseeing data privacy and security.
In Firemen’s Retirement System of St. Louis v. Sorenson, plaintiff brought Caremark claims against the board of directors of Marriott International, Inc. following a data security breach that exposed the personal information of up to 500 million guests. In dismissing the claims under Rule 23.1 for failure to plead demand futility, the Court credited the Marriott board’s systems to assess cybersecurity risks. The board and audit committee were “routinely apprised on cybersecurity risks and mitigation, provided with annual reports … that specifically evaluated cyber risks, and engaged outside consultants to improve cybersecurity practices.” Notably, the Court further found that when management discovered “red flags” related to cybersecurity, relevant reports were delivered to the board. The Court found that cybersecurity “is an area of consequential risk that spans modern business sectors” and that the “corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.” Following the holding in McDonald’s, it is probable that Delaware courts will equally call upon the appropriate officers to focus on reporting red flags to the board and how such red flags are addressed.
Almost one year later, in Construction Industry Laborers Pension Fund v. Bingle, a plaintiff brought Caremark claims against SolarWinds’ board of directors following a major cyberattack on the company’s software system, through which Russian hackers were able to insert malware that gained access to up to 18,000 of SolarWinds’ clients’ systems. The directors were alleged to have failed to monitor the company’s efforts to prevent cybercrime. The Court dismissed these claims under Rule 23.1 and, in so doing, found that the SolarWinds board (i) did not utterly fail to implement a reporting system for cybersecurity risks, since both the nominating and corporate governance committee and the audit committee were charged with oversight responsibility for cybersecurity, and (ii) did not ignore any red flags related to cybersecurity risks. Notably, in its analysis, the Court described the reporting systems SolarWinds had in place as “subpar” because, among other reasons, the board did not receive any reports from either committee with respect to cybersecurity for over two years.