The Business Lawyer

Spring 2023 | Volume 78, Issue 2

Corporate Compliance Survey

Paul Eugene McGreal


  • Part I discusses how turnover at the National Labor Relations Board (“NLRB”) will soon change its approach to review of employer policies, including workplace rules that promote civility and require confidentiality during internal investigations.
  • Part II reviews a pending Supreme Court case concerning application of the attorney-client privilege to dual-purpose communications.
  • Part III concludes with a review of recent Delaware court decisions that discuss the fiduciary duty to oversee a company’s compliance and ethics program in the context of so-called “mission critical” risks.

This is the fourteenth survey from the Corporate Compliance Committee. This survey summarizes selected legal developments regarding corporate compliance and ethics programs, which consist of an organization’s code of conduct, policies, and procedures designed to achieve compliance with applicable legal regulations and internal ethical standards. For an overview and introduction to the subject, as well as updates from past years, please see the prior surveys. This update assumes familiarity with the background and overview discussed there.

This Survey discusses three developments since the last installment. Part I discusses how turnover at the National Labor Relations Board (“NLRB”) will soon change its approach to review of employer policies, including workplace rules that promote civility and require confidentiality during internal investigations. Part II reviews a pending Supreme Court case concerning application of the attorney-client privilege to dual-purpose communications. And Part III concludes with a review of recent Delaware court decisions that discuss the fiduciary duty to oversee a company’s compliance and ethics program in the context of so-called “mission critical” risks.

I. NLRB Developments

As of this writing, we are in the midst of yet another about-face in the NLRB’s application of the National Labor Relations Act (“NLRA”) to employer regulations of the workplace. This change stems from an anticipated re-reinterpretation of sections 7 and 8 of the NLRA. Section 7 provides in relevant part: “Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection … .” Section 8 then prohibits employers from interfering with an employee’s rights under section 7. The NLRB has applied these provisions to non-union employees who engage in “concerted activities for purposes of … mutual aid or protection,” such as discussing the terms and conditions of employment with co-workers.

The NLRB’s interpretation of these provisions affects a wide variety of workplace policies. For example, the NLRB applies sections 7 and 8 to employer rules governing workplace speech, employee use of social media, possession of mobile phones and recording devices in the workplace, and confidentiality. Indeed, the last Survey discussed cases that review employer rules concerning confidentiality of internal investigations, confidentiality of customer and employee information, profane or offensive employee speech, and other workplace concerns.

One frustration for employers is that the NLRB’s interpretation of sections 7 and 8 has changed—dramatically—from one presidential administration to the next. During the administration of President Barack Obama, the NLRB aggressively scrutinized workplace rules under an interpretation of sections 7 and 8 that was more employee friendly. This led to findings that a wide array of employer policies violated the NLRA. During the administration of President Donald Trump, the NLRB reversed course and gave greater deference to employers. This approach, not surprisingly, led the NLRB to uphold workplace policies that had previously been found unlawful. Since the last Survey, President Joseph Biden has taken office and appointed a majority of the NLRB, and all signs point to yet another reversal of course. So, employers who breathed a sigh of relief during the Trump Administration should brace themselves for another period of increased scrutiny.

Section A describes the NLRB’s prevailing interpretation of sections 7 and 8 concerning employer workplace rules. Section B explains how the NLRB applied this interpretation to employer policies that require confidentiality of workplace investigations. Section C concludes with developments since the change in administrations that signal a coming change in the law.

A. The NLRB’s Current Test for Workplace Policies

Prior to 2017, the NLRB scrutinized workplace policies under a test announced in the case Lutheran Heritage Village-Livonia. Under that test, a workplace rule violates the NLRA if it specifically prohibits conduct protected by section 7, or if “(1) employees would reasonably construe the language to prohibit Section 7 activity; (2) the rule was promulgated in response to union activity; or (3) the rule has been applied to restrict the exercise of Section 7 rights.” The last two prongs were not onerous because companies could take care that policies were not promulgated in response to union activity and that the rules were not applied to protected conduct. The NLRB, however, interpreted the first prong’s “reasonably construe” test quite broadly, essentially asking whether it was conceivable that an employee might understand a policy provision to restrict some protected employee speech. Under this broad interpretation, the NLRB struck down a wide variety of workplace civility rules on the ground that they might chill employee speech about terms and conditions of employment.

In December 2017, after appointments to the NLRB by President Trump, the NLRB decided The Boeing Company case, which replaced the Lutheran Heritage approach with a balancing test. The decision explained that Lutheran Heritage conflicted with Supreme Court precedent because it allowed invalidation of employer policies without consideration of legitimate business justifications. Additionally, the Boeing decision criticized what it characterized as inconsistent results under Lutheran Heritage that left employers unsure of the limits on their policy-drafting authority. Thus, a new legal standard was needed to honor Supreme Court precedent and the interests of employers and employees.

The new legal standard announced in Boeing consisted of a two-step analysis for evaluating employer policies. The first step was to balance the policy’s burden on the employee’s NLRA rights against the employer’s legitimate business interest in the challenged policy. This analysis determined whether, on balance, the challenged policy provision was lawful under the NLRA. In the second step, the NLRB placed the general type of policy provision at issue (e.g., workplace civility, confidentiality, etc.) into one of three categories for purposes of future decision making: policies that were per se lawful (what it called “Category 1”); policies that were subject to case-by-case analysis (what it called “Category 2”); or policies that were per se unlawful (what it called “Category 3”). In addition, Category 1 had two parts: Category 1(a) included any policy that “when reasonably interpreted, does not prohibit or interfere with the exercise of NLRA rights,” and Category 1(b) included any policy where “the potential adverse impact on protected rights is outweighed by justifications associated with the rule.”

Boeing anticipated that future NLRB decisions would designate types of policies among the three categories, and the categories would eventually become a threshold step of the analysis. That is, the NLRB would first decide whether the challenged employer policy falls in Category 1 (per se lawful), Category 2 (subject to the case-by-case balancing test), or Category 3 (per se unlawful). While Boeing yielded an initial period of uncertainty, subsequent NLRB decisions slotted types of workplace policies into the three categories, giving employers more concrete guidance.

The Boeing test rejected the NLRB’s prior approach of reading employer workplace rules with suspicion. This could be seen when the NLRB applied the Boeing test to two challenged employer policies in LA Specialty Produce Company. There, one policy prohibited employees from disclosing vendor or client lists, and the other policy barred employees from speaking with or providing information to the media. The NLRB decided that both challenged policies fell in Boeing Category 1(a) as presumptively lawful. While both policies could be read to prohibit protected employee speech, the NLRB decided that each “rule, when reasonably interpreted, does not prohibit or interfere with the exercise of NLRA rights.” LA Specialty Produce Company established the following interpretive canon for workplace policies: when a policy is reasonably capable of two or more interpretations, choose the interpretation that is least restrictive of an employee’s rights under the NLRA. This de facto canon recognized the reality that even carefully drafted workplace policies will have ambiguities or imprecise passages, and the drafter should not be penalized unless the language clearly limits protected employee speech. Under this approach, the NLRB deferred to the drafters of employer workplace policies.

Boeing initiated a new era of NLRB review of workplace rules. Whereas the Lutheran Heritage regime indulged almost every inference against legality, the Boeing approach weighs the employer’s business interests more heavily, which tips the scale in favor of many formerly suspect workplace rules. In doing so, Boeing replaced hyper-scrutiny with deference to workplace policy drafters. As the NLRB decided cases over the last three years, it sorted workplace rules among the three Boeing categories and reversed restrictive precedents that had limited the permissible range of workplace policies.

B. Confidentiality of Workplace Investigations

The Boeing test also changed the NLRB’s approach to employer requests for confidentiality during workplace investigations. Pre-Boeing, the NLRB had decided that while confidentiality serves an employer’s legitimate interest to “ensure that witnesses were not put in danger, that evidence was not destroyed, and testimony was not fabricated,” an employer must specifically establish this business justification for each individual workplace investigation. Consequently, an employer could not mandate confidentiality for either all or a designated category of investigations. The NLRB most clearly stated this case-by-case approach to confidentiality of internal investigations in Banner Estrella Medical Center. There, the NLRB found that Banner maintained a practice of requiring confidentiality in categories of investigations, such as sexual harassment complaints, and that doing so violated the case-by-case requirement.

Post-Boeing, the NLRB revisited the confidentiality of internal investigations in Apogee Retail LLC, which involved two employer rules. The first rule was in the employer’s “Code of Business Conduct and Ethics,” and it addressed participants in an internal investigation of “illegal or unethical behavior”: “Reporting persons and those who are interviewed are expected to maintain confidentiality regarding these investigations.” The second rule was in the employer’s “Loss Prevention Policy” and prohibited “unauthorized discussion of investigation or interview with other team members.”

The NLRB overruled Banner Estrella and instead applied the Boeing framework to the confidentiality rules. As with Boeing’s critique of Lutheran Heritage, the Apogee Retail opinion criticized Banner Estrella for undervaluing employers’ legitimate business interests:

(1) to ensure the integrity of the investigation, (2) to obtain and preserve evidence while employees’ recollection of relevant events is fresh, (3) to encourage prompt reporting of a range of potential workplace issues—unsafe conditions or practices, bullying, sexual harassment, harassment based on race or religion or national origin, criminal misconduct, and so forth—without employee fear of retaliation, and (4) to protect employees from dissemination of their sensitive personal information.

These interests also protect employees, as when harassment is promptly reported and remediated, or employees who report wrongdoing are protected from retaliation. Since these interests exist across all internal investigations, Banner Estrella’s case-by-case approach imposed a needless burden on employers. And perhaps worse, because at least some investigation would be needed for an employer to even perform Banner Estrella’s case-by-case determination, an employer could never ensure confidentiality throughout an investigation, sacrificing the employer and employee’s shared interests.

Applying Boeing, the NLRB decided that Apogee Retail’s confidentiality rules fell in Category 1(b) when applied to an ongoing workplace investigation. The NLRB acknowledged that the rules restricted protected speech by preventing employees from discussing their participation in a workplace investigation. That limitation, however, is “comparatively slight” since employees can still talk about the underlying workplace incident apart from the investigation, or about the conduct of workplace investigations generally. Conversely, the employer had strong interests in protecting the workplace and the integrity of the investigations. On balance, then, the employer’s interest in confidentiality during an internal investigation outweighed the burden on protected employee speech.

C. Another Change Is on the Horizon

With appointees of President Biden now a majority of the NLRB, it appears that the Boeing era will soon come to an end. The first signal came after President Biden terminated then-NLRB General Counsel Peter Robb. This change was significant because the General Counsel has authority to set the NLRB’s enforcement agenda by selecting which cases to pursue and what positions to take in those cases. Regional Director Peter Ohr took over as acting General Counsel, and over the next year President Biden appointed Jennifer Abruzzo as the new General Counsel as well as two new NLRB members, which constituted a majority of Democratic appointees to head the agency. As happened four years before, the stage was set for another change in course.

The first indication of a coming change was a Memorandum from acting General Counsel Ohr, who rescinded a Trump Administration General Counsel Memorandum that provided guidance on applying the Boeing test to a variety of workplace policies. Soon after, Ohr sought to withdraw an appeal that the prior General Counsel had filed in Stericycle, Inc. and Teamsters Local 628. The Administrative Law Judge in that case had held that the employer’s workplace policy concerning the confidentiality of internal investigations violated the NLRA, and the prior General Counsel asked the NLRB to overturn that ruling under Boeing and Apogee. The NLRB granted Ohr’s request to withdraw the appeal, which left in place the ALJ’s decision invalidating the workplace policy under pre-Boeing NLRB precedent.

Upon taking office in August 2021, General Counsel Abruzzo made clear that one of her priorities was to seek NLRB re-examination of the Boeing test. In General Counsel Memorandum 21-04, Abruzzo directed regional NLRB offices to submit a list of issues and matters for centralized review by the Division of Advice in the Office of General Counsel. The Division of Advice would weigh in on whether to “reexamine these areas and counsel the General Counsel’s office on whether change is necessary to fulfill the Act’s mission.” On the top of the list was the “doctrinal shift” made by the Boeing decision, with regional offices directed to submit for centralized review all cases involving application of the Boeing test to employee handbook rules and “confidentiality rules applicable to workplace investigations.” The expectation was that Abruzzo would soon after seek reversal of the Boeing test.

That expectation was fulfilled within the year when the NLRB took the unusual step of seeking briefing in a pending case on whether to abandon the Boeing test. In January 2022, in the Stericycle case discussed above, the NLRB issued a “Notice and Invitation to File Briefs” that contained the following passage:

[T]he parties and interested amici are invited to file briefs addressing the following questions:

1. Should the Board continue to adhere to the standard adopted in Boeing Co., 365 NLRB No. 154 (2017), and revised in LA Specialty Produce Co., 368 NLRB No. 93 (2019)?

2. In what respects, if any, should the Board modify existing law addressing the maintenance of employer work rules to better ensure that:

(a) the Board interprets work rules in a way that accounts for the economic dependence of employees on their employers and the related potential for a work rule to chill the exercise of Section 7 rights by employees;
(b) the Board properly allocates the burden of proof in cases challenging an employer’s maintenance of a work rule under Section 8(a)(1); and
(c) the Board appropriately balances employees’ rights under Section 7 and employers’ legitimate business interests?

3. Should the Board continue to hold that certain categories of work rules—such as investigative-confidentiality rules as addressed in Apogee Retail LLC d/b/a Unique Thrift Store, 368 NLRB No. 144 (2019) … —are always lawful to maintain?

In all, the NLRB received fifteen briefs in response to this request, including one filed in March 2022 on behalf of the Office of General Counsel. That brief made clear the General Counsel’s position: Boeing established a test “that fails to protect employees from the chilling effects of overbroad rules on the exercise of statutory rights,” and so “the Board should overrule Boeing and Apogee in favor of standards based on Lutheran Heritage and Banner.” In short, General Counsel Abruzzo urged the NLRB to abandon the Boeing and Apogee tests discussed above, and return to the pre-Boeing tests for workplace rules and investigations set forth in Lutheran Heritage and Banner Estrella. While the expectation is that the NLRB will follow the General Counsel’s lead, as of this writing, the NLRB has not released a decision in the Stericycle case. And so, the Boeing test remains the NLRB’s prevailing standard while the current General Counsel holds all matters that apply that test under the Memorandum directing regional offices to submit those cases to the Division of Advice.

II. The Attorney-Client Privilege and Dual-Purpose Communications

This Term, in the case In re Grand Jury, the Supreme Court heard oral argument on application of the attorney-client privilege to dual-purpose communications under the Federal Rules of Evidence. The case involved a grand jury subpoena to a company and its law firm for documents related to a criminal investigation. The documents were created during the law firm’s tax preparation work for the company, and the company and the law firm claimed that those documents were protected by the attorney-client privilege. The district court rejected this argument, adopting the “primary purpose” test for attorney-client communications made for more than one reason. Under that test, a court asks “whether the primary purpose of the communication is to give or receive legal advice, as opposed to business or tax advice.” The district court found that “the ‘primary purpose’ of the [subpoenaed] documents was to obtain tax advice, not legal advice,” and so the privilege did not attach. The Ninth Circuit affirmed the district court.

The Supreme Court granted certiorari to decide the proper privilege test for dual-purpose attorney-client communications. Federal Rule of Evidence 501 commits this question to the federal courts: “The common law—as interpreted by United States courts in the light of reason and experience—governs a claim of privilege … .” Exercising this discretion, lower courts have adopted three different interpretations of the privilege for dual-purpose communications:

  • First, the Ninth Circuit and other courts apply the “primary purpose” test described above.
  • Second, the Seventh Circuit has held that dual-purpose communications are not protected by the attorney-client privilege. And so, “a document prepared for use in preparing tax returns and for use in litigation … is not privileged.”
  • Third, somewhere in between the first two tests, the District of Columbia Court of Appeals held that a communication is protected if “obtaining or providing legal advice was one of the significant purposes.” For example, communications made during an internal investigation might be made both to obtain legal advice concerning suspected wrongdoing, and to comply with a regulatory requirement. A communication would be protected if obtaining legal advice was a “significant purpose,” even if another business purpose for the communication also existed. The Petitioner’s Brief advocates adoption of this test.

In addition, the American Bar Association, in an amicus brief filed in the case, urged the Court to adopt a fourth approach: “Attorneys and clients should be able to have certainty that their communications are privileged so long as any purpose of those communications is to obtain or provide legal advice and no other well-established exception applies.” This test would eliminate any consideration of the significance or role of legal advice in the communication, as long as seeking such advice is one of the purposes.

The Supreme Court’s decision in this case will have important implications for compliance professionals. Compliance officers are often licensed attorneys, and their work may straddle the line between providing legal advice and advising on business matters like risk management, corporate governance, and compliance and ethics programs. For example, in designing and implementing a compliance and ethics program, a compliance officer may interpret the underlying law to assist with drafting corporate policies or designing training programs. This work could include legal advice concerning application of the underlying law to the business of the compliance officer’s employer. Such application of law to business circumstances can be characterized as a form of legal advice. The compliance officer, however, will also work on practical issues such as how to effectively communicate and implement a corporate policy, or how best to deliver and measure the effectiveness of the training (e.g., online or in-person training, follow-up surveys to assess comprehension). This work could be characterized as business advice concerning the best allocation of limited compliance resources.

Whether the attorney-client privilege protects communications generated during this work will depend on the test that the Supreme Court adopts:

  1. The communications would not be protected under the Seventh Circuit approach because that test does not protect dual-purpose communications like this.
  2. The communications would likely not be protected under the Ninth Circuit’s “primary purpose” test because legal advice could be characterized as an ancillary purpose to the primary business purpose of designing and implementing a compliance and ethics program.
  3. It is not clear whether the communications would be protected under the District of Columbia’s “significant purpose” test. The Kellogg case, though, supports an argument that the protection should apply. In Kellogg, the internal investigation had arguably co-equal and complementary purposes—provide legal advice while complying with a regulatory requirement. The same could be said of the compliance and ethics example discussed above—the legal advice and compliance and ethics tasks are intertwined and inseparable.
  4. The communications should be protected under the ABA’s “any purpose” test because legal advice was a purpose of the compliance officer’s work.

There are two important caveats about the limits to the Supreme Court’s decision in this case. First, the decision will not apply to civil and criminal matters in state court where the state rules of evidence apply. Second, even in federal courts, the Federal Rules of Evidence do not apply to civil claims based on state law. Rule 501 specifically provides that state rules of evidence apply to such claims. And so, while the Supreme Court’s decision in In re Grand Jury will set an important precedent for attorney-client privilege in federal courts for matters under federal law, corporate counsel must remain attentive to potentially applicable privilege rules under state law.

III. The Caremark Duty of Oversight

Part III reviews case law developments under the state corporate law duty of officers and directors, established in In re Caremark International Inc. Derivative Litigation, to oversee a corporation’s legal compliance efforts. As discussed in the last Survey, Marchand v. Barnhill, a Delaware Supreme Court case from May 2019, heightened this oversight duty for directors of certain corporations. Section A reviews the origin and nature of the Caremark claim, section B describes the Marchand decision, and Section C reviews recent Delaware decisions that have construed and applied Marchand.

A. The Caremark Claim

In dicta in its 1996 decision In re Caremark International Inc. Derivative Litigation, the Delaware Court of Chancery addressed the board’s duty to oversee a corporation’s legal compliance efforts. As part of its duty to monitor, the board must make good-faith efforts to ensure that a corporation has adequate reporting and information systems. The court described a claim for breach of that duty as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” with liability attaching only for “a sustained or systematic failure of the board to exercise oversight” or “an utter failure to attempt to assure a reasonable information and reporting system exists.”

Soon after the decision, this dicta morphed into what has become known as a Caremark claim, as federal and state courts, both within and outside Delaware, recognized a cause of action against boards for failing to take minimal steps to achieve legal compliance. As the phrases “systematic failure” and “utter failure” suggest, a board’s Caremark duty is relatively low. Only egregious lapses breach this duty, such as when board members ignore obvious red flags signaling illegal behavior, fail to appoint or convene an audit committee, or fail to address obvious concerns such as large loans to corporate insiders.

In Stone ex rel. AmSouth Bancorp. v. Ritter, the Delaware Supreme Court formally embraced the Caremark claim. The court both confirmed the elements of a Caremark duty and clarified that breach of that duty constitutes a breach of the director’s duty of loyalty:

We hold that Caremark articulates the necessary conditions predicate for director oversight liability: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.

The court in Stone, then, adopted the Caremark duty and restated it as having two components. First, there is a director’s initial duty to address compliance and ethics. The director breaches this branch of the Caremark duty by failing to take any action directed toward establishing a compliance and ethics program.

Second, directors have an ongoing duty to address compliance and ethics. The director breaches this component of the Caremark duty if she learns of a specific gap or weakness in the organization’s compliance and ethics program, but takes no action to address that failing. For example, a director may actually know of a new regulatory scheme or requirement that directly affects the business of her corporation, and then fail to inquire whether the organization is taking measures to comply with the new law. Or a board that charged management with implementing a compliance and ethics program may never receive or request reports on the design, implementation, and operation of the program. Note that, in both these examples, the board’s failure is to not inquire of management; the board need not actually design or implement the program itself. Recall that the director’s duty is one of oversight, and the board may rely on management in satisfying this duty.

The Delaware courts have been demanding of plaintiffs who allege breach of either component of the Caremark duty—the initial or ongoing duty of oversight. First, as to breach of a director’s initial duty, the reported decisions require the plaintiff to plead that the director took no actions related to compliance and ethics. A prior survey discussed a case where the plaintiff adequately pled that the directors consciously did nothing to prevent legal wrongdoing. In that case, the directors were described as “stooges” for the corporation’s president, who was looting the corporation of its assets. Because the directors literally did nothing at all—never even met—the inference of conscious disregard was inescapable. Indeed, given that the directors were “stooges,” it is possible they did not know a duty of oversight existed. The court’s decision implies, then, that conscious disregard does not require that the director was specifically aware of her Caremark duty. Of course, this makes sense—directors ought not be rewarded for ignorance of the fiduciary duties they voluntarily undertake as directors.

The pleading standard is also quite rigorous for the ongoing Caremark duty. The Delaware courts have stated the high pleading threshold as follows: “Plaintiffs must plead specific facts that show the directors knowingly disregarded their ongoing duty to oversee the organization’s compliance and ethics program.” These courts have consistently held that a plaintiff does not meet this burden by pleading that the organization committed such egregious or widespread wrongdoing that the directors must have known about and ignored the legal problem. In short, the degree or scope of wrongdoing standing alone, however severe, does not give rise to an inference that directors were conscious of the organization’s legal problems. Instead, the plaintiff must allege facts showing that the directors actually knew of the wrongdoing or red flags indicating legal violations.

B. Marchand v. Barnhill

The Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill may have heightened the director’s Caremark duty under certain circumstances, and thereby made it easier for plaintiffs to plead a Caremark claim. Marchand involved a shareholder derivative suit against Blue Bell Creameries USA, Inc., an ice cream manufacturer. Due to unsanitary conditions at its facilities, Blue Bell distributed ice cream contaminated with listeria, which led to three deaths, multiple illnesses, and a national recall of all Blue Bell products. The contamination resulted in a criminal proceeding for violations of federal food and drug laws and a “liquidity crisis” for the company. Shareholders claimed that these losses resulted from board members’ breach of their duty of oversight under Caremark. The Delaware Chancery Court dismissed the Caremark claim, finding that Blue Bell had some food safety measures in place and so the board members had not “utterly failed” to address compliance. The shareholders appealed to the Delaware Supreme Court.

The Delaware Supreme Court conceded that Blue Bell had in place minimal measures to comply with federal and state food and drug safety laws. While past cases had dismissed an initial Caremark claim when such general organizational compliance measures existed, Marchand focused on the board’s own compliance processes, referring fourteen times to the need for various “board-level” compliance measures. Indeed, the court specifically noted the following failings of the Blue Bell board:

  • no board committee that addressed food safety existed;
  • no regular process or protocols that required management to keep the board apprised of food safety compliance practices, risks, or reports existed;
  • no schedule for the board to consider on a regular basis, such as quarterly or biannually, any key food safety risks existed;
  • during a key period leading up to the deaths of three customers, management received reports that contained what could be considered red, or at least yellow, flags, and the board minutes of the relevant period revealed no evidence that these were disclosed to the board;
  • the board was given certain favorable information about food safety by management, but was not given important reports that presented a much different picture; and
  • the board meetings are devoid of any suggestion that there was any regular discussion of food safety issues.

Notice what is not listed above: that the board knew, or had received information indicating (i.e., so-called red flags), that Blue Bell had food safety problems. Indeed, the court notes that all was well according to the information that the board had received. Under prevailing caselaw, these allegations would not state a claim for breach of the ongoing Caremark duty, which requires facts showing the board’s awareness—through actual knowledge or red flags—of the alleged wrongdoing.

Lacking allegations to support breach of either the initial or ongoing Caremark duty, the court tweaked the initial Caremark duty to require board members to implement certain board-level compliance measures. The following passage is illustrative:

Caremark does have a bottom-line requirement that is important: the board must make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting. Thus, our case law gives deference to boards and has dismissed Caremark cases even when illegal or harmful company activities escaped detection, when the plaintiffs have been unable to plead that the board failed to make the required good faith effort to put a reasonable compliance and reporting system in place.

The references to failing to “put in place” adequate compliance measures are similar to the initial Caremark duty that a board has “utterly failed to implement” such measures. This view is further supported by the opinion’s introduction, which summarized the court’s decision: “we hold that the complaint alleges particularized facts that support a reasonable inference that the Blue Bell board failed to implement any system to monitor Blue Bell's food safety performance or compliance.”

By treating the claim as a breach of the initial Caremark duty, the court essentially required minimal board-level compliance measures for some corporations. The court defined the required compliance measures in the negative by noting what Blue Bell lacked. The quote above identifies three minimal board-level compliance requirements:

  • Establish a board committee for a mission-critical risk.
  • Establish regular process or protocols that require management to keep the board apprised of mission-critical compliance practices, risks, or reports.
  • Schedule the board to consider on a regular basis, such as quarterly or biannually, any mission critical risk.

The court also criticized management’s failure to share critical food safety information with the board. This concern could be addressed by requiring direct board reports from personnel with operational responsibility for the mission critical risk, such as the food safety compliance officer of a food manufacturer. This measure would be consistent with DOJ compliance guidance and the United States Sentencing Guidelines, which both indicate the need for in-person reporting by operational compliance personnel with relevant knowledge.

Marchand suggests that three things about Blue Bell heightened the Caremark standard. First, Blue Bell manufactured a single product, and so its survival depended on whether “consumers enjoyed its products and were confident that its products were safe to eat.” Second, because Blue Bell had only one product line, violations of the applicable regulations for that product (i.e., food safety) posed a mission-critical risk for the company. Third, that mission-critical risk was governed by a complex regulatory scheme, making compliance, monitoring, and oversight complicated and time intensive. So, as subsequent Delaware decisions have explained, Marchand heightened the Caremark standard for corporations that match these three factors.

In sum, Marchand required greater board-level initiative for a mission critical risk at a monoline company, which reduces permissible board reliance on officers to fulfill their fiduciary duty to keep the board informed. Conversely, in a company with more business lines and risks, the board may reasonably rely on officers’ judgment and discretion to bring forward compliance matters. Otherwise, the duty of oversight might overwhelm or consume board members at such larger organizations. Further, Marchand heightens the board’s duty for an entire category of risk—the mission critical risk for a single-product company. A red flag is not needed to heighten the risk. Rather, the nature of the company’s business and the applicable legal regulations trigger the heightened duty. This makes sense if Marchand is read to address the initial Caremark duty, which looks at the board’s threshold responsibility to create compliance measures. Marchand identifies “mission critical risk of single-product company” as a matter requiring specific board action under this initial Caremark duty.

C. Post-Marchand Delaware Decisions

Since Marchand, the Delaware Chancery Courts have decided several cases where shareholders asserted a Caremark claim. The last Survey discussed two of those cases. This section reviews three cases that shed light on how lower courts are interpreting and applying the Delaware Supreme Court’s opinion. The first case shows a Chancery Court upholding a Caremark claim, and the next two show courts dismissing such claims.

In the case In re The Boeing Company Derivative Litigation, the Delaware Chancery Court found that the plaintiffs’ allegations closely paralleled those in Marchand. Shareholders of The Boeing Company sued the company’s directors for failure to oversee the risks associated with aircraft safety. Two 737 MAX passenger planes had crashed within a year, and the accidents led to multiple investigations and lawsuits concerning the aircraft’s safety. The shareholders alleged that the board had failed the heightened Caremark duty recognized in Marchand.

The Chancery Court ruled that the Boeing shareholders’ claim fit the Marchand mold. First, Boeing was a single-product company that produced airplanes. Second, airplane safety was a mission critical risk that, if it matured, could threaten the existence of the company. Third, that risk was subject to an extensive, complex federal regulatory regime. Together, these factors required Boeing’s board to establish its own processes and practices to ensure continuing oversight of the mission critical risk of airplane safety.

As in Marchand, the Boeing shareholders alleged that the board had failed to institute any system to ensure systemic, ongoing oversight of the company’s mission critical risk. The court concluded that the following allegations supported a Caremark claim:

  • “The Board had no committee charged with direct responsibility to monitor airplane safety.”
  • “The Board did not monitor, discuss, or address airplane safety on a regular basis.”
  • “The Board had no regular process or protocols requiring management to apprise the Board of airplane safety; instead, the Board only received ad hoc management reports that conveyed only favorable or strategic information.”
  • “Management saw red, or at least yellow, flags, but that information never reached the Board.”

These alleged deficiencies, standing alone, stated a claim for the board’s breach of its Caremark duty. In addition, the Court explained that the shareholders had alleged specific communications among board members that, if proven, showed their actual awareness of the deficiencies in board oversight. Based on these allegations, the court denied the board members’ motion to dismiss. Within the next several months, the Boeing directors settled the lawsuit for about $237 million, and so the case was not tested before the Delaware Supreme Court.

Two subsequent cases show that Marchand may be limited to the rather extreme case where directors have implemented no board level policies or practices concerning a mission critical risk. First, Construction Industry Laborers Pension Fund v. Bingle involved a derivative lawsuit by shareholders of a company that “was in the business of providing management software to its customers.” Cybercriminals hacked into the company’s systems and introduced malware that the company distributed to customers through software updates. Once the malware was in the customers’ computer systems, the hackers were able to “access[] and steal[] ‘extensive proprietary information, confidential emails, and intellectual property’” from the customers. The cyberattack resulted in multiple lawsuits and investigations against the company.

The company’s shareholders brought the derivative action against board members for a failure to oversee the mission-critical risk of cybersecurity. Before discussing the plaintiff’s claims in the case, Vice Chancellor Glasscock provided the following general commentary on the state of Caremark litigation in the Delaware courts:

Derivative claims against corporate directors for failure to oversee operations—so-called Caremark claims, once relative rarities—have in recent years bloomed like dandelions after a warm spring rain, largely following the Delaware Supreme Court's opinion in Marchand v. Barnhill. The cases, superficially at least, seem easy to conjure up: find a corporate trauma; allege the truism that the board of directors failed to avert that trauma; and hey, presto! an oversight liability claim is born. They remain, however, one of the most difficult claims to cause to clear a motion to dismiss. That is also easy to understand. Directors are not liable under our corporate law for the most likely cause of operational loss, simple negligence. Nor, given the ubiquity of exculpation clauses, are the directors even liable for gross negligence in violation of their duty of care. And, of course, most corporate trauma, to the extent it represents a breach of duty at the board level, implicates the exculpated duty of care. To plead potential liability sufficient to cause directors to be unable to consider a demand and thus justify a derivative claim under Rule 23.1, therefore, the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty. This in turn requires a pleading of scienter, demonstrating bad faith—in then-Chief Justice Strine's piquant formulation, a failure to fulfill the duty of care in good faith. In other words, an oversight claim is a flavor of breach of the duty of loyalty, which itself requires an action (or omission) that a director knows is contrary to the corporate weal. Historically, only utter failures by directors to impose a system for reporting risk, or failure to act in the face of “red flags” disclosed to them so vibrant that lack of action implicates bad faith, in connection with the corporation's violation of positive law, have led to viable claims under Caremark.

Even in the post-Marchand era, then, a Caremark claim must allege that directors acted in bad faith, meaning that they were aware of their failure to exercise oversight.

While the court accepted the shareholders’ characterization of cybersecurity as a mission-critical risk of the company, it found that the plaintiffs’ allegations did not support an inference of bad faith by the board members. The plaintiffs’ complaint acknowledged that the company had two committees charged with oversight of this mission-critical risk: the Audit Committee and the Nominating and Corporate Governance Committee. While conceding that the board had allocated oversight of the risk, the shareholders nonetheless argued that the board had breached its duty because neither committee ever reported to the full board about cybersecurity. The court held that these allegations were different from Marchand and Boeing where the companies had no practice or protocol for board-level oversight. While the software company’s board committees may have been lax or careless in their oversight, such dereliction of duty was not an “utter failure” of board-level monitoring that would breach the board’s Caremark duty. Thus, the court dismissed the plaintiffs’ claim.

Second, City of Detroit Police & Fire Retirement System on Behalf of NiSource, Inc. v. Hamrock involved a Caremark claim against the directors of a natural gas company. A local subsidiary was engaged in work on a natural gas pipeline when an error caused an explosion that killed one person, injured twenty-two others, and caused significant property damage. A shareholder filed Caremark claims against the directors, claiming that they had failed to adequately oversee the mission-critical risk of pipeline safety.

The court accepted the plaintiff’s argument “that pipeline safety is to a pipeline operating company what airplane and food safety are to airplane and food companies—mission critical.” Further, as in Marchand and Boeing, that mission-critical risk was subject to a comprehensive body of regulations. As in Bingle, however, the court found that the shareholders’ own allegations negated their claim. Specifically, their complaint “demonstrate[d] that the … board of directors did establish a system for monitoring and reporting on pipeline safety issues [that] included a committee tasked with overseeing safety issues, which did, in fact, monitor and report on pipeline safety compliance.” Further, plaintiff’s allegations established that the board committee “monitored and actively discussed the specific regulatory risks at issue.” Thus, unlike Marchand and Boeing, the plaintiff’s complaint revealed that the company’s board had put in place a board-level mechanism to oversee the mission-critical risk, and that the board was actually engaged in oversight. While that oversight might have been flawed, Caremark does not require perfection from directors.