Cybersecurity In The Boardroom: 'Caremark' Liability For Boards' Failure To Oversee Cybersecurity

Published date: 21 March 2023
Subject matter: Corporate/Commercial Law, Privacy, Technology, Directors and Officers, Privacy Protection, Security
Law firm: Kramer Levin Naftalis & Frankel LLP
Authors: Mr Christopher Auguste, John Bessonette, Alan Friedman, Shari Kahn Krouner, Todd E. Lenson, Jordan M. Rosenbaum, Steven Sparling, Randy Kreider, Austin Manes and Martin McSherry

In an era of increasing cyberattacks by varying threat actors, the board's oversight of cybersecurity risks remains a key responsibility. In two recent cases, the Delaware Court of Chancery (Chancery Court) dismissed Caremark claims against directors following major cybersecurity incidents, concluding that the plaintiffs had failed to plead specific facts from which bad faith liability on the part of the directors could plausibly be inferred. However, the growing threat of such incidents and the enactment of new expansive privacy laws together underscore the need for boards to exercise appropriate care in overseeing such risks. Boards should ensure that they are receiving necessary information from management or outside experts to exercise such oversight and should appropriately document their consideration of these risks.

When do boards face 'Caremark' liability?

Caremark claims are typically derivative claims asserted by shareholders alleging that the board breached its duty of loyalty by failing to oversee key operations. To be viable, such claims must adequately allege that the board failed to impose systems for reporting risks or failed to act in the face of red flags disclosed to it. The Supreme Court of Delaware summarized it this way: "In short, to satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it."1

In non-cybersecurity-related matters, Delaware courts have signaled an increased willingness to let claims that seek to hold directors liable for failing to exercise oversight over "mission critical" company risks go forward, at least at the pleading stage.2

In 2019, the Delaware Supreme Court held in Marchand v. Barnhill that the board was plausibly liable under Caremark for its alleged lack of oversight efforts when the company's consumers were exposed to listeria-contaminated ice cream.3 And in 2021, the Chancery Court allowed a Caremark claim to proceed against the Boeing board following the crashes of two of its airplanes.4 Plaintiffs in both Marchand and Boeing adequately alleged that the respective boards had failed to establish a reporting system and had ignored red flags regarding an "essential and mission critical" aspect of the company's business: food safety in Marchand and airplane safety in Boeing.5

These cases highlight that boards should take an active role in implementing and monitoring reasonable information and reporting systems regarding mission-critical matters, rather than leave such...
