SEE ATTACHEMENT

profileKITOSH_CLIENT
attachment_2.pdf

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 1 All rights reserved

Mission Critical: Caremark, Blue Bell, and Director Responsibility for Cybersecurity Governance

[Pre-Publication Draft]

H. Justin Pace* Lawrence J. Trautman**

* BSBA, Western Carolina University; M.Acc, North Carolina State

University; J.D., Northwestern University Pritzker School of Law. Mr. Pace is Assistant Professor of Business Law at Western Carolina University. He may be contacted at [email protected].

** BA, The American University; MBA, The George Washington

University; J.D., Oklahoma City University School of Law. Mr. Trautman is Associate Professor of Business Law and Ethics at Prairie View A&M University. He may be contacted at [email protected].

ABSTRACT

If the potential for Caremark liability hangs like the sword of Damocles over

corporate directors of Delaware corporations, then that sword has been considerably more secure than that of the original myth. For decades, Chancellor Allen’s description of a Caremark claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment” held true. Caremark claims that survived a motion to dismiss were for decades few and far between. That changed in 2019. In the space of little over a year, Delaware courts have allowed five Caremark claims to survive in the corporation context and one claim to survive in the limited partnership context. The thread holding that sword is beginning to look more like the single horse hair of myth. The scope and likelihood of Caremark liability are matters of considerable interest and concern for directors. Under most circumstances, a board simply doing its job poorly is relevant only to the directors’ duty of care and protected by the business judgment rule, exculpatory provisions under Section 102(b)(7), and advancement and indemnification. Failure to monitor under Caremark, however, is a breach of the duty of loyalty. A breach of the duty of loyalty is not protected by the business judgment rule. It cannot be exculpated. And it cannot be covered by indemnification. 2019 marked an abrupt shift in Caremark in application, if not in theory. In June of that year the Supreme Court of Delaware (“Delaware Supreme Court”) reversed a decision by the Delaware Court of Chancery (“Chancery Court”) dismissing a claim against the directors of Blue Bell Creameries, Inc. (“Blue Bell”) under Caremark. Within a little over a year, the Chancery Court would sustain Caremark claims in four cases. In Clovis, the Chancery Court sustained a Caremark claim against directors of a pharmaceutical company who allowed the company to misrepresent the clinical trial success of one of its three drugs. In Hughes, the Chancery Court sustained a Caremark claim against directors of a Chinese company incorporated in Delaware that suffered from severe and pervasive accounting issues. In Teamsters Local, the Chancery Court sustained a Caremark claim against directors of a large pharmaceutical company who

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 2 All rights reserved

allowed an indirect subsidiary to essentially operate a criminal enterprise. And in Boeing, the Chancery Court sustained a Caremark claim against directors of an airplane manufacturer who did not pay attention to safety issues. Cybersecurity has become just such a mission critical risk for large corporations. This Article makes four key arguments. Black letter Caremark doctrine has not changed, but it is newly reinvigorated and the risks of Caremark liability for directors is greater than just a few years ago. Future Caremark liability will be centered on failure to provide board-level oversight of mission critical risks. Cybersecurity is mission critical to effectively all large companies today. The risk of Caremark liability can be mitigated by taking a few simple steps to ensure that the board is addressing cybersecurity. This Article is the first to make these arguments together and the first to make the final argument.

Keywords: AmerisourceBergen, audit committee, Blue Bell, boards of directors, Boeing 747 Max, Caremark, Clovis Oncology, corporate governance, cybersecurity, FAA, FDA, Marchand, oversight liability, ransomware, regulation, risk, SEC, Stone v. Ritter, Marriott, data breach JEL Classifications: Word count (including footnotes) = 25,387

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 3 All rights reserved

CONTENTS

OVERVIEW .................................................................................................................................... 4

I. CYBER RISK AND ATTACKS INCREASE .................................................................. 14

Recent Assessment ........................................................................................................... 14

II. THE EVOLUTION OF THE CAREMARK DOCTRINE ................................................. 15

a. The Caremark Doctrine is Born ................................................................................. 20

b. “[T]he most difficult theory in corporation law upon which a plaintiff might hope

to win a judgment” ........................................................................................................... 23

c. Caremark Newly Invigorated in Wake of Marchand (Blue Bell) .............................. 31

d. Four Subsequent Cases Show Marchard was No Fluke ........................................ 36

i. In re Clovis Oncology, Inc. ........................................................................................ 36

ii. Hughes v. Hu ......................................................................................................... 39

iii. Teamsters Local v. Chou (AmerisourceBergen) ................................................... 44

iv. In re The Boeing Company Derivative Litigation ................................................. 48

e. Reassessing Caremark Doctrine After Marchand et al. ............................................. 52

III. TECHNOLOGICAL CHALLENGES TO CORPORATE GOVERNANCE .................. 60

IV. GOOD FAITH CYBERSECURITY ................................................................................ 61

i. The Role of Positive Law in Caremark Claims ......................................................... 70

ii. Existing Cybersecurity Regulatory Framework .................................................... 72

V. CONCLUSION ................................................................................................................ 76

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 4 All rights reserved

Mission Critical: Caremark, Blue Bell, and Director Responsibility for Cybersecurity Governance

OVERVIEW

If the potential for Caremark liability hangs like the sword of Damocles over

corporate directors of Delaware corporations, then that sword has been considerably more

secure than that of the original myth. For decades, Chancellor Allen’s description of a

Caremark claim as “possibly the most difficult theory in corporation law upon which a

plaintiff might hope to win a judgment”1 held true. Caremark claims that survived a

motion to dismiss were for decades few and far between.2 That changed in 2019. In the

space of little over a year, Delaware courts have allowed five Caremark claims to survive

in the corporation context3 and one claim to survive in the limited partnership context.4

The thread holding that sword is beginning to look more like the single horse hair of

myth.

Under what has come to be known as a Caremark claim, directors can be held

liable for breach their fiduciary duties to the corporation for failing to provide adequate

oversight. Caremark claims typically arise where corporate employees caused the

corporation to engage in some unlawful conduct, and plaintiffs allege the unlawful

conduct would not have taken place had directors acted properly. There are two types of

1 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 967 (Del. Ch. 1996). 2 In re China Agritech, Inc. S’holder Deriv. Litig., No. 7163-VCL, 2013 WL 2181514 (Del. Ch. May 21, 2013); Rich ex rel. Fuqi Int’l v. Yu Kwai Chong, 66 A.3d 963 (Del. Ch. 2013); In re Am. Int’l Group Inc., 965 A.2d 763 (Del. Ch. 2009); Saito v. McCall, No. 17132-NC, 2004 WL 3029876 (Del. Ch. Dec. 20, 2004), overruled on other grounds by Lambrecht v. O’Neal, 3 A.3d 277 (Del. 2010). 3 Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), reversing Marchand v. Barnhill, No. 2017- 0586-JRS, 2018 WL 4657159, 2018 Del. Ch. LEXIS 316 (Del. Ch. Sept. 27, 2018); In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ (Del. Ch. Sept. 7, 2021); Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065 (Del. Ch. Aug. 24, 2020); Hughes v. Hu, No. 2019-0112- JTL, 2020 WL 1987029 (April 27, 2020); In re Clovis Oncology, Inc. Deriv. Litig., No. 2017- 0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 19, 2019). 4 Inter-Marketing Group USA, Inc. v. Armstrong, No. 2017-0030-TMR, 2020 WL 756965 (Del. Ch. Jan. 31, 2020).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 5 All rights reserved

Caremark claims: failure to implement (“Type I”) claims and failure to monitor

(“Type II”) claims. Under a Type I claim, the plaintiff alleges that “the directors utterly

failed to implement any reporting or information system or controls.”5 Under a Type II

claim, the plaintiff alleges that although the board implemented controls it “consciously

failed to monitor or oversee its operations thus disabling themselves from being informed

of risks or problems requiring their attention.”6 Conscious disregard is necessary7;

Caremark is a high bar.

The scope and likelihood of Caremark liability are matters of considerable

interest and concern for directors. Under most circumstances, a board simply doing its

job poorly is relevant only to the directors’ duty of care and protected by the business

judgment rule, exculpatory provisions under Section 102(b)(7),8 and advancement and

indemnification. Failure to monitor under Caremark, however, is a breach of the duty of

loyalty.9 A breach of the duty of loyalty is not protected by the business judgment rule.

It cannot be exculpated.10 And it cannot be covered by indemnification.11

5 Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). 6 Id. 7 See In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 62 (Del. 2006) (“[T]he concept of intentional dereliction of duty, a conscious disregard for one’s responsibilities, is an appropriate (although not the only) standard for determining whether fiduciaries have acted in good faith.”). 8 DEL. CODE ANN. tit. 8, § 102(b)(7) (2016). 9 Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003). 10 See DEL. CODE ANN. tit. 8, § 102(b)(7)(ii) (2016) (“[T]he certificate of incorporation may also contain . . . [a] provision eliminating or limiting the personal liability of a director to the corporation . . . for monetary damages for breach of fiduciary duty as a director, provided that such provision shall not eliminate or limit the liability of a director: . . . (ii) for acts or omissions not in good faith.”). 11 Hermelin v. K-V Pharm. Co., 54 A.3d 1093, 1111 (Del. Ch. 2012) (“Sections 145(a) and (b) of the DGCL permit a corporation to indemnify [a director] so long as ‘the person acted in good faith and in a manner the person reasonably believed to be in or not opposed to the best interests of the corporation, and, with respect to any criminal action or proceeding, had no reasonable cause to believe the person’s conduct was unlawful.’”) (citing DEL. CODE ANN. tit. 8, § 145(a), (b) (2016)).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 6 All rights reserved

2019 marked an abrupt shift in Caremark in application, if not in theory. In June

of that year the Supreme Court of Delaware (“Delaware Supreme Court”) reversed a

decision by the Delaware Court of Chancery (“Chancery Court”) dismissing a claim

against the directors of Blue Bell Creameries, Inc. (“Blue Bell”) under Caremark.12 Blue

Bell is a manufacturer and seller of ice cream, and the plaintiffs’ Caremark claim alleged

the board failed to implement food safety controls.13 Poor food safety practices led to a

listeria outbreak tied to Blue Bell ice cream that claimed three lives.14 Notably, the

Delaware Supreme Court emphasized that Blue Bell Creameries is a single product

company and thus food safety is existential.15

The Chancery Court took the Delaware Supreme Court’s hint. Within a little over

a year, the Chancery Court would sustain Caremark claims in four cases.16 In Clovis, the

Chancery Court sustained a Caremark claim against directors of a pharmaceutical

company who allowed the company to misrepresent the clinical trial success of one of its

three drugs.17 In Hughes, the Chancery Court sustained a Caremark claim against

directors of a Chinese company incorporated in Delaware that suffered from severe and

pervasive accounting issues.18 In Teamsters Local, the Chancery Court sustained a

Caremark claim against directors of a large pharmaceutical company who allowed an

12 Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), reversing Marchand v. Barnhill, No. 2017- 0586-JRS, 2018 WL 4657159, 2018 Del. Ch. LEXIS 316 (Del. Ch. Sept. 27, 2018). 13 Id. at 807. 14 Id. at 814. 15 See, e.g., Marchand, 212 A.3d at 809 (“As a monoline company that makes a single product— ice cream—Blue Bell can only thrive if its consumers enjoyed its products and were confident that its products were safe to eat.”). 16 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ (Del. Ch. Sept. 7, 2021). Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065 (Del. Ch. Aug. 24, 2020); Hughes v. Hu, No. 2019-0112-JTL, 2019 WL 1987029 (Del. Ch. Apr. 27, 2020); In re Clovis Oncology, Inc., No. 2017-0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 1, 2019). 17 Clovis, 2019 WL 4850188. 18 See Lawrence J. Trautman, American Entrepreneur in China: Potholes on the Silk Road to Prosperity, 12 WAKE FOREST J. BUS. & INT’L PROP. L. 427 (2012) (discussing doing business in China), http://www.ssrn.com/abstract=1995076.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 7 All rights reserved

indirect subsidiary to essentially operate a criminal enterprise.19 And in Boeing, the

Chancery Court sustained a Caremark claim against directors of an airplane manufacturer

who did not pay attention to safety issues.20

There are three plausible interpretations of Marchand and the four Chancery

Court cases that followed in its wake. The first is that the newly reinvigorated Caremark

doctrine is only dangerous for monoline companies. The second is that it is only

dangerous for companies in highly regulated industries (and perhaps only companies

regulated by the Food and Drug Administration (“FDA”)). But the third and most

plausible interpretation is that the newly reinvigorated Caremark doctrine will be limited

to “mission critical” operations.

Cybersecurity21 has become just such a mission critical risk for large

corporations.22 Cybersecurity incidents appear in the news at an alarming and increasing

rate. In 2016, Yahoo announced data breaches affecting a combined 1.5 billion user

accounts.23 Yahoo settled a derivative lawsuit for $29 million,24 and paid out almost

19 Teamsters Local, 2020 WL 5028065. 20 Boeing, No. 2019-0907-MTZ. 21 See JEFF KOSSEFF, CYBERSECURITY LAW xxiv–xxv (2020) (“Cybersecurity encompasses [data security, anti-hacking, data privacy] and more.”). See also Lawrence J. Trautman, Congressional Cybersecurity Oversight: Who’s Who and How It Works, 5 J.L. & CYBER WARFARE 1, 5 (2015) (“The terms cybersecurity and cyberattack have become broadly used without widespread acceptance as to their exact meaning.”). 22 See Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *2 (Del. Ch. Oct. 5, 2021) (“Cybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors.”). 23 Lawrence J. Trautman & Peter C. Ormerod, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach, 66 AM. UNIV. L. REV. 1231, 1262 (2017) (citing Hayley Tsukayama, Craig Timberg & Brian Fung, Yahoo Data Breach Casts “Cloud” over Verizon Deal, WASH. POST: THE SWITCH (Sept. 22, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/09/22/report-yahoo-to-confirm-data- breach-affecting-hundreds-of-millions-of-accounts); Vindu Goel & Nicole Perlroth, Yahoo Says 1 Billion User Accounts Were Hacked, N.Y. TIMES (Dec. 14, 2016), http://www.nytimes.com/2016/12/14/technology/ yahoo-hack.html)). Presumably many of those accounts were compromised twice. 24 Craig A. Newman, Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement, NEW YORK TIMES: DEALBOOK (Jan. 23, 2019),

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 8 All rights reserved

$145 million combined for various claims.25 The $29 million settlement is notable in part

because $11 million of that $29 million was for the plaintiff’s attorneys’ fees.26 The

proven potential to recover attorneys’ fees gives entrepreneurial plaintiffs’ attorneys an

incentive to pursue claims for failure to monitor after high-profile data breaches are

announced.27 Equifax agreed to pay $149 million to settle securities litigation after a

cyberbreach—“the largest ever cybersecurity-related securities class action settlement.”28

Nor have cyberattacks slowed. 2020 saw “the Pearl Harbor of American IT,”

when the SolarWinds hack infiltrated over 18,000 government and private networks. 29

Oil and gas company Colonial Pipeline was forced to both shut down pipeline operations

and information technology systems for several days and pay a $4.4 ransom after a

ransomware attack in the first half of 2021.30 Colonial Pipeline supplies almost half the

gasoline and diesel for the East Coast of the United States, and even a short shutdown

https://www.nytimes.com/2019/01/23/business/dealbook/yahoo-cyber-security-settlement.html; Kevin LaCroix, Yahoo Data Breach-Related Derivative Suit Settled for $29 Million, THE D&O DIARY (Jan. 21, 2019), https://www.dandodiary.com/2019/01/articles/cyber-liability/yahoo-data- breach-related-derivative-suit-settled-29-million/. 25 See LaCroix, supra note 24. 26 See Newman, supra note 24; LaCroix, supra note 24. 27 See LaCroix, supra note 24. (“While the outcome of the pending cases remains to be seen, the fact is that the significant recovery in the Yahoo data breach derivative suit could well encourage other claimants to file similar lawsuits in the future.”). 28 Kevin LaCroix, Equifax Data Breach-Related Securities Suit Settled for $149 Million, THE D&O DIARY (Feb. 17, 2020), https://www.dandodiary.com/2020/02/articles/securities- litigation/equifax-data-breach-related-securities-suit-settled-for-149-million/. 29 Steven J. Vaughan-Nichols, SolarWinds: The more we learn, the worse it looks, ZDNET (Jan. 4, 2021, 8:35pm GMT), https://www.zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it- looks/. See also Tabrez Y. Ebrahim, National Cybersecurity Innovation, 123 W. VA. L. REV. 483, 485 (2020) (“Following Stuxnet, in 2012, U.S. Secretary of Defense Leon Panetta warned that the U.S. was vulnerable to a ‘cyber Pearl Harbor.’”) (citing SEAN T. LAWSON, CYBERSECURITY DISCOURSE IN THE UNITED STATES 1918, 1953 (Taylor & Francis ed. 2019); Lawrence J. Trautman, Cybersecurity: What About U.S. Policy?, 2015 U. ILL. J.L. TECH. & POL’Y 341, 347); Lawrence J. Trautman, Is Cyberattack The Next Pearl Harbor?, 18 N.C. J. L. & TECH. 232 (2016), http://ssrn.com/abstract=2711059. 30 Charlie Osborne, Colonial Pipeline CEO: Paying DarkSide ransom was the ‘right thing to do for the country’, ZDNET (May 20, 2021, 11:04am GMT), https://www.zdnet.com/article/colonial- pipeline-ceo-paying-darkside-ransom-was-the-right-thing-to-do-for-the-country/. See also Lawrence J. Trautman & Peter C. Ormerod, WannaCry, Ransomware, and the Emerging Threat to Corporations, 86 TENN. L. REV. 503 (2019), http://ssrn.com/abstract=3238293.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 9 All rights reserved

had a ripple effect that disrupted fuel prices and availability in the eastern U.S. for weeks.

Colonial Pipeline faces two class action lawsuits31 and lawsuits by individual gas

stations.32 IT firm Kaseya suffered a cyberattack on its remote-monitoring and

management tool that compromised an estimated “800 to 1500 small to medium-sized

companies” in mid-2021.33 It took nine days for Kaseya to start getting customers back

live.34 It took another ten days for Kaseya to obtain a decryptor that would allow affected

customers to restore their data.35 “A Russia-linked criminal gang” had demanded $70

million from Kaseya (in Bitcoin) for a decryptor.36 After the fact, several employees

claimed they “flagged wide-ranging cybersecurity concerns to company leaders” but that

the issues were not resolved.37 Companies that house sensitive data of many other

companies pose a particular risk.38

Vulnerability intelligence expert Brian Martin observes that, “Every company in

the world that uses technology relies on both hardware and software from sources out of

their control… [that] likely come from Malaysia, Indonesia, and Tiawan while software

31 Compl., EZ Mart 1, LLC v. Colonial Pipeline Company, No. 1:21-cv-02522 (N.D. Ga.); Compl., Dickerson v. CDCP Colonial Partners, L.P., No. 1:21-cv-02098 (N.D. Ga.). 32 North Carolina gas station owner sues Colonial Pipeline for losses after ransomware attack, WTVD-TV RALEIGH-DURHAM (June 22, 2021). 33 Charlie Osborne, Updated Kaseya ransomware attack FAQ: What we known now, ZDNET (July 23, 2021, 12:33am GMT), https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq- what-we-know-now/. 34 Updates Regarding VSA Security Incident, KASEYA, https://www.kaseya.com/potential-attack- on-kaseya-vsa/ (last accessed July 28, 2021). 35 Id. 36 Ryan Gallagher & Andrew Martin, Kaseya Failed to Address Security Before Hack, Ex- Employees Say, BLOOMBERG (July 10, 2021, 8:00am EDT), https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before- hack-ex-employees-say. 37 Id. 38 See, e.g., Brian Fung, Ransomware hits law firm with dozens of major corporate clients, CNN BUSINESS (July 19, 2021 4:40PM ET), https://www.cnn.com/2021/07/19/tech/ransomware-law- firm/index.html?utm_term=16267764344867088f5897ac3&utm_source=cnn_Five+Things+for+T uesday%2C+July+20%2C+2021&utm_medium=email&bt_ee=87pnOg07kCpuSa8zL8dDYvWpc Ln2XKWrAsOeu9J1PcWBdQsSJhRLgpSE2w5MgaRh&bt_ts=1626776434488 (reporting on a ransomware attack on a law firm serving “a large array of Fortune 500 companies” in “over a dozen sectors of the economy”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 10 All rights reserved

comes from all over the world.”39 Whether these components and software can be trusted,

is an irrelevant question, since there is no practical alternative.40 Mr. Martin states, “With

more software using some form of automatic updates, the compromise of the parent

company [like in Solarwinds] may pose a risk… However, the alternative is not enabling

automatic updates and creating a process to verify those patches before they are

deployed.”41

Corporate boards are responsible for cybersecurity.42 Directors have a duty to

ensure the corporation takes reasonable measures to protect corporate data.43 This duty

has legal teeth to it, including by federal and state statute.44 Personal liability for

breaches of the duty of care, however, are of limited concern for directors because they

are protected by the business judgment rule, corporate indemnification, and Section

102(b)(7) exculpatory provisions. The newly increased risk of Caremark liability

drastically changes the landscape for potential liability because failure to property

monitor cybersecurity can violate the duty of loyalty.

The boards of U.S. publicly traded companies are not rising to the task—only six

percent have a compliance committee.45 A large majority of C-suite IT executives grade

39 Brian Martin, Viewpoint, 2021 Mid Year Report: Vulnerability QuickView, RiskBased Security 4 (2021). 40 Id. at 5. 41 Id. 42 See Lawrence J. Trautman & Kara Altenbaumer-Price, The Board’s Responsibility for Information Technology Governance, 3 JOHN MARSHALL J. OF COMPUTER & INFO. L. 313, 328 (2011) (“Simply put, IT governance and the effective application of an IT governance framework are the responsibilities of the board of directors and executive management.”). 43 Trautman & Ormerod, supra note 23 (relying on THOMAS J. SMEDINGHOFF, INFORMATION SECURITY LAW: THE EMERGING STANDARD FOR CORPORATE COMPLIANCE 29 (2008)). 44 Id. at 1235–38 (discussing statutory obligations to protect corporate data). 45 John Armour, et al., Board Compliance, 104 MINN. L. REV. 1191, 1225 (2020) [hereinafter, Armour, Board Compliance]. But see Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025, GARTNER (Jan. 28, 2021), https://www.gartner.com/en/newsroom/press-releases/2021-01-28-gartner-predicts-40--of-boards- will-have-a-dedicated-.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 11 All rights reserved

their board’s performance on cybersecurity as fair or poor.46 Boards also suffer from a

lack of cybersecurity subject matter expertise relative to other areas.47 Which is not to

say that cybersecurity is not recognized as mission critical. Over two-thirds of surveyed

directors recognized cybersecurity as “a strategic, enterprise risk.”48 A prominent

commentator in the directors’ and officers’ (“D&O”) liability insurance space identified

cybersecurity as one of the top ten D&O stories of 2020 (he also flagged the increased

risk of Caremark liability).49 The COVID-19 pandemic led to many more employees

working remotely and business being conducted virtually, which creates issues

demanding board-level attention.50

Fiduciary duties require corporate directors act in the best interest of the

corporation, not society as a whole. Fiduciary obligation law would be a “blunt . . . tool

to encourage good corporate citizenship.”51 It is poorly suited for advancing social goals

with the corporation’s interest and the common interest are not aligned. A reinvigorated

46 Teresa L. Johnson & Ben Fackler, 2020 in Hindsight: Key Considerations for Directors in 2021, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (April 7, 2021), https://corpgov.law.harvard.edu/2021/04/07/2020-in-hindsight-key-considerations-for-directors- in-2021/. 47 Id. (“[W]hen executives were asked to grade their Board’s subject matter expertise, IT/digital/data privacy and cyber risk expertise were at the bottom.”). 48 NACD, 2020-2021 NACD Trends and Priorities of the American Boardroom, NACD, 15 (Feb. 24, 2021). See also Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *7 (Del. Ch. Oct. 5, 2021) (“Cybersecurity was viewed by the Board as the second biggest risk facing Marriott for fiscal year 2017.”). 49 Kevin LaCroix, The Top Ten D&O Stories of 2020, THE D&O DIARY (Jan. 4, 2021), https://www.dandodiary.com/2021/01/articles/director-and-officer-liability/the-top-ten-do-stories- of-2020/. 50 See Jane Goldstein, et al., Director Oversight Duties Amidst COVID-19, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (May 8, 2020), https://corpgov.law.harvard.edu/2020/05/08/director-oversight-duties-amidst-covid-19/ (“As more employees work remotely and by necessity business is conducted virtually, the board and management should consider whether the company’s IT systems have enough capacity to support the growing virtual environment. Should management hire consultants to consider alternative communication platforms? In addition, are proper cybersecurity protection measures, policies, and contingency plans in place? Do the employees working remotely have proper cybersecurity training and are they aware of the company’s internal communication protocols and policies? Do those protocols and policies need to be updated?”). 51 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *1 (Aug. 24, 2020).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 12 All rights reserved

Caremark doctrine applied to cybersecurity is not necessarily in the best interests of

either the corporation or society. But an invigorated Caremark doctrine will incentivize

directors to provide oversight for mission critical operations, and cybersecurity has

become mission critical for every large company. And cybersecurity is strategically

important,52 so the impact on the fundamental board trade-off between strategy and

oversight will be mitigated. Cybersecurity is also of increasing public interest; better

incentives for corporations to invest in cybersecurity will inure to society’s benefit. Good

faith is especially prosocial relative to other aspects of director fiduciary duty. While the

general norm is shareholder wealth maximization, the board is now allowed to manage

the corporation “in an illegal fashion,” even if the directors believe “that the illegal

activity will result in profits.”53 Cyber incidents have not traditionally resulted in liability

for directors on the basis they failed to provide proper oversight54; that may soon change.

This Article makes four key arguments. Black letter Caremark doctrine has not

changed, but it is newly reinvigorated and the risks of Caremark liability for directors is

greater than just a few years ago. Future Caremark liability will be centered on failure to

52 See NACD, 2020-2021 NACD Trends and Priorities of the American Boardroom, NACD, 15 (Feb. 24, 2021) (reporting that over two-thirds of surveyed directors view cybersecurity as a “strategic, enterprise risk”). 53 Metro Commc’n Corp. BVI v. Advanced Mobilecomm Techs. Inc., 854 A.2d 121, 131 (Del. 2004). See also Elizabeth Pollman, Corporate Oversight and Disobedience, 72 VANDERBILT L. REV. 101, 115 (2019) (“The requirement of fidelity to the law aims to protect society’s interests, not those of the corporation.”) (citations omitted). 54 See, e.g., In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., No. 19-md-2879, 2021 WL 2401641 (D. Md. June 11, 2021) (declining to exercise supplement jurisdiction and dismissing without prejudice oversight claim under Delaware law tied to data breach); In re The Home Depot, Inc. S’holder Deriv. Litig., 223 F.Supp.3d 1317, 1325–27 (N.D. Ga. Nov. 30, 2016) (dismissing Caremark claim under Delaware law that alleged directors failed to appropriate respond to data breach); In re Target Corp. Deriv. Litig., No. 14-cv-203 (D. Minn. July 7, 2016) (dismissing oversight claim under Minnesota law); Palkon v. Holmes, No. 2:14-cv-01234, at *6 n.1 (D.N.J. Oct. 20, 2014) (dispensing with a Caremark claim under Delaware law in a footnote in litigation after Wyndham Worldwide Corporation data breach). See also Benjamin P. Edwards, Cybersecurity Oversight Liability, 35 GA. ST. U. L.R. 663, 671–76 (2019) (discussing the Wyndham, Target, Home Depot, and Yahoo data breach derivative lawsuits).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 13 All rights reserved

provide board-level oversight of mission critical risks. Cybersecurity is mission critical

to effectively all large companies today. The risk of Caremark liability can be mitigated

by taking a few simple steps to ensure that the board is addressing cybersecurity. This

Article is the first to make these arguments together and the first to make the final

argument.

Part I details the increase in cyber risk and attacks over the last several years. Part

II details the evolution of Caremark doctrine. Part II(a) looks at the Caremark decision

itself and the doctrine as originally laid out in that opinion. Part II(b) surveys a decades-

long stretch where Caremark was “possibly the most difficult theory in corporation law

upon which a plaintiff might hope to win a judgment”55 and discusses the evolution of

black letter Caremark doctrine into its current form in the Stone v. Ritter opinion.56 Part

II(c) analyzes the Delaware Supreme Court’s decision in Marchand v. Barnhill,57 which

overturned dismissal of a Chancery Court decision dismissing a Caremark claim58 and

newly reinvigorated Caremark doctrine. Part II(d) looks at four subsequent Chancery

Court opinions refusing to dismiss a Caremark claim. Part II(e) reassesses Caremark

doctrine after that line of cases. Part III looks at technological challenges to corporate

governance. Part IV looks at what board-level cybersecurity oversight that would pass

muster under Caremark’s good faith standard looks like after Marchand et al. Part V

considers the challenges the uncertainty of the future, particularly when it comes to

cybersecurity, creates for both board and the law. Part VI concludes.

55 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 967 (Del. Ch. 1996). 56 911 A.2d 362 (Del. 2006). 57 212 A.3d 805 (Del. 2019). 58 Marchand v. Barnhill, No. 2017-0586-JRS, 2018 WL 4657159 (Sept. 27, 2018).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 14 All rights reserved

I. CYBER RISK AND ATTACKS INCREASE

Reports of cyber attack and ransomware demands has now become almost a daily

occurrence.59 Many excellent accounts of the increased threat are available, and, given

the space constraints for any one law review article, we will not replicate them here. 60

Recent Assessment

Although Covid-19 during early 2020 may have caused a brief disruption in the

“vulnerability landscape, where the number of reported vulnerabilities fell dramatically,”

by year end 2020, “the average number of vulnerabilities… reached almost 70 per day,

with a high of 384 in a single day.”61 In addition, “patches from Microsoft, Oracle, and

other major vendors were released on the same day, account[ing] for around 7% of all

disclosed vulnerabilities in 2020.”62 Exhibit 1 discloses vulnerabilities for the period

2013 to 2020.

Exhibit 1 Vulnerabilities for the Period 2013 to 2020.63

59 David Uberti, Cyberattackers Hit Grain Co-op, Demand $5.9 Million, WALL ST. J., Sept. 21, 2021. See also 60 See RiskBased Security, 2020 Year End Report 3 (2021). 61 Id. 62 Id. 63 2020 Year End Report: Vulnerability QuickView, Vulnerability Trends in 2020, RiskBased Security 7 (2021).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 15 All rights reserved

During the first six months of 2021, “Risk Based Security’s VulnDB team

aggregated an average of 80 new vulnerabilities per day… also updated an average of

200 existing vulnerability entries per day as new solution information, references, and

additional metadata became available.”64 We learn that “1,425 vulnerabilities disclosed in

the first half of 2021 are remotely exploitable vulnerabilities that have a public exploit

and have a mitigating solution… In addition, Risk Based Security has found an additional

849 vulnerabilities that are remotely exploitable but do not have a mitigating solution.”65

Resurfacing with Kaseya, the SolarWinds compromise focuses attention on the

vulnerability of industry to supply chain attacks.66 Exhibit 2 discloses the number of

vulnerabilities reported by Q2 for the period 2017 to 2021.

Exhibit 2 Vulnerabilities reported by Q2 for the period 2017 to 202167

II. THE EVOLUTION OF THE CAREMARK DOCTRINE

Directors of a corporation owe fiduciary duties to that corporation. Those duties

are owed to the corporation itself, not to its shareholders, but shareholders can often bring

64 RiskBased Security, 2021 Mid Year Report: Vulnerability QuickView 2 (2021). 65 Id. 66 Id. 67 2021 Mid Year Report: Vulnerability QuickView, Vulnerability Trends in 2021, RiskBased Security 7 (2021).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 16 All rights reserved

a suit for breach of duty on behalf of the corporation via a derivative suit.68 The fiduciary

duties owed by directors have traditionally been grouped into a duty of care and a duty of

loyalty.69 Due to the protection afforded by the business judgment rule and Section

102(b)(7), it is only duty of loyalty that creates any serious risk of liability for directors.70

Over time, the duty of loyalty doctrine has grown, both as new duties and types of

breaches are added71 and as duties previously thought to reside under the duty of care

have been shifted to the duty of loyalty, as was the case with Caremark doctrine.72

Caremark doctrine, then, is only one piece of what has become quite extensive

caselaw governing directors’ duties. It has not traditionally been a particularly prominent

corner of Delaware corporation law due to the difficulty of bringing a successful

Caremark claim. But Delaware corporation law continues to evolve, and changes to the

Caremark doctrine in Stone v. Ritter set the stage for it to be newly reinvigorated in

Marchand v. Barnhill. With the Delaware Supreme Court’s opinion in Marchand and

68 See Roy Shapira, A New Caremark Era: Causes and Consequences, forthcoming WASH. U. L. REV. at *6 n.14 (“To bring a derivative claim, the plaintiff first has to make a demand on the company’s board to pursue that claim. To survive the demand-requirement stage, plaintiffs practically need to convince the court that demand is futile because the company’s board cannot be trusted to make the right decision, for example, because directors themselves face a significant threat of personal liability.”) (citing Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984); Rales v. Blasband, 634 A.2d 927, 930 (Del. 1993)). 69 Claire A. Hill & Brett H. McDonnell, Stone v. Ritter and the Expanding Duty of Loyalty, 76 FORDHAM L. REV. 1769, 1771 (2007); Lisa Fairfax, Managing Expectations: Does the Director’s Duty to Monitor Promise More than It Can Deliver, 10 U. ST. THOMAS L.J. 416, 419 (2012) (citing Julian Velasco, How Many Fiduciary Duties Are there in Corporate Law?, 83 S. CAL. L. REV. 1231, 1232–32 (2010)). 70 H. Justin Pace, Rogue Corporations: Unlawful Corporate Conduct and Fiduciary Duty, 85 MO. L. REV. 1, 6, 8–9 (2020). 71 See Hill & McDonnell, supra note 69 at 1780–81 (grouping duty of loyalty cases into four categories: “as traditionally conceived” (classic conflict of interest cases), “structural bias” (where the court is concerned about “excessive deference”), “suspect motives” (including doctrines specific to the takeover context), and “conduct including illegality”). 72 See, e.g., Stephen M Bainbridge, Caremark and Enterprise Risk Management, 34 J. CORP. L. 967, 975 (2009) [hereinafter, Bainbridge, ERM] (“In Guttman, however, Vice Chancellor Strine ripped the Caremark claim from its original home in the duty of care and reinvented it as a duty of loyalty.”); Hill & McDonnell, supra note 69 at 1769 (“The court also threw in a bit of a shocker in Stone, characterizing In re Caremark International Inc. Derivative Litigation, until then a paradigmatic duty of care case, as a duty of loyalty case.”) (citations omitted).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 17 All rights reserved

four opinions out of the Chancery Court allowing Caremark claims to survive, we now

have enough information to assess where Caremark doctrine stands today.

Caremark opinions traditionally come at the motion to dismiss stage of

litigation.73 But the usual procedural posture of Caremark claims creates some important

distinctions from, say, your standard issue commercial litigation in federal court. The

distinction is driven by two idiosyncrasies of Delaware corporation law litigation: the

demand requirement and Section 220 books and records requests. Because Caremark

claims are traditionally brought as derivative lawsuits, the dissident shareholder must

either make a demand on the board or plead demand excusal.74 Practically speaking,

73 See, e.g., Pettry v. Smith, No. 2019-0795-JRS, at *3 (Del. Ch. June 28, 2021) (deciding the case on demand excusal and thus not reaching arguments under Rule 12(b)(6)); Richardson v. Clark, No. 2019-1015-SG, 2020 WL 7861335, at *2 (Del. Ch. Dec. 31, 2020) (dismissing the case for failure to sufficiently plead demand excusal); Teamster Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *2 (Del. Ch. Aug. 24, 2020) (“The Defendants have moved to dismiss under Rules 23.1 and 12(b)(6).”); In re GoPro, Inc. S’holder Deriv. Litig., No. 2018-0784-JRS, 2020 WL 2036602, at *2 (Del. Ch. Apr. 28, 2020) (dismissing the case for failure to sufficiently plead demand excusal); In re Metlife, No. 2019-0452-SG, 2020 WL 4746635, at *2 (Del. Ch. Aug. 17, 2020) (dismissing the case because the pled facts “fall[ ] short of a specific pleading of bad faith”); Hughes v. Hu, No. 2019-0112-JTL, 2019 WL 1987029, at *2 (Del. Ch. Apr. 27, 2020) (“The defendants also have moved to dismiss the complaint pursuant to Rule 12(b)(6) . . . . That motion is also denied.”); Owens v. Mayleben; No. 12985-VCS, 2020 WL 748023 (Del. Ch. Feb. 13, 2020); (dismissing the case for failure to sufficiently plead demand excusal); In re LendingClub Corp., No. 12984-VCM, 2019 WL 5678578, at *2 (Del. Ch. Oct. 31, 2019) (dismissing the case for failure to sufficiently plead demand excusal); In re Clovis Oncology, Inc., No. 2017-0222-JRS, 2019 WL 4850188, at *1 (Del. Ch. Oct. 1, 2019) (“Defendants have moved to dismiss each of Plaintiff’s derivative claims under Court of Chancery Rules 23.1 and 12(b)(6) for failure to plead demand futility with particularity and failure to state viable claims. As explained below, Plaintiffs have well-pled that Defendants face a substantial likelihood of liability under Caremark and our Supreme Court’s recent explication of Caremark in Marchand v. Barnhill.”); Rojas v. Ellison, No. 2018-0755-AGB, 2019 WL 3408812, at *1 (Del. Ch. July 29, 2019) (dismissing the case for failure to sufficiently plead demand excusal); Marchand v. Barnhill, No. 2017-0586-JRS, 2018 WL 4657159, at *1 (Del. Ch. Sept. 27, 2018) (dismissing the case for failure to sufficiently plead demand excusal), reversed by Marchand v. Barnhill, 212 A.3d 805 (Del. 2019). The exception is Caremark itself, which involved a motion to approve a proposed settlement. In re Caremark Int’l Inc., 698 A.2d 959, 960 (Del. Ch. 1996). 74 See Stone v. Ritter, 911 A.2d 362, 366–67 (Del. 2006) (“[T]he right of a stockholder to prosecute a derivative suit is limited to situations where either the stockholder has demanded the directors pursue a corporate claim and the directors have wrongfully refused to do so, or where demand is excused because the directors are incapable of making an impartial decision regarding whether to institute such litigation.”) (citing Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984)).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 18 All rights reserved

shareholders will choose the latter option.75 Demand excusal must be pled with

particularity.76 The Chancery Court has traditionally weighed demand futility for

Caremark claims under the Rales test,77 but in September 2021, the Delaware Supreme

Court replaced the Aronson78 and Rales tests with a single, three-part test for demand

futility.79 That new test, though, “is consistent with and enhances Aronson, Rales, and

their progeny” and “cases properly construing Aronson, Rales, and their progeny remain

good law.”80 Where the corporation’s certificate of incorporation exculpates directors for

breaches of the duty of care (as most do), to show a substantial likelihood of liability

under the demand excusal test the plaintiff must adequately plead a duty of loyalty

violation such as under Caremark.81

Section 220 of the Delaware General Corporation Law provides shareholders with

a right to inspect corporate books and records so long as it is not for an improper

75 See Andrew C.W. Lund, Rethinking Aronson: Board Authority and Overdelegation, 11 PENN. J. BUS. L. 703, 712 (2009) (“Demand futility, however, is by far the most popular of these two routes for shareholder-plaintiffs. Indeed, demand futility has been called ‘the critical issue in derivative litigation.’”) (quoting Stephen Bainbridge, The Demand Requirement in Derivative Litigation: Part II, http://www.businessassociationsblog.com/lawandbusiness/comments/the_demand_requirem ent_in_derivative_litigation_part_ii/)). See also id. at 712 n.44 (“The general consensus is that it is almost impossible for shareholder plaintiffs to prevail in a ‘wrongful refusal’ action.”) (citing Randall S. Thompson & Kenneth J. Martin, Litigating Challenges to Executive Pay: An Exercise in Futility?, 79 WASH. U. L. Q. 569, 576–77 (2001)). 76 DEL. CH. CT. R. 23.1 (“The complaint shall also allege with particularity the efforts, if any, made by the plaintiff to obtain the action the plaintiff desires from the directors or comparable authority and the reasons for the plaintiff’s failure to obtain the action or for not making the effort.”). 77 See, e.g., In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *62–63 (Del. Ch. Sept. 7, 2021) (applying the demand futility standard established in Rales v. Blasband, 634 A.2d 927, 934 (Del. 1993)). 78 Aronson v. Lewis, 473 A.2d 805 (1984). 79 United Food & Commercial Workers Union v. Zuckerberg, No. 2018-0671-JTL, at *37–41 (Del. Sept. 23, 2021). 80 Id. at *40. 81 See Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *21–22 (Del. Ch. Oct. 5, 2021) (applying the rule to a derivative action involving Caremark claims against Marriott directors).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 19 All rights reserved

purpose.82 The Chancery Court expects litigants to avail themselves of their rights under

Section 220 before bringing a derivative suit.83 The Delaware Supreme Court also

recently “removed two common defenses that companies use to oppose the production of

corporate records to stockholders.”84 The documents produced will be considered on a

motion to dismiss (and if a document is not produced, the court will infer it does not

exist). The combination of the two means that facts play a significant role in Caremark

opinions even at the motion to dismiss stage.

Prior to Caremark, the leading Delaware case addressing potential liability for

directors after unlawful corporate conduct was Graham v. Allis-Chalmers Manufacturing

Company.85 Four employees of Allis-Chalmers and the company itself were indicted and

pled guilty to violating antitrust law.86 The plaintiffs alleged that the directors had either

actual knowledge of the unlawful corporate conduct or “knowledge of facts which should

82 DEL. CODE ANN. tit. 8, § 220 (2016). 83 See La. Mun. Police Emps’ Ret. Sys. v. Pyott, 46 A.3d 313, 343 (Del. Ch. 2012), overruled on other grounds by 74 A.3d 612 (Del. 2013) (“The Delaware courts have dismissed a steady stream of Caremark claims where the plaintiffs have not first used Section 220 to obtain books and records.”) (citing Wood v. Baum, 953 A.2d 136, 144 (Del. 2008); In re Dow Chem. Co. Deriv. Litig., 2010 WL 66769, at *13 (Del. Ch. Jan. 11, 2010); Desimone v. Barrows, 924 A.2d 908, 951 (2007); Rattner v. Bidzos, 2003 WL 22284323, at *14 (Del. Ch. Sept. 30, 2003); In re Citigroup Inc. S’holders Litig., 2003 WL 21384599, at *3 (Del. Ch. June 5, 2003); Rabinovitz v. Shapiro, 839 A.2d 666 (Del. 2003); Guttman v. Huang, 823 A.2d 492, 493, 504 (Del. Ch. 2003); White v. Panic, 793 A.2d 356, 371–72 (Del. Ch. 2000). Cf. John F. Savarese, et al., Cybersecurity Oversight and Defense—A Board and Management Imperative, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (May 14, 2021), https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and- management-imperative/ (“Stockholder inspection demands to review a company’s books and records, including board- and committee-level minutes, in preparation for litigation are increasingly common and allowed by the courts where legal requirements are met.”). 84 Francis Pileggi, Supreme Court Rejects Two Common Defenses to Section 220 Demands, DELAWARE CORPORATE & COMMERCIAL LITIGATION BLOG (Dec. 14, 2020), https://www.delawarelitigation.com/2020/12/articles/delaware-supreme-court-updates/supreme- court-rejects-two-common-defenses-to-section-220-demands/ (relying on AmerisourceBergen Corp. v. Lebanon Cnty. Employees Retirement Fund, 243 A.3d 417 (2020)). 85 188 A.2d 125 (Del. 1963). 86 Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125, 127 (Del. 1963).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 20 All rights reserved

have put them on notice of such conduct.”87 A large manufacturer, Allis-Chalmers’

operations were heavily decentralized.88 In contrast with modern Caremark claims, Allis-

Chalmers was decided after depositions, which produced no evidence to support the

plaintiffs’ allegations.89 This forced the plaintiffs to argue that the directors should be

liable due to “their failure to take action designed to learn of and prevent antitrust

activity.”90 The plaintiffs also argued that the directors were put on notice of potential

antitrust problems by two consent decrees entered by the Federal Trade Commission

against Allis-Chalmers.91 But the defendant-directors had not been on the board at the

time of the consent decrees, and the company did not admit guilt.92 According to the

Delaware Supreme Court, rather than any obligation to “put into effect a system of

watchfulness[,] . . . directors are entitled to rely on the honesty and integrity of their

subordinates until something occurs to put them on suspicion that something is wrong.” 93

The kernel of what would become a duty to respond to red flags or risk a Caremark claim

exists in Allis-Chalmers, then, but the duty to implement a compliance system or face a

Caremark claim is missing. The Allis-Chalmers opinion was widely criticized for failing

to incentivize boards to implement compliance systems.94

a. The Caremark Doctrine is Born

87 Id. 88 Id. at 128. 89 Id. at 127. 90 Id. 91 Id. at 129. 92 Id. 93 Id. at 130. 94 See, e.g., Fairfax, supra note 69, at 422 (describing Allis-Chalmers as setting “the bar of compliance so low as to render the oversight doctrine largely irrelevant”). But see Stephen M. Bainbridge, Don’t Compound the Caremark Mistake by Extending it to ESG Oversight, forthcoming BUS. LAWYER, at *7–13 (2021) (criticizing Caremark for effectively overruling the binding precedent of Allis-Chalmers from below and for “ignoring the policy concerns that justified the [Allis-Chalmers] standard”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 21 All rights reserved

At the time of the derivative suit, Caremark International, Inc. (“Caremark”) was

a publicly-traded corporation that was headquartered outside of Chicago but incorporated

in Delaware.95 A healthcare company, Caremark generated most of its revenue from its

patient care business, with a substantial part of that “derived from third party payments,

insurers, and Medicare and Medicaid reimbursement programs.”96 The Anti-Referral

Payments Law bars healthcare providers from paying referral fees for Medicare and

Medicaid patients.97 Alleged improper payments by Caremark led to multiple criminal

indictments against Caremark officers and Caremark itself that ultimately culminated in

“a guilty plea to a single count of mail fraud by the corporation, the payment of a

criminal fine, the payment of substantial civil damage, and cooperation with further

investigations.98

Shareholders responded by filing five separate derivative actions later

consolidated into a single suit.99 The original complaint characterized the actions (or

inaction) by the Caremark board as a breach of the duty of care.100 The procedural

posture of the Court of Chancery’s opinion is interesting. The issue was not before it on

a motion to dismiss. Rather, the court approved a proposed settlement as “fair and

reasonable.”101 Caremark only proposed minor changes to its corporate practices, but the

court approved the settlement nonetheless for the simple reason that the claims asserted

were very weak.102 The Caremark decision both flags a novel claim for breach of

95 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 961 (Del. Ch. 1996). 96 Id. 97 Id. at 961–62. 98 Id. at 963–65. 99 Id. at 964. 100 Id. 101 Id. at 970. 102 Id. at 970–71.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 22 All rights reserved

fiduciary duty under Delaware corporation law and at the same time flags that claim as

one unlikely to succeed.

The Court of Chancery differentiates the claims in Caremark from “a board

decision that results in a law because that decision was ill advised or ‘negligent.’”103 The

first is safely ensconced within the protective walls of the business judgment rule.104 The

second is what has come to be known as a “Caremark” claim: failure to monitor.105 The

first concerns decisions; the second concerns “unconsidered inaction.”106 Unconsidered

inaction related to decisions made by officers and ordinary employees that cause the

corporation to violated the law, affecting “the welfare of the corporation and its ability to

achieve its various strategic and financial goals.”107

If corporate directors are aware of unlawful corporate behavior due to the

decisions of corporate officers and employees, they have a duty to put a stop to it.108 But

directors can assume integrity on the part of officers and employees “absent grounds to

suspect deception.”109 What they cannot do is avoid taking proactive measures to ensure

that appropriate monitoring systems are in place.110

103 Id. at 967–68. 104 Id. 105 Id. Chancellor Allen first refers to it as a claim for “an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss,” then later refers to it as “[l]iability for failure to monitor.” 106 Id. at 968. 107 Id. at 969. 108 See Pace, supra note 70, at 10 (discussing the application of Delaware corporation law in that situation by the U.S. Court of Appeals for the Seventh Circuit in In re Abbott Laboratories Derivative Shareholders Litigation, 325 F.3d 795, 809 (7th Cir. 2003)). 109 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 969 (Del. Ch. 1996) (relying on Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125, 130–31 (Del. 1963)). 110 Id. at 969–70. See also Robert C. Bird, Caremark Compliance for the Next Twenty-Five Years, 58(1) AM. BUS. L.J. 63 (2021), at *6 (asserting that the world had changed since Allis-Chalmers and “the time was due for boards to assume an affirmative obligation, however, narrow, to take responsibility for attempting to ensure the existence of a reasonable information and reporting system.”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 23 All rights reserved

b. “[T]he most difficult theory in corporation law upon which a plaintiff might hope to win a judgment”111

When Chancellor Allen described a claim as “possibly the most difficult theory in

corporation law upon which a plaintiff might hope to win a judgment,”112 he was not only

referring to what are now known as Caremark duty to monitor claims. He was also

referring to the sorts of claims very safely insulated by the business judgment rule.113

Nonetheless, Chancellor Allen’s words proved prescient in the 23 years between when

Caremark and Marchand were decided. Caremark duty to monitor claims simply were

not a viable route to derivative litigation success for disgruntled shareholders, any more

than suits challenging an ill-advised board decision. This was by design.114

The Caremark decision did, however, establish the analytical framework for duty

to monitor claims, which themselves came to be known as Caremark claims.115 This was

despite the somewhat odd procedural posture of the opinion. The issue before the court

was approval of a settlement; the analysis is dicta.116 The Caremark analysis would

remain influential, and the name would stick, but the Caremark claim would see

important doctrinal development. Caremark was “a paradigmatic duty of care case”

grouped with other duty of care cases in casebooks.117 The fiduciary duties owed by

directors to the corporation are traditionally bifurcated between the duty of care and the

duty of loyalty.118 The Delaware Supreme Court briefly flirted with dividing corporate

111 Id. at 967. 112 Id. 113 Id. at 967–68. 114 Hill & McDonnell, supra note 69, at 1777 (“Caremark duties are deliberately structured to make it extremely hard for plaintiffs to win.”). 115 Paul E. McGreal, Corporate Compliance Survey, 64 BUS. LAW. 253, 272 (2008). 116 See Bainbridge, ERM, supra note 72, at 973. 117 See Hill & McDonnell, supra note 69, at 1776 (citing WILLIAM T. ALLEN, ET AL., COMMENTARIES AND CASES ON THE LAW OF BUSINESS ORGANIZATION 282–92 (2d ed. 2007)). 118 See id. at 1771.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 24 All rights reserved

fiduciary duties among the duties of care, loyalty, and good faith.119 The Delaware

Supreme Court eventually located good faith firmly within the duty of loyalty.120 The

Delaware Supreme Court was following the lead of the Chancery Court, which had

already “reinvented [Caremark] as a duty of loyalty” issue in Guttman v. Huang.121 The

Chancery Court noted in Guttman v. Huang that, although Caremark “is rightly seen as a

prod towards the greater exercise of care by directors,” it was in fact a matter of the duty

of loyalty.122

The Delaware courts’ moves in 2003 with Guttman and 2006 with Stone were

doctrinally important because, unlike duty of care claims, duty of loyalty claims cannot

be exculpated in the corporate charter under Section 102(b)(7).123 That may have been

the entire point.124 If it was, it was unnecessary: Section 102(b)(7) already provides that

liability may not be limited for acts by a director that are “not in good faith.”125 And the

Caremark opinion makes clear that good faith is central to Caremark claims.126 But

119 See Pace, supra note 70, at 65–66 (2020) (relying on Stephen M. Bainbridge, et al., The Convergence of Good Faith and Oversight, 55 UCLA L. REV. 559, 566 (2008) [hereinafter Bainbridge, Good Faith]). 120 See id (relying on Stone v. Ritter, 911 A.2d 362, 369–70 (Del. 2006)). See also Andrew C.W. Lund, Opting Out of Good Faith, 37 FLA. ST. U. L. REV. 393, 401 (2010) [hereinafter, Lund, Opting Out] (describing good faith as having appeared to “largely breezed into and out of Delaware corporate law without any generally agreed-upon meaning” prior to Disney and Stone). 121 See Bainbridge, ERM, supra note 72, at 975 (relying on Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003)). 122 823 A.2d 492, 506 (Del. Ch. 2003). 123 See Bainbridge, ERM, supra note 72, at 975 (citing Regina F. Burch, “Unfit to Serve” Post- Enron, 42 VAL. U. L. REV. 1081, 1094 (2008)). 124 See, e.g., Fairfax, supra note 69, at 430 (noting arguments that oversight was shifted from the duty of care to the duty of loyalty in order to remove it from the protection of Section 102(b)(7)) (citing Stephen M. Bainbridge, Good Faith, supra note 119, at 597; Robert B. Thompson, The Short, But Interesting Life of Good Faith as an Independent Liability Rule, 55 N.Y.L. SCH. L. REV. 543, 551 (2010/2011)). 125 DEL. CODE ANN. tit. 8, § 102(b)(7) (2016). 126 See In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 968–69, 971 (Del. Ch. 1996) (“[T]he business judgment rule is process oriented and informed by a deep respect for all good faith board decisions. . . . [O]nly a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 25 All rights reserved

since most corporate charters include a Section 102(b)(7) exculpatory provision,127 the

doctrinal clarity that Caremark claims fall outside the duty of care has renewed

importance with the reinvigoration of Caremark claims.

Stone v. Ritter was also important because it marked the first time the Delaware

Supreme Court expressly endorsed the analytical framework from Caremark.128 And it

formalized what this paper will henceforth refer to as “Type I” and “Type II” Caremark

claims.129 Type I applies where “the directors utterly failed to implement any reporting

or information system or controls.”130 Type II applies where the board implemented

controls but “consciously failed to monitor or oversee its operations thus disabling

themselves from being informed of risks or problems requiring their attention.”131 It

would have no immediate effect on the viability of Caremark claims, though: they

continued to fall at the motion to dismiss stage.

Prior to Guttman v. Huang, the Chancery court appears to have sustained zero

Caremark claims. During the three-year period from Guttman to Stone, the Chancery

Court sustained one Caremark claims,132 with another sustained shortly after Stone was

decided.133 In Saito v. McCall, the court, on a second try, “barely” sustained a Caremark

claim.134 The board of McKesson Corporation ignored red flags related to “unlawful

accounting improprieties” during due diligence of an acquisition target (a Type II

127 Hill & McDonnell, supra note 69, at 1774. 128 See Bainbridge, ERM, supra note 72, at 976 (citing Stone v. Ritter, 911 A.2d 362 (Del. 2006)). 129 See Lund, Opting Out, supra note 120, at 407 (“After Stone, then, we are left with at least two types of cases. First, clear Caremark/Stone, failure-to-monitor claims, for which Stone offers a specific disjunctive test—absence of monitoring systems or conscious failure to monitor through such systems.”). 130 Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). 131 Id. 132 Saito v. McCall, No. 17132-NC, 2004 WL 3029876 (Del. Ch. Dec. 20, 2004), overruled on other grounds by Lambrecht v. O’Neal, 3 A.3d 277 (Del. 2010). 133 ATR-Kim Eng Fin. Corp. v. Araneta, No. 489-N, 2006 WL 3783520 (Del. Ch. Dec. 21, 2006). The opinion in Araneta was issued a month after the opinion in Stone. 134 No. 17132-NC, 2004 WL 3029876, at *6 (Del. Ch. Dec. 20, 2004).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 26 All rights reserved

claim).135 In ATR-Kim Eng Fin. Corp. v. Araneta, the 10 percent shareholders of a

corporation sued the 90 percent shareholder for transferring away the key assets of a

holding company incorporated in Delaware to members of his family.136 The majority

shareholder had a traditional duty of loyalty issue.137 But two other directors, both of

whom considered themselves to be employees of the majority shareholder, had a duty of

loyalty issue under Caremark.138 No reporting systems were in place and the directors

deferred entirely to the majority shareholder.139 Araneta is notable for being the rare

Caremark claim that made it to trial.140 Of these two cases, then, the earliest to see a

Caremark claim actually succeed, one barely did and the other involved egregious

conduct, with the court describing the directors as “stooges.”141

Guttman was preceded by the 2002 corporate governance crisis exemplified by

Enron and WorldCom.142 Despite the magnitude of the crisis, there was no surge in

successful Caremark suits. The chancery court dismissed a Caremark claim against

Citigroup alleging that its board had ignored red flags related to improper transactions by

Enron and WorldCom (both were Citigroup clients).143 After the first suit failed in part

because of a failure to seek documents under Section 220, another plaintiff remedied that

defect and tried again with equal lack of success.144

135 Saito, 2004 WL 3029876, at *6–7. 136 No. 489-N, 2006 WL 3783520, at *1, 4 (Del. Ch. Dec. 21, 2006). The underlying venture was based in the Philippines. 137 Id. at *15–17 (Del. Ch. Dec. 21, 2006). 138 Id. at *19–21. 139 Id. at *20. 140 Id. at *5. 141 Id. at *19. 142 See, e.g., Fairfax, supra note 69, at 426. 143 In re Citigroup Inc. S’holders Deriv Litig., No. 19827, 2003 WL 21384599 (Del. Ch. June 5, 2003). 144 David B. Shaev Profit Sharing Account v. Armstrong, No. 1449-N, 2006 WL 391931 (Del. Ch. Feb. 13, 2006) aff’d, 911 A.2d 802 (Del. 2006).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 27 All rights reserved

Stone would be followed two years later by the 2008 financial crisis.145 Citigroup

would again be sued under a Caremark theory and again prevail on a motion to

dismiss.146 Goldman Sachs would also face a Caremark claim and come away

unscathed.147 Despite the belief of many that poor board oversight helped lead to both

crises,148 neither the 2002 corporate governance crisis nor the 2008 financial crisis

resulted in the number of successful Caremark claims seen between 2019 and 2021. The

financial crisis did result in one successful Caremark claim—against AIG.149 The

plaintiffs in AIG alleged “widespread illegal misconduct” led to financial restatements

that that wiped out $3.5 billion in shareholder value and resulted in the company paying

$1.6 billion in fines and other costs to resolve litigation and regulatory enforcement

actions against it.150 The director defendants “were directly knowledgeable of and

involved in much of the wrongdoing,” the “diversity, pervasiveness, and materiality” of

which was “extraordinary.”151 If that was true, then the directors must have also known

that AIG’s internal controls were inadequate.152

During the thirteen years between Stone and Marchand, as few as four Caremark

claims were sustained by the Chancery Court (including AIG).153 In Rich v. Yu Kwai

Chong, the court sustained a Caremark claim where the “individual Defendants not only

145 Bernard S. Sharfman, Enhancing the Efficiency of Board Decision Making: Lessons Learned from the Financial Crisis of 2008, 34 DEL. J. CORP. L. 813, 816 (2009). 146 In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106 (Del. Ch. 2009). 147 In re Goldman Sachs Group, Inc. S’holder Litig., No. 5215-VCG, 2011 WL 4826104 (Del. Ch. Oct. 12, 2011). 148 See, e.g., Fairfax, supra note 69, at 425–27. 149 In re Am. Int’l Group Inc. (“AIG”), 965 A.2d 763 (Del. Ch. 2009). 150 Id. at 764–65. 151 Id. at 799. 152 Id. 153 In re China Agritech, Inc. S’holder Deriv. Litig., No. 7163-VCL, 2013 WL 2181514 (Del. Ch. May 21, 2013); Rich ex rel. Fuqi Int’l v. Yu Kwai Chong, 66 A.3d 963 (Del. Ch. 2013); In re Am. Int’l Group Inc., 965 A.2d 763 (Del. Ch. 2009); Saito v. McCall, No. 17132-NC, 2004 WL 3029876 (Del. Ch. Dec. 20, 2004), overruled on other grounds by Lambrecht v. O’Neal, 3 A.3d 277 (Del. 2010).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 28 All rights reserved

failed to respond to the demand over the next two years, but allegedly took actions

making meaningful response to the demand unlikely if not impossible.”154 An

investigation of the transfer of “$120 million of cash out of the company” ended after the

audit committee’s advisors were not paid, and all of the corporation’s independent

directors subsequently resigned.155 The company also had accounting issues and lacked

internal controls.156 The Caremark claim in Rich was, again, sustained as a Type II

claim.157 The board ignored red flags including accounting issues that required a

restatement and inadequate internal controls, neither of which were remedied, and known

issues bringing internal controls for a Chinese company into accord with U.S. securities

laws.158

Stewart v. Wilmington Trust SP Services, Inc. involved accounting

irregularities.159 Stewart is procedurally distinct from a standard Caremark claim.

Rather than a shareholder-plaintiff, the Delaware Insurance Commissioner prosecuted the

claims of four Delaware captive insurance companies as receiver in liquidation.160

Wilmington Trust SP Services, Inc. (“Wilmington Trust”) was a Delaware corporation

that provided management and administrative services to four captive insurance

companies (the “SPI Entities”).161 Wilmington Trust struggled to produce audited

financial statements for the SPI Entities.162 An investigation by the Insurance

Commissioner discover that the, contrary to their financial statements, the assets of the

154 Rich, 66 A.3d at 965. 155 Id. at 966. 156 Id. at 970, 982–83. 157 Id. at 970, 983–85. 158 Id. at 983–84. 159 112 A.3d 271 (Del. Ch. 2015). 160 Id. at 278. 161 Id. at 279–80. 162 Id. at 282–86.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 29 All rights reserved

SPI Entities were minimal.163 The court sustained a Caremark claim because the SPI

Entities’ boards “approved the audited financial statements with little or no substantive

discussion, despite warnings that significant irregularities occurred and the companies’

procedures needed to be changed.”164

In China Agritech, a Chinese manufacturer and seller of fertilizer accessed U.S.

securities markets through an inactive Delaware corporation with a NASDAQ listing.165

Like the company in Rich, China Agritech disclosed inadequate internal controls but did

not remedy them.166 Problems were in fact substantial, with little to no manufacturing,

fictional revenue, and ghost factories.167 Although the disclosed-but-not-remedied

inadequate internal controls in Rich served as red flags for a Type II claim, the court in

China Agritech instead appeared to sustain a Caremark claim under a Type I analysis

because China Agritech had “an Audit Committee that existed in name only.”168

Notably, both Rich and China Agritech involved Chinese companies.

Also of note is the Chancery Court’s decision in Massey Energy.169 The plaintiff

framed one of their claims as a Caremark claim, but the court ruled that rather than allow

unlawful corporate action through inadequate oversight, the board instead “knowingly

caus[ed] it to seek profit by violating the law.”170 A claim that the board directed the

163 Id. at 289. 164 Id. at 300. 165 In re China Agritech, Inc. S’holder Deriv. Litig., No. 7163-VCL, 2013 WL 2181514, at *1 (Del. Ch. May 21, 2013). 166 Id. at *2. 167 Id. at *5. 168 Id. at *18–19. 169 In re Massey Energy Co. Deriv. & Class Action Litig., No. 2017-0030-TMR, 2020 WL 756965 (Del. Ch. May 31, 2011). 170 Id. at *18–20.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 30 All rights reserved

corporation to violate the law or knew that it was doing so and turned a blind eye is

conceptually and doctrinally distinct from a Caremark claim.171

The highest profile Caremark case in the years immediately preceding Marchand

involved defects with the ignition switches in General Motors Company (“GM”)

vehicles.172 GM recalled 28 million vehicles via 45 recalls over the course of several

months.173 The defective ignition switches sometimes inadvertently resulted in the

vehicle’s engine, power steering, power breaks, and airbags being disabled during

driving.174 Recall costs alone led to $1.5 billion in charges against earnings and GM set

up a fund to compensate accident victims.175 GM violated the National Traffic and

Motor Vehicle Safety Act of 1996 by not reporting the defect within five days.176 GM

subsequently paid $35 million in fines to the government.177

Certain GM employees had known about the ignition switch defect for years; the

GM board had not, but the plaintiffs argued that they should have known.178 That is, the

plaintiffs argued that the board prevented the issue from reaching them by not

implementing appropriate policies and procedures.179 Notably in light of the Marchand

line of cases, GM did not have a single committee responsible for vehicle safety issues,

although it did initially have a finance and risk committee.180 The finance and risk

committee was eliminated during the relevant time period and its risk management

171 See Pace, supra note 70, at 6–8 (2020). 172 In re General Motors Co. Deriv. Litig., No. 9627-VCG, 2015 WL 3958724 (Del. Ch. June 26, 2015). 173 Id. at *2. 174 Id. 175 Id. 176 Id. at *5. 177 Id. at *2. 178 Id. 179 Id. at *9. 180 Id. at *4–5.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 31 All rights reserved

oversight responsibilities were transferred to the audit committee.181 On the management

side, the chief risk officer position was eliminated and its responsibilities combined with

that of the general auditor.182 The Chancery Court dismissed the Caremark claim

because there were no red flags alerting the board to the issue, and the board did have a

compliance system in place, even if it was poorly designed or did not cause the revelation

of the ignition switch defect.183

Caremark claims’ reputation for being tough to win surely affected litigation

strategy. Plaintiffs lawyers will be less likely to pursue a litigation strategy with a long

history of repeated failure. They will instead explore other avenues to recovery. For

example, the plaintiff in a suit alleging directors of Google parent Alphabet breached

their fiduciary duties in their handling of sexual harassment claims was careful to specify

in the complaint that “This is not a ‘failure to supervise’ case.”184

c. Caremark Newly Invigorated in Wake of Marchand (Blue Bell)

Observers could be forgiven for failing to recognize the Blue Bell ice cream

listeria outbreak as the harbinger of a major change in the reception Caremark claims

would receive before Delaware judges. It got off to an inauspicious start. Vice

Chancellor Slights dispensed with the plaintiff’s Caremark claim in just eight paragraphs

in an unpublished opinion.185 The Vice Chancellor rejected the plaintiff’s arguments,

181 Id. at *7. 182 Id. at *6. 183 Id. at *11–17. See generally Marianne Jennings & Lawrence J. Trautman, Ethical Cultures and Legal Liability: The GM Switch Crisis and Lessons in Governance, 22 B.U. J. SCI. & TECH. L. 187 (2016) (looking at the ignition switch defect debacle in great depth). 184 Compl. at ¶ 12, Martin v. Page, No. 19-civ-00164 (Sup. Ct. Cali. Jan. 10, 2019). See also Pace, supra note 70, at 45–46 (2020) (discussing whether a per se standard might apply on the theory that the board knew of and failed to prevent the unlawful activity). 185 Marchand v. Barnhill, No. 2017-0586-JRS, 2018 WL 4657159, at *16–19 (Sept. 27, 2018).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 32 All rights reserved

finding “no allegation that Blue Bell failed to implement . . . mandated monitoring and

reporting systems” in regards to a Type I Caremark claim and being “unable to discern

whether Plaintiff actually intends to advance a [Type II] Caremark claim.”186 The

plaintiff would fare better before the Supreme Court of Delaware.

The facts leading to the listeria outbreak and Blue Bell’s subsequent emergency,

dilutive injection of cash are integral to understanding why this suit ended differently

than so many previous suits advancing Caremark claims. The facts are equally integral

to understanding the viability of Caremark claims going forward. Blue Bell Creameries

USA, Inc. (“Blue Bell”) makes and sells ice cream.187 That is what they do—nothing

more, nothing less. This subjects them to both heavy FDA regulation and state

regulation.188

Despite food safety being mission critical, Blue Bell had a history of issues. The

Delaware Supreme Court opinion details six separate run-ins with regulators from 2009

to 2012, with multiple infractions per run-in, and notes multiple positive listeria tests in

2013, 2014, and 2015.189 Listeria is a big deal. Listeria monocytogenes is a bacterium

that can be passed through contact with diseased animals or via contaminated food.190

Listeriosis commonly manifests as meningitis in adults; meningitis has a high mortality

rate.191 With mortality rates between 13 and 34 percent, “listeriosis may well be the

leading fatal food-borne infection in the United States.”192 Listeria has been found in a

186 Id. at *17–19. 187 Marchand v. Barnhill, 212 A.3d 805, 811 (Del. 2019). 188 Id. at 810. 189 Id. at 811–13 (citations omitted). 190 J.M. Farber & P.I. Peterkin, Listeria monocytogenes, a Food-Borne Pathogen, 55 MICROBIOLOGICAL REVIEWS 476, 476–78 (1991). 191 Id. at 479. 192 Id.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 33 All rights reserved

variety of dairy products, and it is difficult to prevent, requiring careful quality assurance

in food production.193

Blue Bell responded to positive listeria tests in early 2015 with a limited recall,194

but it was too late. Within a month, listeria was discovered in Blue Bell products in

South Carolina and was linked to a listeria outbreak in Kansas.195 Blue Bell responded

with another limited recall.196 Within a month, the recall had grown to cover all Blue

Bell products.197 Three people in Kansas would die from listeria complications after

eating contaminated Blue Bell products.198

For three Kansans, the consequences of lax food safety were fatal. For Blue Bell,

the legal and financial consequences were just beginning. The Center for Disease

Control and Prevention (“CDC”) launched an investigation and issued its own recall

order.199 The FDA inspected all three Blue Bell production facilities and found major

issues at each.200 Former Blue Bell employees detailed poor food safety practices to

news outlets.201

Remember, Blue Bell was a monoline company. All they made and sold was ice

cream, and all of their ice cream production facilities were shuttered and all of their ice

cream products recalled from store shelves. Understandably, this led to a liquidity

193 Id. at 488–89, 500. 194 Marchand v. Barnhill, 212 A.3d 805, 813 (Del. 2019). 195 Id. at 813–14. 196 Id. at 814. 197Id. Blue Bell employees were at one point directed to “explain simply that there were unspecified quality issues or manufacturing irregularities” when removing Blue Bell ice cream from store shelves. Michael W. Peregrine & David S. Rosenbloom, The Blue Bell Dairy CEO Indictment and its Implications for Executive Liability, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (May 26, 2020), https://corpgov.law.harvard.edu/2020/05/26/the-blue- bell-dairy-ceo-indictment-and-its-implications-for-executive-liability/. 198 Id. 199 Id. 200 Id. 201 Id. at 815.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 34 All rights reserved

crisis.202 Sid Bass’ fund Moo Partners injected cash into Blue Bell via “a $125 million

credit facility and . . . a $100 million warrant to acquire 42% of Blue Bell at $50,000 per

share.”203 This not only diluted the ownership of existing shareholders, it also shifted

control: in return for the cash infusion Blue Bell gave Moo Partners one-third of the

voting power on the board.204

What was the board doing during all of this? Not enough, according to the

Delaware Supreme Court. “[T]he Blue Bell board failed to implement any system to

monitor Blue Bell’s food safety performance or compliance.”205 This was fatal for a

“monoline company that makes a single product,” making food safety a central

compliance issue.206 Management saw red flags (and failed to respond appropriately);

the board was not presented with the red flags, preventing them from fulfilling their

responsibilities.207 Reports on listeria in Blue Bell plants went to management but did

not find their way to the board.208 In fact, until Blue Bell made its first recall, the only

board-level discussion in the record concerned a third-party audit of sanitation issues in

2014.209 Even then, the Blue Bell board met two days after the first recall and continued

to rely on management rather than schedule additional emergency board meetings to

provide oversight for Blue Bell’s response.210

The Delaware Supreme Court held that the plaintiff met his pleading requirement

for a Type I Caremark claim. Type I claims apply where the board fails to put in place

202 Id. 203 Id. 204 Id. 205 Id. at 805 (emphasis added). 206 Id. at 809. 207 Id. 208 Id. at 812. 209 Id. at 812–13. 210 Id. at 813–14.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 35 All rights reserved

any compliance system or controls.211 How could the Blue Bell directors have failed to

meet this standard? Blue Bell complied with various state and federal food safety

regulations, and management took various steps to oversee food safety. The answer lies

in recognizing that the pertinent duty is a director duty. It concerns board action, not the

action of officers and other corporate employees. Blue Bell’s failures were board

failures, whatever management did. The board failed to implement any board-level food

safety compliance system.212 There was no board committee for food safety.213 There

were no protocols requiring management report food safety issues to the board.214 The

positive listeria results and other food safety issues—the sort of thing that might serve as

a “red flag” for a Type II Caremark claim—were never relayed to the board.215 Board

minutes were devoid of evidence that the board discussed food safety issues.216

Accordingly, the Delaware Supreme Court reversed the Chancery Court’s

decision dismissing the plaintiff’s claims.217 The parties settled for $60 million less than

two weeks before trial.218 The CEO of Blue Bell wound up indicated on seven federal

felony counts, and Blue Bell itself pled “guilty to misdemeanor charges of distribution of

adulterated food.”219

211 Stone v. Ritter, 911 A.2d 362, 370–72 (Del. 2006). 212 Marchand v. Barnhill, 212 A.3d 805, 821 (Del. 2019). 213 Id. at 822. 214 Id. 215 Id. 216 Id. 217 Id. at 824. 218 Meredith Kotler, et al., Recent Delaware Court of Chancery Decision Sustains Another Caremark Claim at the Pleading Stage, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (May 25, 2020), https://corpgov.law.harvard.edu/2020/05/25/recent-delaware- court-of-chancery-decision-sustains-another-caremark-claim-at-the-pleading-stage/. 219 Michael W. Peregrine & David S. Rosenbloom, The Blue Bell Dairy CEO Indictment and its Implications for Executive Liability, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (May 26, 2020), https://corpgov.law.harvard.edu/2020/05/26/the-blue-bell-dairy- ceo-indictment-and-its-implications-for-executive-liability/.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 36 All rights reserved

d. Four Subsequent Cases Show Marchard was No Fluke After Marchand was decided, two questions remained. One, was Marchand a

one-off or did it signal a real change in the viability of Caremark claims going forward?

Two, were the implications of Marchand limited to its facts—a monoline company with a

“mission critical”220 compliance issue—or would Caremark start to bite more broadly?

Four subsequent decisions by the Chancery Court provide answers.

i. In re Clovis Oncology, Inc.

Delaware court watchers would not have to wait long. The Delaware Supreme

Court decided Marchand on June 19, 2019221; the Chancery Court decided In re Clovis

Oncology, Inc. on October 1, 2019.222 Clovis Oncology, Inc. (Clovis) was a

pharmaceutical start-up, which had developed a promising cancer drug.223 This drug,

Roci, was the most promising of the three drugs Clovis had in development.224 Clovis

did not have any drugs on the market.225 With an estimated $3 billion annual market,

Roci had the potential to be a blockbuster drug.226 That potential return was balanced by

countervailing risk. Not only was there a risk Roci would not receive FDA approval, but

Clovis was locked in a race for FDA approval with AstraZeneca, which was developing a

competing drug.227

220 See Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019) (“In Blue Bell’s case, food safety was essential and mission critical.”). 221 Id. at 805. 222 No. 2017-0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 1, 2019). 223 In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *1 (Del. Ch. Oct. 19, 2019). 224 Id. at *2. 225 Id. 226 Id. at *4. 227 Id.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 37 All rights reserved

Objective response rate (ORR) is an industry-standard metric for assessing the

success of a new drug during clinical trials.228 While Clovis reported an ORR similar to

that of AstraZeneca’s competing drug, the board knew by mid-2014 that the reported

ORR was improperly calculated.229 Clovis reported an improperly calculated ORR to the

FDA in mid-2015.230 Clovis disclosed an ORR of 60 percent in the prospectus for a

secondary offering around the same time.231 Properly calculated, the ORR was only

42 percent.232 There were a number of other issues with the Roci clinical trials.233 Even

after disclosing an ORR of between 28 percent and 34 percent to the FDA in October

2015, Clovis continued to publicly announce improperly calculated ORR.234

It would soon all fall apart. The FDA noticed the discrepancy and started asking

hard questions in late 2015.235 One week later, Clovis issued a press release disclosing

the accurate, much lower ORR.236 Its stock price promptly dropped 70 percent, erasing

over $1 billion in market capitalization.237 In April 2016, the FDA voted to delay action

on Roci, dropping Clovis’ stock price another 17 percent.238 The next month, Clovis

withdrew its application for FDA approval and ended clinical trials.239

Legal consequences followed. Securities fraud class action lawsuits and an SEC

enforcement action led to payments of over $160 million.240 The FDA opened an

228 Id. at *4–5. 229 Id. at *5–6. 230 Id. at *7. 231 Id. 232Id. 233 Id. at *8–9. 234 Id. at *7. 235 Id. at *8 236 Id. 237 Id. 238 Id. 239 Id. 240 Id. at *9.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 38 All rights reserved

investigation.241 And a derivative lawsuit was filed that included a Caremark claim.242

The result would be the same, but the posture of the Caremark claim would be quite

different than in Marchand. Marchand involved a Type I Caremark claim; the Blue Bell

board ignored food safety altogether. Clovis involved a Type II Caremark claim.

Clovis had controls in place and two board committees were tasked with

overseeing relevant issues.243 The Clovis board was also well aware of the issues with

the Roci clinical trials. In fact, the Chancery Court described it as “hyper-focused on the

drug’s development and clinical trial.”244 The drug’s development was a regular point of

discussion at board meetings, often eating up hours of precious board time.245 The board

was well aware of the importance of ORR.246 The board knew that ORR was being

improperly calculated almost a year and a half before the issue was disclosed to the

public, repeatedly receiving reports that flagged the issue.247 For months and months, the

board was aware that the ORR discrepancy was a deadly threat to one of just three Clovis

drugs in development and to its stock price but did nothing.248 The defendant directors

signed Clovis’ 2014 Annual Report, which included the inflated, improperly calculated

ORR.249 The board was aware both that clinical trial protocols were being violated and

that side effects were being underreported.250 Given the rampant issues and the boards

extensive knowledge and appreciation of their severity, the Chancery Court ruled that the

241 Id. 242 Id. at *10. 243 Id. at *2 (“The Nominating and Corporate Governance Committee is charged with developing and overseeing the effectiveness of Clovis’ legal, ethics and regulatory compliance matters. The Audit Committee oversees typical audit functions and, importantly, reviews earnings reports with management before release to the market.”). 244 Id. at *4. 245 Id. 246 Id. at *5. 247Id. at *5–8. 248 Id. at *6. 249 Id. at *7. 250 Id. at *8.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 39 All rights reserved

defendant directors “consciously ignored red flags,” denying their motion to dismiss the

Type II Caremark claim against them.251

Clovis is important because successful Caremark claims are always noteworthy.

It is important because it is a Chancery Court decision; Clovis signaled that the Chancery

Court would not fight the Delaware Supreme Court’s decision in Marchand or even

attempt to implicitly overrule it from below. It is important because it shows that there is

renewed viability for Type II Caremark claims, not just Type I Caremark claims.

But it does not mark a drastic change in doctrine, or even any change at all. The

board had more red flags waved in its face than a Spanish fighting bull.252 In fact,

analytically Clovis wasn’t a Caremark claim at all.253 It is more properly viewed as

involving a failure by the board to stop known unlawful corporate conduct, which is

treated as the equivalent of the board directing unlawful corporate conduct under

Delaware law and reviewed under a per se standard.254 Clovis also did not provide clarity

as to whether Marchand should be viewed as limited to mission critical risks to a

company with limited products operating in a highly regulated industry.255

ii. Hughes v. Hu Clovis would not be the last time Chancery Court let a Caremark claim survive a

motion to dismiss. Barely half a year later, the Chancery Court sustained another

251 Id. at *13–15. 252 The Chancery Court characterized the directors as acting “[w]ith hands on their ears to muffle the alarms.” In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *7 (Del. Ch. Oct. 19, 2019). 253 Procedurally, both the complaint and the Chancery Court opinion treat it as a Caremark claim. 254 See Pace, supra note 70, at 10 (relying on In re Abbott Labs. Derivative S’holders Litig., 325 F.3d 795, 809 (7th Cir. 2003)) (discussing a case that applied Illinois law but nonetheless reviewed Delaware law and indicated the result would be the same under either). 255 See Clovis, 2019 WL 4850188, at *12 (noting that compliance is context- and industry-specific, the importance of the business’ regulatory environment, and “mission critical regulatory compliance risk”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 40 All rights reserved

Caremark claim in Hughes v. Hu.256 Kandi Technologies Group, Inc. (“Kandi”) is a

Delaware corporation but is based in China.257 Kandi entered into a 50/50 joint venture

with Greely Automobile Holdings Ltd. (“Greely”).258 Kandi sold parts to the joint

venture, which then used the parts in the manufacture of electric vehicles.259 The joint

venture wholesaled the finished electric vehicles to another company, Zhejiang

ZuoZhongYou Electric Vehicle Service Co., Ltd. (“Zhejiang”), which then sold or leased

the vehicles.

Kandi raised some eyebrows with how it structured its business.260 Kandi owned

9.5 percent of Zhejiang.261 Xiaoming Hu, CEO of Kandi and chair of its board, owned

another 13 percent of Zhejiang, along with his 28.4 percent ownership stake in Kandi. 262

His son owned Kandi USA, one of Kandi’s five largest customers.263 The complex joint-

venture-and-service-company structure was allegedly designed to allow Kandi to secure

both subsidies provided by China to producers of electric vehicles and subsidies provided

by China to purchasers of electric vehicles.264 AWC (CPA) Limited (“AWC”), Kandi’s

auditor, had no other clients.265

Kandi was rife with accounting issues over a several-year period. Kandi “parked

large amounts of cash in the personal bank accounts of its officers and employees

256 No. 2019-0112-JTL, 2020 WL 1987029, at *2 (April 27, 2020). 257 Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *2 (April 27, 2020). 258 Id. 259 Id. 260 All of this is based on the allegations in the complaint, taken as true at the relevant stage of litigation. Hughes, 2020 WL 1987029, at *18. 261 Id. at *2. 262Id. 263 Id. 264 Id. 265 Id.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 41 All rights reserved

(including its CEO).”266 AWC neither verified that the cash actually existed nor why it

was parked in personal accounts.267 While AWC discovered $3 million in such cash,

Kandi did not disclose another $4.1 million.268 With $37.9 million in notes receivable, a

single note was outstanding for $33.1 million and the borrower had made zero interest

payments in the prior year.269 “AWC did not evaluate the creditworthiness of the

borrower.”270

Related-party transactions were an ongoing issue. Kandi did extensive business

with both Kandi USA and Zhejiang.271 Transactions with Kandi USA were recorded

under another name.272 Remarkably, AWC rebooked the transactions to another

customer’s account at Kandi’s suggestion and erased Kandi USA from its audit trail.273

Kandi did not disclose that it had engaged in material related-party transactions with

Kandi USA (totaling almost $10 million) until 2016.274 Kandi also did not disclose until

2016 that Zhejiang had owed it over $40 million in 2014 and still owed it $10 million.275

AWC reported multiple key internal control weaknesses to the audit committee.276

Kandi’s securities disclosures also identified material control weaknesses.277 At other

times Kandi described its controls as effective.278 Announcing its financials would have

266 Id. at *3. 267 Id. 268 Id. 269 Id. at *3–4. 270 Id. at *3. 271 See, e.g., Id. at *3, 6 (noting Kandi USA was one of Kandi’s five largest customers and that at one point the audit committee signed off on $42 million in related-party transactions with Zhejiang). 272 Id. at *3. 273Id. 274 Id. at *7. 275 Id. 276 Id. at *3. 277 Id. at *4–5, 8. 278 Id. at *6.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 42 All rights reserved

to be restated, Kandi also announced that it was “reassessing its internal controls.”279 The

audit committee was largely asleep at the wheel during all this. They “never met for

longer than one hour and typically only once per year.280 Determinations were made

after Kandi’s 10-K was filed that should have been made before it was filed.281

Things came to a head in 2016. The Public Company Accounting Oversight

Board sanctioned AWC for its handling of Kandi’s audits in 2010, 2011, and 2012.282

Kandi responded by firing AWC as its auditor.283 The sanctions attracted the attention of

NASDAQ.284 China investigated Kandi and first delayed subsidy payments then decided

to phase them out altogether—the same subsidies that Kandi had structured its business

to take advantage of.285 The next spring, Kandi “announced that its financial statements

from 2014 through the third quarter of 2016 could not be relied upon and needed to be

restated.”286

Interestingly, the Chancery Court treats the Caremark claim in Hughes as a

Type I claim rather than a Type II claim.287 Hughes follows in the wake of Marchand,

not Clovis. From one perspective, this makes sense. A Type I claim was off the table in

Clovis, because the record was clear that the board was sharply attentive to the Roci

clinical trials. But the facts of Hughes are different from Marchand as well. In

Marchand, the board delegated food safety entirely to management, with no board

279 Id. at *8. 280 Id. at *16. 281 Id. at *6. 282 Id. at *7. 283 Id. 284 Id. 285 Id. 286 Id. at *8. 287 See id. at *16(“The complaint’s allegations support a pleading-stage inference that the board never established its own reasonable system of monitoring and reporting, choosing instead to rely entirely on management.”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 43 All rights reserved

committee responsible for food safety and no reports made on or discussion of food

safety at full board meetings. The audit committee in Hughes did in fact meet, and

allegedly reviewed relevant policies, but they “never met for longer than one hour and

typically only once per year” and did not produce the relevant policies.288 Hughes fits

better as a Type II Caremark claim; the Chancery Court’s muddled approach shows the

doctrinal distinction between Type I and Type II will not be sharply applied.

Hughes is notable because a second vice chancellor responded positively to the

Delaware Supreme Court’s signal in Marchand.289 Caremark’s reinvigoration is not the

private crusade of a single vice chancellor. Hughes is important because the plaintiff’s

claim survived a motion to dismiss despite four previously dismissed securities class

actions filed in the United States District Court for the Southern District in New York. 290

Entrepreneurial plaintiffs’ lawyers will shift from securities class actions to derivative

lawsuits if the latter proves more viable than the former,291 and “plaintiffs’ lawyers have

struggled to get traction with cybersecurity-related securities suits.”292 If a Caremark

claim can succeed where securities claims have failed, it may be time to ask whether

Caremark is still “possibly the most difficult theory in corporation law upon which a

plaintiff might hope to win a judgment,”293 Nor will all securities claims fail. Directors

have to worry about Caremark liability in addition to securities claims, not instead of.

288 Id. at *16. 289 Clovis was decided by Vice Chancellor Slights. In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 19, 2019). Hughes was decided by Vice Chancellor Laster. Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029 (April 27, 2020). 290 Hughes, 2020 WL 1987029, at *8 (citing In re Kandi Techs. Gp. Inc. Sec. Litig., No. 17-civ- 1944, 2019 WL 4918649, at *3–6 (S.D.N.Y. Oct. 4, 2019)). 291 See Pace, supra note 70, at 10 (“Entrepreneurial plaintiffs’ lawyers are always on the hunt for the next viable theory of liability against corporate directors, after all.”) (citations omitted). 292 Kevin LaCroix, Cybersecurity-Related Securities Suit Dismissed, THE D&O DIARY (Sept. 27, 2021), https://www.dandodiary.com/2021/09/articles/securities-litigation/cybersecurity-related- securities-suit-dismissed/. 293 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 967 (Del. Ch. 1996).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 44 All rights reserved

Finally, Hughes is important because “[o]nce is happenstance, twice is coincidence, three

times is enemy action. This is the third time.”294

iii. Teamsters Local v. Chou (AmerisourceBergen) The fourth case in which Delaware courts refused to dismiss a Caremark claim is

Teamsters Local v. Chou.295 Teamsters Local involved Medical Initiatives, Inc.

(“Medical Initiatives”), an indirect but wholly-owned subsidiary of AmerisourceBergen

Corporation (“AmerisourceBergen”).296 Like Caremark itself, Teamsters Local involved

kickbacks in the healthcare context.297

Medical Initiatives systematically removed the manufacturer overfill from vials of

oncology drugs, used them to fill additional syringes, and sold them.298 This was an

unsterile process that left the drugs “so grossly contaminated that particulates were

visible to the naked eye.”299 In addition to the kickbacks and the pooling of overfill,

Medical Initiatives sought to avoid FDA oversight through the use of sham

prescriptions.300 The scheme was profitable, with Medical Initiatives selling over one

million pre-filled syringes per year and netting over $14 million in profit for

AmerisourceBergen per year at its height.301

Much as in Marchand, the facilities and practices used by Medical Initiatives

were unsanitary and dangerous. The vials were designed and approved by the FDA to be

294 IAN FLEMING, GOLDFINGER (1969). 295 No. 2019-0816-SG, 2020 WL 5028065 (Aug. 24, 2020). 296 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *1 (Aug. 24, 2020). AmerisourceBergen owned ASD Specialty Healthcare, LLC d/b/a Oncology Supply, which owned Medical Initiatives. Id. at *3. 297 Id. at *2. 298 Id. at *1. 299 Id. 300 Id. at *2. 301 Id. at *5.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 45 All rights reserved

opened and used once, but Medical Initiatives staff frequently opened them several

times.302 FDA instructed that vials containing visible particulates not be used, but

Medical Initiatives instead filtered the particulates and sold the drugs anyway, to the tune

of 32,000 syringes containing visible particulate in a six-year period.303 “[S]yringes

tested positive for bacteria”; equipment “in the cleanroom tested positive for bacteria in

excess of acceptable levels”; “air in the cleanrooms tested positive for fungal

contamination and/or bacterial contamination.”304 Medical Initiatives responded with

cleaning efforts but did not test to confirm their success or even stop operations during

the cleaning.305 Employees routinely violated basic cleanroom protocols.306 Medical

Initiatives did not notify its customers of any issues.307 Medical Initiatives shut down its

operations in 2014.308

Unsurprisingly, these practices created compliance issues. The plaintiffs alleged

that there were four that were “red flags” under the Caremark framework. First was the

2006 board vote on the capital expenditure necessary to expand Medical Initiative’s

facility.309 The board did not discuss any compliance issues related to the facility.310 But

the Chancery Court saw no red flag at that time; not asking enough questions does not

alone establish a claim under Caremark.311 The second alleged red flag was a report

prepared by the David Polk & Wardwell (“David Polk”) law firm.312 Davis Polk

302 Id. 303 Id. at *6. 304 Id. 305 Id. 306 Id. 307 Id. 308 Id. at *8. 309 Id. at *10. 310 Id. 311 Id. at *19. 312 Id. at *10, 19.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 46 All rights reserved

assessed compliance at AmerisourceBergen and reported its findings to the audit

committee.313 The Davis Polk report flagged that Medical Initiatives was not integrated

into AmerisourceBergen’s compliance program.314 It never was, and the audit committee

never received reports on compliance specific to Medical Initiatives.315 The Chancery

Court saw the Davis Polk report as a red flag that could trigger Caremark liability when

viewed in conjunction with other red flags, even if it would not trigger Caremark liability

by itself.316

The third alleged red flag was concerns raised by Michael Mullen, the former

Chief Operating Officer of the AmerisourceBergen subsidiary that was the parent of

Medical Initiatives.317 Mullen raised concerns about regulatory exposure to other senior

managers and the then-CEO but was let go without his concerns being addressed. 318 The

board was not informed of either Mullen’s concerns nor his termination despite all

severance agreements requiring the approval of the compensation committee.319 After his

termination, Mullen filed a qui tam action under seal that AmerisourceBergen

management did not initially disclose to the board.320 Under a qui tam action, a

whistleblower brings a false claims action on behalf of the government, typically

receiving a cut of the recovery if the action is successful.321 Mullen’s qui tam complaint,

which was inadvertently disclosed publicly, alleged mission critical compliance issues

313 Id. at *10. 314 Id. at *10, 19–20. 315 Id. at *20. 316 Id. at *20. 317 Id. at *11, 21. 318 Id. at *11–12. 319 Id. at *12. 320 Id. at *13. 321 Justice Department Recovers over $3 Billion from False Claims Act Cases in Fiscal Year 2019, THE UNITED STATES DEPARTMENT OF JUSTICE, OFFICE OF PUBLIC AFFAIRS (Jan. 9, 2020), https://www.justice.gov/opa/pr/justice-department-recovers-over-3-billion-false-claims-act-cases- fiscal-year-2019.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 47 All rights reserved

that included overfill by Medical Initiatives.322 The board failed to respond, allowing

Medical Initiatives to continue to operate for another four years.323 As the board knew

about the qui tam action but did not take any remedial action, it was a red flag for

Caremark purposes.324

The fourth alleged red flag was a search warrant that the FDA executed at

Medical Initiative’s facility and a subpoena AmerisourceBergen received from federal

prosecutors.325 The search warrant could not have been a red flag, because the board did

not know about it.326 The subpoena, on the other hand, was disclosed in

AmerisourceBergen’s 10-K. Since it does not appear in the board’s minutes, the

Chancery Court inferred the board knew there was an issue but did not take remedial

action.327

The United States Department of Justice (“DOJ”) filed a criminal information

against AmerisourceBergen in 2017, alleging that it violated the Food and Drug

Commission Act by operating an illegal operation “known to and approved at the highest

levels” of AmerisourceBergen.328 An AmerisourceBergen subsidiary pled guilty, paying

the DOJ $260 million.329 One month later, the subsidiary settled “civil claims under the

False Claims Act for $625 million.”330

322 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *21 (Aug. 24, 2020). 323 Id. 324 Id. at *22–24. 325 Id. at *24. 326 Id. 327 Id. 328 Id. at *7. 329 Id. at *7–8. 330 Id. at *8.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 48 All rights reserved

In Teamsters Local, a third vice chancellor allowed a Caremark claim to survive a

motion to dismiss.331 Notably, Vice Chancellor Glasscock dismissed Caremark claims

both shortly before and shortly after deciding Teamsters Local,332 further confirming the

lack of a split on the court when it comes to Caremark claims.333 Teamsters Local is

important because it demonstrates that red flags are cumulative.334 Teamsters Local is

interesting because the plaintiffs advanced both Type I and Type II claims

simultaneously.335 The nature of the distinction between Type I and Type II means the

two are largely mutually exclusive336; to allege both should be rare. In fact, Teamsters

Local may not have analytically fit as a Caremark claim at all. To the extent that the

plaintiffs were arguing that AmerisourceBergen was operating an illegal business with

the knowledge of the board, a much stricter per se standard would apply rather than either

Caremark test.337

iv. In re The Boeing Company Derivative Litigation

331 Id. Teamsters Local was decided by Vice Chancellor Glasscock and the previous two by Vice Chancellor Slights and Vice Chancellor Laster. 332 Richardson v. Clark, No. 2019-1015-SG, 2020 WL 7861335 (Del. Ch. Dec. 31, 2020); In re Metlife, No. 2019-0452-SG, 2020 WL 4746635 (Del. Ch. Aug. 17, 2020) 333 Vice Chancellor Slights, who sustained a Caremark claim in Clovis, would dismiss two Caremark claims less than one year later. In re GoPro, Inc. S’holder Deriv. Litig., No. 2018-0784- JRS, 2020 WL 2036602 (Del. Ch. Apr. 28, 2020); Pettry v. Smith, No. 2019-0795-JRS (Del. Ch. June 28, 2021). 334 See Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *20 (Aug. 24, 2020) (“[T]he Davis Polk Report serves as a backdrop against which the other pled red flags must be viewed.”). 335 Id. at *17. The Chancery Court ultimately ruled that the Type II claims survived and thus there was no need to reach the Type I claim. Id. at *26. 336 Id. at *21 (“[T]he Plaintiffs plead mutually exclusive occurrences, that is, the Board was not informed of Mullen’s allegations (supporting a “prong one” Caremark claim) and that the Board consciously ignored Mullen’s allegations (supporting a “prong two” Caremark claim).”). See also Lund, Opting Out, supra note 120, at 407 (referring to the post-Stone test as “disjunctive”). 337 See Pace, supra note 70, at 10 (discussing the application of Delaware corporation law in that situation by the U.S. Court of Appeals for the Seventh Circuit in In re Abbott Laboratories Derivative Shareholders Litigation, 325 F.3d 795, 809 (7th Cir. 2003)).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 49 All rights reserved

The fifth and most recent case in which the Chancery Court allowed a Caremark

claim to survive is In re The Boeing Co. Derivative Litigation. Boeing came in the wake

of an even bigger corporate disaster than the Blue Bell listeria—the fatal crashes of two

Boeing 737 MAX airplanes.338 “Boeing is a global aerospace corporation” and “the

largest manufacturing exporter in the United States” with over$ 100 billion in revenue

and $8 billion in profit in 2018.339 But Boeing began falling behind Airbus, its primary

competitor, when Airbus introduced the A320neo.340 To rush a competing airplane into

production, Boeing chose to develop a “derivative plane,” the 737 MAX, that would only

require Federal Aviation Administration (“FAA”) certification for changes from the base

plane, not the entire plane.341 That would prove to be a fatal error.

The larger engine on the 737 MAX shifted the airplane’s center of gravity,

causing the plane to tend to tilt up during flight.342 Boeing responded with a software

solution that would incorrectly push the plane down if a single, temperamental sensor

failed.343 This was a known issue, but a proposed fix was rejected due to “additional cost

and pilot training.344 The pilot could prevent catastrophic results but only if they

responded within ten seconds.345 Boeing convinced the FAA to allow flight training for

the 737 MAX on a tablet computer rather than a flight simulator, a policy it would later

338 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *1 (Del. Ch. Sept. 7, 2021). 339 Id. at *4, 29–30; David Gelles, ‘I Honestly Don’t Trust Many People at Boeing’: A Broken Culture Exposed, THE NEW YORK TIMES (Jan. 13, 2020), https://www.nytimes.com/2020/01/10/business/boeing-737-employees- messages.html?action=click&module=Top. 340 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *19 (Del. Ch. Sept. 7, 2021). 341 Id. at *19–20. 342 Id. at *22. 343 Id. at *22–23. 344 Id. at *23–24. 345 Id. at *24.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 50 All rights reserved

use in its sales pitch for the 737 MAX.346 The issue was raised in neither “airplane

manuals [or] pilot training materials for U.S.-based airlines.”347

In October 2018, a new 737 MAX crashed in the Java Sea off “Indonesia, killing

all 189 passengers and crew.”348 In March 2019, another new 737 MAX crashed in

Ethiopia “shortly after taking off, killing all 157 passengers and crew.”349 Both crashes

were caused by the known software issue.350 Within three days, every major aviation

regulator had grounded the 737 MAX, and the 737 MAX would stay grounded for the

better part of two years.351 The board responded by firing the Boeing CEO.352 Any

scapegoating aside, the financial cost to Boeing was enormous. With litigation ongoing,

Boeing estimated in 2020 “that it had incurred non-litigation costs of $20 billion, and

litigation-related costs in excess of $2.5 billion.”353 Boeing also “consented to the filing

of a criminal information charging [it] with conspiracy to defraud the United States.”354

The plaintiffs’ careful pleading avoids muddling the distinction between Type I

and Type II Caremark claims, arguing that the board’s inaction prior to the first crash

constituted a Type I claim and that its inaction between the first and second crash

constituted both a Type I and Type II claim.355 Boeing’s board fell short in a number of

ways, resulting in “‘a sustained or systematic failure of the board to exercise

346 Id. at *25, 29. 347 Id. at *27. 348 Id. at *32. 349 Id. at *45. 350 Id. at *32, 45. 351 Id. at *45, 48, 58. 352 Id. at *56. 353 Id. at *58. 354 Id. 355 Id. at *70.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 51 All rights reserved

oversight.’”356 Boeing did not have a board directly responsible for monitoring airplane

safety, and “the Audit Committee did not regularly or meaningfully address or discuss

airplane safety.357 The board as a whole did not devote meaningful time to monitoring

safety either.358 It’s first meeting to address the first crash, two months after the crash

occurred, only concerned the “restoration of profitability and efficiency, but not product

safety.”359

Boeing did not have an internal reporting system for whistleblowers.360 The

board did not “expect or demand that management would deliver safety reports or

summaries to” it on a regular basis.361 The board’s reliance on management to report on

safety at their discretion continued after the first crash.362 The Chancery Court

interpreted emails between director—suggesting the devotion of a full board meeting to

safety and on the value of management safety briefings during prior service on another

board—as showing the directors knew their current efforts were inadequate.363

After four cases, another Caremark claim surviving a motion to dismiss should

hardly come as a surprise, but Boeing remains important for a number of reasons. It

confirms that Caremark remains reinvigorated in 2021. It confirms that the logic of

Marchand is not limited to monoline companies364 and emphasizes that Caremark

356 Id. at *71(quoting In re Citigroup Inc. S'holder Deriv. Litig., 964 A.2d 106, 131 (Del. Ch. 2009)). 357 Id. at *74–75. 358 Id. at *76. 359 Id. at *77. 360 Id. at *76. 361 Id. at *80. 362 Id. at *84. 363 Id. at *90. 364 Boeing’s commercial airplane division accounted for “approximately 61.7% of the Company’s revenue in 2017 and 45% of its revenue in 2019,” but Boeing has other divisions and sells commercial airplanes other than the 737 MAX. Id. at *4.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 52 All rights reserved

liability threatens where risks are “mission critical,” a term the opinion uses six times.365

Boeing is important for its careful parsing of when both a Type I and a Type II Caremark

claim could successfully be brought together, even if the opinion does not reach the Type

II claim.366 Boeing is important because it shows that Caremark’s reinvigoration does

not mean that all bad faith claims are similarly reinvigorated: the Chancery Court

dismissed claims related to the compensation paid to the ousted Boeing CEO.367 Boeing

also leaves open the question of whether officers can be liable under the Caremark

doctrine.368 The Boeing decision was written by yet another vice chancellor; four of the

seven sitting chancery judges have now written opinions sustaining Caremark claims.369

e. Reassessing Caremark Doctrine After Marchand et al.

None of the opinions from the 2019–2021 Caremark quintet of cases purport to

change Caremark doctrine. Nor can they be said to change black letter law. Caremark

doctrine is the same today as it was before Marchand. But it is a doctrine with

considerably more bite today than it had before Marchand. Five successful Caremark

claims in a short interval after twenty-five years as “the most difficult theory in

corporation law upon which a plaintiff might hope to win a judgment”370 signals a newly

invigorated doctrine. At the same time, Caremark claims have not become an easy route

to establishing director liability. At least seven Caremark claims have been dismissed

365 Id. at *72–74, 92. 366 Id. at *70, 92–96. 367 Id. at *97–100. 368 Id. at *100–01. 369 See id. (decided by Vice Chancellor Zurn); Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065 (Del. Ch. Aug. 24, 2020) (decided by Vice Chancellor Glasscock); Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029 (April 27, 2020) (decided by Vice Chancellor Laster); In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 19, 2019) (decided by Vice Chancellor Slights). 370 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 967 (Del. Ch. 1996).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 53 All rights reserved

since the Delaware Supreme Court decided Marchand.371 The question, then, is what fact

patterns we can expect to result in successful Caremark claims in the future.

There are three possibilities. The first is that successful Caremark claims will be

limited to monoline companies. The Delaware Supreme Court’s Marchand opinion

stresses that Blue Bell only sold ice cream.372 Clovis was a pharmaceutical start-up with

only three drugs in development,373 and Medical Initiatives’ entire business was putting

drugs from vials into syringes.374 But it was AmerisourceBergen that was the nominal

defendant in the Teamsters Local derivative lawsuit, not AmerisourceBergen’s indirect

subsidiary Medical Initiatives.375 Medical Initiatives was only a small part of

AmerisourceBergen’s total business,376 although, as a large pharmaceutical company,

compliance with FDA regulations was still a “primary regulatory concern” for

AmerisourceBergen.377 And the Hughes court never mentions whether Kandi was a

monoline company, implying that it was not relevant.378 It is unlikely that Marchand

would have been decided differently had Blue Bell also sold Pez dispensers so long as the

financial impact of the listeria outbreak was the same. Blue Bell’s reliance on a single

product made it vulnerable, but it was ultimately the scale of the impact that mattered.

371 Pettry v. Smith, No, 2019-0795-JRS (Del. Ch. June 28, 2021); Richardson v. Clark, No. 2019- 1015-SG, 2020 WL 7861335 (Del. Ch. Dec. 31, 2020); In re GoPro, Inc. S’holder Deriv. Litig., No. 2018-0784-JRS, 2020 WL 2036602 (Del. Ch. Apr. 28, 2020); In re Metlife, No. 2019-0452- SG, 2020 WL 4746635 (Del. Ch. Aug. 17, 2020); Owens v. Mayleben, No. 12985-VCS, 2020 WL 748023 (Del. Ch. Feb. 13, 2020); In re LendingClub Corp., No. 12984-VCM, 2019 WL 5678578 (Del. Ch. Oct. 31, 2019); Rojas v. Ellison, No. 2018-0755-AGB, 2019 WL 3408812 (Del. Ch. July 29, 2019). 372 See, e.g., Marchand v. Barnhill, 212 A.3d 805, 809 (Del. 2019) (“As a monoline company that makes a single product—ice cream—Blue Bell can only thrive if its consumers enjoyed its products and were confident that its products were safe to eat.”). 373 In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *2 (Del. Ch. Oct. 19, 2019). 374 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *1 (Aug. 24, 2020). 375 Id. 376 Id. at *2. 377 Id. at *18. 378 Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029 (April 27, 2020).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 54 All rights reserved

This logic was reaffirmed by the Chancery Court in Boeing, where the 737 MAX was

only one of several commercial airplanes sold by Boeing, with commercial airplanes, as a

whole, accounting for between two- and three-fifths of company revenue.379

The second possibility is that successful Caremark claims will be limited to

highly regulated industries or maybe even only industries regulated by the FDA. Blue

Bell, Clovis, Medical Initiatives were all regulated by the FDA.380 The DOJ is

particularly active in pursuing healthcare companies, with $2.6 billion out of $3 billion

total in 2019 DOJ civil litigation fraud and false claims recoveries coming from

healthcare companies.381 But the FDA is far from the only active regulator, and the food

and drug industries are far from the only heavily regulated industries. Kandi was not

regulated by the FDA.382 Boeing is highly regulated by the FAA and the National

Transportation Safety Board,383 which at least dispenses with the possibility that

successful Caremark claims will be limited to industries regulated by the FDA.

The third and most plausible possibility is that successful Caremark claims will

be limited to mission critical operations. As a “monoline company that makes a single

product,” food safety was an “essential and mission critical” compliance risk for Blue

379 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *4 (Sept. 7, 2021). 380 See Marchand v. Barnhill, 212 A.3d 805, 810 (Del. 2019) (noting that the FDA regulates food safety and that Blue Bell was required to comply with FDA regulations); Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *2 (Aug. 24, 2020) (noting that Medical Initiatives used sham prescriptions to avoid FDA oversight); In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *1 (Del. Ch. Oct. 19, 2019) (“Clovis conducted its clinical trial of Roci subject to strict protocols and associated FDA regulations. Yet, assuming the pled facts are true, the Board ignored red flags that Clovis was not adhering to the clinical trial protocols, thereby placing FDA approval of the drug in jeopardy.”). 381 Justice Department Recovers over $3 Billion from False Claims Act Cases in Fiscal Year 2019, THE UNITED STATES DEPARTMENT OF JUSTICE, OFFICE OF PUBLIC AFFAIRS (Jan. 9, 2020), https://www.justice.gov/opa/pr/justice-department-recovers-over-3-billion-false-claims-act-cases- fiscal-year-2019. 382 Hughes, 2020 WL 1987029. 383 Boeing, No. 2019-0907-MTZ, at *9–10, 79.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 55 All rights reserved

Bell.384 For Clovis, the improperly calculated ORR and failure to follow clinical trial

protocols was “a mission critical failure to comply.”385 For AmerisourceBergen,

compliance with FDA regulations was “absolutely critical to its business.”386 The

Chancery Court in Teamsters Local did not say that the AmerisourceBergen board must

always “actively exercise its oversight duties,” but rather that it must do so “when

regulations governing drug health and safety are at issue,” because compliance with those

regulations is mission critical.387 The Chancery Court in Boeing quotes the term “mission

critical” six times.388

The final remaining question is whether the 2019–2021 Caremark quintet provide

any clarity on the question of whether Caremark doctrine requires underlying unlawful

conduct. Caremark doctrine does not by its own terms require unlawful corporate

conduct.389 Nonetheless, the application of Caremark doctrine shows that the presence of

unlawful corporate conduct really does matter.390 That has not changed. All five cases

from the 2019–2021 Caremark quintet involved unlawful conduct.391 Again, black letter

384 Marchand, 212 A.3d at 809, 824 (emphasis added). 385 In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *15 (Del. Ch. Oct. 19, 2019) (emphasis added). 386 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *18 (Aug. 24, 2020) (emphasis added). 387 Id. See also Shapira, supra note 68, at *9 (“Following Marchand and Clovis, Teamsters Local implies an enhanced oversight duty for ‘mission critical’ risks.”). 388 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *72–74, 92 (Del. Ch. Sept. 7, 2021). 389 See Bainbridge, ERM, supra note 72 at 968 (“There is no doctrinal reason that Caremark claims should not lie in cases in which the corporation suffered losses, not due to a failure to comply with applicable laws, but rather due to lax risk management.”). 390 See Pollman, supra note 53, at 115 (“[C]ourts have drawn a line between the oversight of business risk and legal risk—the former given wide allowance and the latter deemed improper.”) 391 See Marchand v. Barnhill, 212 A.3d 805, 813–15 (Del. 2019) (noting that the FDA was involved in the recall process and also found food contamination and other issues when it inspected Blue Bell’s production facilities); Boeing, No. 2019-0907-MTZ, at *44, 48 (noting that DOJ “opened a criminal investigation into whether Boeing had defrauded the FAA” resulting in a total payment by Boeing of over $2.5 billion and that all major aviation regulators grounded the 737 MAX); Teamsters Local, 2020 WL 5028065, at *6–8 (noting that the DOJ filed a criminal information against an AmerisourceBergen subsidiary for violating the Food and Drug

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 56 All rights reserved

Caremark doctrine has not changed. But as to this particular aspect, at least, the

application remains the same. It seems unlikely that a claim not tied to underlying

unlawful corporate conduct would succeed.

Success on a Caremark claims remains hard enough to find even with unlawful

corporate conduct. But mission criticality will be determined based on overall impact,

not just on the direct impact of the unlawful corporate conduct. Blue Bell would have

suffered a severe customer backlash after the listeria outbreak even if it had not been

legally obligated to recall its products. Clovis’ business was devastated because its most

promising drug did not work; this would have been the case regardless of whether they

faced FDA sanction.

The bottom line is that the black letter law is the same, but its application is much

more vigorous. The Caremark standard may not quite be the great hurdle it has

traditionally been, but nor is it easily surmounted. The conscious disregard standard

remains.392 All five cases from the 2019–2021 Caremark quintet qualify as egregious.393

But it does not necessarily follow that a newly reinvigorated Caremark doctrine will

continue to lead to two or more successful Caremark claims every year. Caremark has

Commission Act and that it subsequently pled guilty to violations); Hughes v. Hu, No. 2019-0112- JTL, 2020 WL 1987029, at *8 (April 27, 2020) (noting that the company faced four unsuccessful securities class actions); In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *8–10 (Del. Ch. Oct. 19, 2019) (noting that the FDA voted to delay action on the drug in question and that both an SEC complaint and securities class action were filed against Clovis and its CEO and CFO). 392 Compare Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006) (“Where directors fail to act in the fact of a known duty to act, thereby demonstrating a conscious disregard for the responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.”) (emphasis added) (citing In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 67 (Del. 2006); Guttman v. Huang, 823 A.2d 492, 506 (Del. CH. 2003)) with Marchand, 212 A.3d at 821 (quoting language from Stone). 393 The one possible exception is Teamsters Local. What happened at Medical Initiatives was egregious, but Medical Initiatives was a mere indirect subsidiary of AmerisourceBergen and only accounted for a small part of its overall business. It may not have been egregious when considered at the level of the parent company.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 57 All rights reserved

more bite than it used to, but avoiding Caremark liability is something entirely within a

board’s power. Just as “Caremark spurred the development of corporate internal

controls,”394 the 2019–2021 Caremark quintet will spur greater board attention to internal

controls.

Caremark doctrine’s reinvigoration has already been tested in the cybersecurity

context, with inconclusive results. Directors of Marriott International, Inc. (“Marriott”)

were sued in a derivative action filed on December 3, 2019 after discovery of “a data

breach that had exposed the personal information of up to 500 million guests.”395 Not

only was this “one of the biggest data breaches in history,” it exposed the “names,

passport numbers, birth dates, email and mailing addresses, [and] payment card details”

of hotel guests.396

Marriott had continued to run the allegedly deficient reservation system of

Starwood Hotels and Resorts (“Starwood”) after acquiring Starwood in 2016.397 Marriott

was alerted “that an unknown user had run a query in Starwood’s guest reservation

database” on September 7, 2018.398 Marriott’s outside investigators discover malware on

the Starwood system ten days later.399 CEO Arne Sorenson notified the board the next

day, just eleven days after Marriott’s first inklings of a data breach.400 Both the audit

committee and the full board would receive regular updates from management as the

investigation continued.401 Marriott publicly announced the data breach on November

394 See Fairfax, supra note 69, at 439. 395 Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *1, 16 (Del. Ch. Oct. 5, 2021). 396 Id. at *13 397 Id. at *1. 398 Id. at *11. 399 Id. 400 Id. at *12. 401 Id.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 58 All rights reserved

30, 2018.402 The legal fallout was significant. Marriott faced investigations by state

attorneys general (all of them), the SEC, the FTC, and Congress and “class action

lawsuits for violations of federal securities laws, violations of state and federal consumer

protection laws, and violations of state disclosure laws.”403

The Chancery Court dismissed the Caremark claims against the Marriott directors

because they “were ‘routinely apprised’ on cybersecurity risks and mitigation, provided

with annual reports . . . that specifically evaluated cyber rusks, and engaged outside

consultants to improve and auditors to audit corporate cybersecurity practices.”404 Red

flags were reported to the board, and management took a number of steps to remediate

those failures, even if those efforts were ultimately unsuccessful.405

Another Caremark suit related to a cyber incident (actually two) was filed in

April 2020 against directors of Laboratory Corporation of America Holdings

(“LabCorp”) and bears watching.406 The first exposed names and addresses, social

security numbers, medical information, and credit card information were exposed for

over ten million LabCorp patients, and the second exposed over 10,000 documents, often

including social security numbers and medical information.407 LabCorp disclosed the

first breach only after disclosure by another company and news reports and disclosed the

second in a press release rather than directly to affected customers or in an SEC filing.408

402 Id. at *13 403 Id. at *14. 404 Id. at *35. 405 Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *35–36, 44 (Del. Ch. Oct. 5, 2021). 406 Compl., Eugenio v. Berberian, No. 2020-0305-PAF (Del. Ch. filed Apr. 28, 2020). 407 Id. at ¶¶ 2–5, 8, 9, 12, 196. 408 Id. at ¶¶ 9, 11, 109–12, 200.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 59 All rights reserved

LabCorp was subsequentially sued in a class action for a number of claims409 and “spent

$11,500,000 during 2019 for response and remediation costs” for the first breach

alone.410

LabCorp was subsequently sued in a class action for “negligence, negligence per

se, unjust enrichment, breach of contract, and multiple violations of state health care

information acts, privacy acts, and identify theft protection acts.”411 The data breaches

will prove expensive for LabCorp. In addition to any legal fees and settlement or

judgment costs associated with the class action, this derivative lawsuit, and any

government enforcement actions, LabCorp “spent $11,500,000 during 2019 for response

and remediation costs” for the first breach alone.412

LabCorp had both an audit committee (with cybersecurity responsibilities) and a

quality and compliance committee.413 Management reported regularly to the audit

committee and full board on cybersecurity.414 The plaintiff alleges both Type I and Type

II Caremark violations.415 Per the complaint, the directors “failed to implement . . .

effective internal controls,” failed to monitor legal compliance, failed “to ensure that

[LabCorp] utilized proper cybersecurity safeguards,” and failed “to have a sufficient

incident response plan to immediately respond to the Data Breaches” (allegations of a

Type I claim).416 But the complaint also alleges that the directors “refused to act in the

fact of numerous red flags demonstrating the insufficient data security practices of its

409 Id. at ¶¶ 13–14 (citing Am. Medical Collection Agency, Inc. Customer Data Security Breach Litig., No. 19-md-2904 (MCA)(MAH) (D.N.J. filed July 31, 2019)). 410 Id. at ¶¶ 16, 209. 411 Id. at ¶¶ 13–14 (citing Am. Medical Collection Agency, Inc. Customer Data Security Breach Litig., No. 19-md-2904 (MCA)(MAH) (D.N.J. filed July 31, 2019)). 412 Id. at ¶¶ 16, 209. 413 Id. at ¶¶ 78–80, 82, 235. 414 Id. at ¶¶ 191, 192, 232. 415 Id. at ¶¶ 18, 246. 416 Id. at ¶ 85.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 60 All rights reserved

vendor . . . and the internal [LabCorp] practices, and failed to implement controls

designed to protect against a data breach” (allegations of a Type II claim).417

III. TECHNOLOGICAL CHALLENGES TO CORPORATE GOVERNANCE

Within the last two decades alone, rapid technological change has created a daily

struggle to keep pace by both corporate boards,418 and regulators alike.419 New

technologies such as: those based on the blockchain;420 the Internet of Things (IoT);421

growth in adoption of virtual currencies and payment systems;422 privacy issues;423 and

cybersecurity vulnerabilities424 are responsible for consuming considerable board

417 Id. at ¶ 237. 418 See Lawrence J. Trautman, Rapid Technological Change and U.S. Entrepreneurial Risk in International Markets: Focus on Data Security, Information Privacy, Bribery and Corruption, 49 CAPITAL U. L. REV. 67 (2021), https://ssrn.com/abstract=2912072. 419 See Neal Newman & Lawrence J. Trautman, Securities Law: Overview and Contemporary Issues, 16 OH. ST. BUS. L.J. (2021), http://ssrn.com/abstract=3790804. Lawrence J. Trautman & George P. Michaely, The SEC & The Internet: Regulating the Web of Deceit, 68 CONSUMER FIN. L. Q. REP. 262 (2014), http://www.ssrn.com/abstract=1951148. 420 See Lawrence J. Trautman & Mason J. Molesky, A Primer for Blockchain, 88 UMKC L. REV. 239 (2019), https://ssrn.com/abstract=3324660; Lawrence J. Trautman, Virtual Art and Non- fungible Tokens, 50 HOFSTRA L. REV. (forthcoming), http://ssrn.com/abstract=3814087. 421 See Lawrence J. Trautman, Mohammed T. Hussein, Louis Ngamassi & Mason Molesky, Governance of The Internet of Things (IoT), 60 JURIMETRICS 315 (2020), http://ssrn.com/abstract=3443973; Lawrence J. Trautman & Peter C. Ormerod, Industrial Cyber Vulnerabilities: Lessons from Stuxnet and the Internet of Things, 72 U. MIAMI L. REV. 761 (2018), http://ssrn.com/abstract=2982629. 422 See Lawrence J. Trautman & Alvin C. Harrell, Bitcoin Versus Regulated Payment Systems: What Gives?, 38 CARDOZO L. REV. 1041 (2017), http://ssrn.com/abstract=2730983; Lawrence J. Trautman, E-Commerce, Cyber and Electronic Payment System Risks: Lessons from PayPal, 17 U.C. DAVIS BUS. L. J. 261 (2016), http://www.ssrn.com/abstract=2314119; Lawrence J. Trautman, Bitcoin, Virtual Currencies and the Struggle of Law and Regulation to Keep Pace, 102 MARQ. L. REV. 447 (2018), https://ssrn.com/abstract=3182867; Lawrence J. Trautman, Is Disruptive Blockchain Technology the Future of Financial Services?, 69 CONSUMER FIN. L. Q. REP. 232 (2016), http://ssrn.com/abstract=2786186; Lawrence J. Trautman, Virtual Currencies: Bitcoin & What Now After Liberty Reserve, Silk Road, and Mt. Gox?, 20 RICH. J. L. & TECH. 13 (2014), http://www.ssrn.com/abstract=2393537. 423 See Lawrence J. Trautman, Governance of the Facebook Privacy Crisis, 20 PITT. J. TECH. L. & POL’Y 41 (2020), http://ssrn.com/abstract=3363002; Lawrence J. Trautman, How Google Perceives Customer Privacy, Cyber, E-Commerce, Political and Regulatory Compliance Risks, 10 WM. & MARY BUS. L. REV. 1 (2018), https://ssrn.com/abstract=3067298. 424 See Lawrence J. Trautman, Mohammed T. Hussein, Emmanuel U. Opara, Mason J. Molesky and Shahedur Rahman, Posted: No Phishing, 8 EMORY CORP. GOV. & ACCT. REV. 39 (2021), http://ssrn.com/abstract=3549992; David D. Schein & Lawrence J. Trautman, The Dark Web and Employer Liability, 18 COLO. TECH. L.J. 49 (2020), http://ssrn.com/abstract=3251479.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 61 All rights reserved

attention and resources.425 Following the highly disruptive Covid-19 pandemic,426 to be

expected, board nominating committees are challenged to recruit experienced talent

having backgrounds and experience in computer science and cybersecurity issues.427

Recently, many boards assign cyber risk oversight to the audit committee,428 while others

have a designated “risk” committee.429

IV. GOOD FAITH CYBERSECURITY

Cyberthreats have become so pervasive and dangerous that cybersecurity is now

mission critical to every publicly traded U.S. company. For publicly traded U.S.

companies incorporated in Delaware—and over two-thirds of the Fortune 500 are430—the

reinvigoration of Caremark and the rise of cyberthreats combine to create a serious

425 See Lawrence J. Trautman, The Board’s Responsibility for Crisis Governance, 13 HASTINGS BUS. L. J. 275 (2017), http://ssrn.com/abstract=2623219; Lawrence J. Trautman, Managing Cyberthreat, 33 SANTA CLARA HIGH TECH. L.J. 230 (2016), http://ssrn.com/abstract=2534119. 426 See U.S. Congresswoman Eddie Bernice Johnson & Lawrence J. Trautman, The Demographics of Death: An Early Look at Covid-19, Cultural and Racial Bias in America, 48 HASTINGS CONST. L.Q. 357 (2021), http://ssrn.com/abstract=3677607. 427 See Lawrence J. Trautman, The Matrix: The Board’s Responsibility for Director Selection and Recruitment, 11 FLA. ST. U. BUS. REV. 75 (2012), http://www.ssrn.com/abstract=1998489; Mohammed T. Hussein, Lawrence J. Trautman & & Reginald Holloway, Technology Employment, Information and Communications in the Digital Age, http://ssrn.com/abstract=3762273. 428 See Lawrence J. Trautman, Who Qualifies as an Audit Committee Financial Expert Under SEC Regulations and NYSE Rules?, 11 DEPAUL BUS. & COMM. L.J. 205 (2013), http://www.ssrn.com/abstract=2137747; Lawrence J. Trautman, Who Sits on Texas Corporate Boards? Texas Corporate Directors: Who They Are and What They Do, 16 HOU. BUS. & TAX L. J. 44 (2016), http://ssrn.com/abstract=2493569. 429 See Lawrence J. Trautman, Seletha Butler, Frederick Chang, Michele Hooper, Ron McCray & Ruth Simmons, Corporate Directors: Who They Are, What They Do, Cyber and Other Contemporary Challenges, 70 BUFFALO L. REV. (forthcoming), http://ssrn.com/abstract=3792382. 430 2020 Annual Report Statistics, DELAWARE DIVISION OF CORPORATIONS 1 (2020), https://corpfiles.delaware.gov/Annual-Reports/Division-of-Corporations-2020-Annual-Report.pdf. Caremark doctrine is specific to Delaware, but the influence of Delaware corporation law and Delaware courts means that changes to Caremark doctrine can affect the law in other states as well. See, e.g., In re Cardinal Health Inc. Deriv. Litig., No. 2:19-cv-2491, 2021 WL 425966 (S.D. Oh. Feb. 8, 2021) (denying a motion to dismiss claims under Ohio law against directors for failing to provide good faith oversight by responding to red flags related to the opioid epidemic and violations of the Controlled Substances Act). But see Keith Paul Bishop, Still No California Caremark?, CAL. CORP. & SECURITIES LAW (Jan. 28, 2021), https://www.calcorporatelaw.com/still-no-california-caremark (“Although a quarter century has passed, the California courts have yet to adopt Caremark as the standard of liability for directors of California corporations.”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 62 All rights reserved

danger of director liability. Directors who fail to ensure that the corporation addresses

cybersecurity at the board level are exposing themselves to liability. Luckily for

directors, the Marchard opinion lays out a roadmap for boards asking what constitutes

“good faith.”

The first and most important principle is that cybersecurity is too important to

simply delegate to management, even if management is competent and puts extensive

processes and protocols in place. The board must take an active hand, even if

management remains the primary actors in the space. Just what that active hand looks

like is “context- and industry-specific,”431 but Blue Bell’s deficiencies translate well to

the cybersecurity context.

A board committee should either be devoted entirely to cybersecurity or have

cybersecurity as a significant part of its portfolio.432 It is common to give

responsibility over cybersecurity to the audit committee.433 This is probably a mistake.

Cybersecurity is too technical to give to a committee with an existing need for a different

set of skills and expertise.434 An audit committee will already have a substantial portfolio

unrelated to cybersecurity.435 An audit committee that is responsible for cybersecurity

431 Marchand v. Barnhill, 212 A.3d 805, 821 (Del. 2019). 432 Cf. id at 822 (Del. 2019) (noting that “no board committee that addressed food safety existed”). See also Guttman v. Huang, 823 A.2d 492, 506–07 (Del. Ch. 2003) (noting that a contention such as the lack of an audit committee is vital to a Caremark claim). 433 Savarese, supra note 83. See also Armour, Board Compliance, supra note 45, at 1198 (“One approach towards formalizing board oversight of compliance is for boards to add compliance to the remit of their audit committees.”). 434 Cybersecurity is also too important for the full board to avoid altogether. 435 See Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *5 (April 27, 2020) (inferring that “there was no possible way that the Audit Committee could have fulfilled all of the responsibilities it was given under the Audit Committee Charter” when it met for less than an hour a year after its last meeting).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 63 All rights reserved

but does not discuss cybersecurity on a regular basis invites a Caremark claim.436 But

very few (less than ten percent) of corporations have a compliance or cybersecurity

committee.437 Even if multiple committees have cybersecurity responsibilities, a court is

likely to focus on the committee with the most significant cybersecurity

responsibilities.438 Creating a dedicated cybersecurity committee “can help communicate

that the board hears [cybersecurity] concerns and takes them seriously.”439

The responsible committee must meet on a regular basis, meet for a sufficient

duration, and devote sufficient time during the meeting to cybersecurity if the

committee’s portfolio also includes unrelated issues.440 The members of the responsible

committee must have sufficient expertise to monitor the company’s cybersecurity

efforts,441 and the effectiveness of the committee should be reviewed by the full board on

an annual basis.442 The “mere existence” of a committee responsible for cybersecurity is

436 Cf. Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *9 (Aug. 24, 2020) (noting that the full board “did not set aside a portion of Board meetings devoted to drug safety and compliance”). 437 Armour, Board Compliance, supra note 45, at 1225; Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025, GARTNER (Jan. 28, 2021), https://www.gartner.com/en/newsroom/press-releases/2021-01-28-gartner-predicts-40--of-boards- will-have-a-dedicated-. 438 Cf. Teamsters Local, 2020 WL 5028065, at *9 (noting that all board committees but the executive committee had risk oversight responsibility but otherwise focusing on the audit committee in its analysis). 439 Paul DeNicola, Questions to Ask Before Forming a New Board Committee, Harvard Law School Forum on Corporate Governance (Oct. 10, 2021), https://corpgov.law.harvard.edu/2021/10/10/questions-to-ask-before-forming-a-new-board- committee/. 440 See Hughes, 2020 WL 1987029, at *16 (“[T]he Audit Committee never met for longer than one hour and typically only once per year. . . . The plaintiff is entitled to the inference that the board was not fulfilling its oversight duties.”); Gutman v. Huang, 823 A.2d 492, 507 (Del. Ch. 2003) (noting that an allegation that “the company had an audit committee that met only sporadically and devoted patently inadequate time to its work” can sustain a Caremark claim). 441 See Hughes, 2020 WL 1987029, at *15 (noting that the audit committee “lacked the expertise necessary to” provide the required oversight, forcing it to instead defer to management). 442 See id. at *4 (listed weaknesses disclosed in the company’s 10-K, which included not evaluating the effectiveness of the audit committee).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 64 All rights reserved

not enough to defeat liability.443 And establishing a board committee after a major data

breach may be too little, too late, as Boeing found when it only created an Aerospace

Safety Committee after two fatal crashes.444 Companies may be sluggishly rising to the

challenge, with one technology consultancy predicting that “[b]y 2025, 40% of boards of

directors will have a dedicated cybersecurity committee overseen by a qualified board

member.”445

Protocols should be set to require management to report to the board on

cybersecurity “compliance practices, risks, or reports.”446 In Stone v. Ritter, for

example, the board “enacted written policies and procedures designed to ensure

compliance with . . . regulations.”447 In Hughes v. Hu, the audit committee allegedly

approved a number of policies and procedures but did not produce them in response to a

Section 220 request so the Chancery Court inferred they did not in fact exist.448 In

Boeing, the board relied on “intermittent, management-initiated communications” about

safety.449 In Teamsters Local, neither the audit committee nor the full board received

reports on compliance at Medical Initiatives,450 in contrast with both the audit committee

443 See id. at *14 (noting the same in the context of an audit committee and accounting irregularities) (comparing Ash v. McCall, 2000 WL 1370341, at *15 n.57 (Del. Ch. Sept. 15, 2000) with Rich ex rel. Fuqi Int’l, Inc. v. Yu Kwai Chong, 66 A.3d 963, 983 (Del. Ch. 2013)). 444 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *53 (Del. Ch. Sept. 7, 2021). 445 Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025, GARTNER (Jan. 28, 2021), https://www.gartner.com/en/newsroom/press-releases/2021-01-28- gartner-predicts-40--of-boards-will-have-a-dedicated-. 446 Marchand v. Barnhill, 212 A.3d 805, 822 (Del. 2019). 447 Stone v. Ritter, 911 A.2d 362, 372 (Del. 2006). 448 See Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *4–5 (April 27, 2020) (inferring that a “sales contract entered into with Eliteway [Kandi USA],” “Approval Procedures for Relationship Transaction,” “Internal Audit Activity Charter,” and “Management Policy on Related-Party Transactions.” Kandi may have hoisted itself on its own petard. It did not produce an “Audit Committee Charter,” but that charter did in fact exist and was available publicly so the Chancery Court credited its existence. Id., at *5. It may be that the Chancery Court punished Kandi for other documents that did in fact exist because Kandi failed to produce them. 449 Boeing, No. 2019-0907-MTZ, at *80. 450 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *10 (Aug. 24, 2020)

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 65 All rights reserved

and the full board in Marriott receiving regular reports on cybersecurity.451 Compliance

officers are reporting to the board more often,452 but they must report specifically on

cybersecurity.453 The board should receive reports from multiple members of

management rather than rely exclusively on a compliance officer.454

The board must discuss cybersecurity on a regular basis.455 It should discuss

cybersecurity during or after any serious cyber incident, of course. But it should also

discuss cybersecurity issues on a regular basis regardless of whether there was recently a

cyber incident.456 Generic discussion of compliance are not enough; the board and

relevant committees should discuss cybersecurity discretely and document the same.457

Regular time should be set aside to discuss cybersecurity.458 In Stone v. Ritter, for

example, the audit committee oversaw Bank Secrecy Act and anti-money laundering

regulation compliance quarterly and received training on the same annually.459 The

451 Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *35 (Del. Ch. Oct. 5, 2021). 452 See Shapira, supra note 68, at *23 (“The proliferation of compliance personnel within organizations, and the credible threat of liability they face, have gradually increased the chances that these compliance officers will report to the board on thorny aspects of the company’s compliance.”). 453 See Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *2 (Del. Ch. Oct. 5, 2021) (“Cybersecurity has increasingly become a central compliance risk deserving of board level monitoring.”). 454 See Sean Joyce, et al., Principles for Board Governance of Cyber Risk, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (June 10, 2021) (“Directors, recognizing that cyber risk is an enterprise-wide concern, should look to a variety of executives and managers in order to ascertain the full impact of cyber risk on the organization. Each member of the management team has a responsibility to understand the impact of cyber risk within her or his remit and can therefore support the board’s effort to develop a holistic view.”). 455 See Marchand v. Barnhill, 212 A.3d 805, 822 (Del. 2019) (noting “the board minutes are devoid of any suggestion that there was any regular discussion of food safety issues”). 456 Id. (noting there was “no schedule for the board to consider on a regular basis, such as quarterly or biannually, any key food safety risks existed”). 457 Cf. Teamsters Local, 2020 WL 5028065, at *20 (discounting discussion of a report on compliance and efforts to increase oversight over compliance because it was unclear whether it “targeted the mission critical compliance risk that undergirds the Complaint”). 458 Cf. id. at *9 (noting that “the Board did not set aside a portion of Board meetings devoted to drug safety and compliance”). 459 Stone v. Ritter, 911 A.2d 362, 372 (Del. 2006).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 66 All rights reserved

board cannot simply defer to management on mission critical matters such as

cybersecurity.460

Red flags should be reported up to the board.461 Type II Caremark claims can

result in liability where directors ignore red flags. After Marchand, Type I Caremark

claims can result in liability where directors do not ensure that they see red flags. Focus

is on board action, not management action. Management may hide red flags from the

board, but the board must take steps to attempt to prevent that. One option is for the

officer charged with cybersecurity to report directly to the relevant board committee

rather than to the CEO or another officer.462 That officer should at the very least have

board-level reporting obligations.463 To trigger liability under Caremark, red flags must

be “numerous, serious, directly in front of the directors, and indicative of a corporate-

wide problem.”464 The third requirement—“directly in front of the directors”—cannot be

circumvented by the board simply not getting reports from management. Red flags

460 See Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *16 (April 27, 2020) (“Caremark envisions some degree of board-level monitoring system, not blind deference to and complete dependence on management.”). The recent line of Caremark decisions, then, resurrect Smith v. Van Gorkom’s, 488 A.2d 858 (Del. 1985) suspicion of excessive board deference to management. See Hill & McDonnell, supra note 69, at 1780 (discussing Van Gorkom). 461 See Marchand v. Barnhill, 212 A.3d 805, 822 (Del. 2019) (noting that management received reports containing “red, or at least yellow, flags” that were not “disclosed to the board”). 462 See Hughes, 2020 WL 1987029, at *4 (noting that the company’s 10-K described the head of internal audit reporting to the CEO rather than the audit committee as impairing internal audit’s objectivity and independence). See also Armour, Board Compliance, supra note 45, at 1218 (“Moreover, it is increasingly thought that a direct channel of reporting from compliance to the board is a means of fostering not only autonomy within the compliance program but also an open upward transmission of information.”) (citing U.S. DEP’T OF JUSTICE, CRIMINAL DIV., FRAUD SECTION, EVALUATION OF CORPORATE COMPLIANCE PROGRAMS (2014), https://www.justice.gov/criminal-fraud/page/file/937501/download (last updated June 2020)). 463 Cf. id. at *9, 11 (noting that the Corporate Security and Regulatory Affairs unit had “no Board- level reporting obligations” and that the Ethics Committee did not appear to report to the board). 464 Regina F. Burch, Director Oversight and Monitoring: The Standard of Care and the Standard of Liability Post-Enron, 6 WYO. L. REV. 481, 498 (2006).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 67 All rights reserved

should be considered cumulatively.465 The board must also respond to and follow up on

red flags, not just passively receive reports on them.466 And it must respond to red flags

that it learns of outside of normal management channels.467

Board reports on cybersecurity must include unfavorable information, not

just favorable information.468 Again, management might hide unfavorable information,

but the board must take steps to ensure they receive the bad with the good, including by

asking hard questions of members of management presenting on cybersecurity.469 Nor

can the board receive unfavorable information passively.470 The board must take

appropriate action when presented with mission critical compliance issues.471 The board

should follow up on remediation efforts472 rather than simply direct management to do

so.473

465 See Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *20 (Aug. 24, 2020) (“[T]he Davis Polk Report serves as a backdrop against which the other pled red flags must be viewed.”). 466 See id. at *20 (“Defendants have not pointed to any part of the Section 220 production that refers to actions taken with regard to the shortcomings at [Medical Initiatives] concerning mission critical drug health and safety regulations.”). 467 See In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *94 (Del. Ch. Sept. 7, 2021) (noting that “the Board did not require an internal system to learn about the Lion Air Crash and the attendant MCAS failures[,] . . . a red flag . . . that the Board should have heeded but instead ignored”). 468 See Marchand v. Barnhill, 212 A.3d 805, 822 (Del. 2019) (noting “the board was given certain favorable information about food safety by management, but was not given important reports that presented a much different picture”). See also In re The Boeing Co. Deriv. Litig., No. 2019-0907- MTZ, at *53 (Del. Ch. Sept. 7, 2021) (“Management’s ad hoc reports were also one-sided at best and false at worst.”). 469 See Boeing, No. 2019-0907-MTZ, at *80 (faulting the board for “not press[ing] for further information” when management reported on safety). 470 See id. at *80 (faulting the board for “passively accept[ing] management’s assurances and opinions”). 471 See Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *25 (Aug. 24, 2020) (“The defendants have put forth nothing from the Section 220 production showing a tangible reaction to—as opposed to a review of—the mission critical compliance failures at [Medical Initiatives].”). 472 See id. at *21–25 (ruling that red flags triggered Caremark in part because the audit committee and full board did not present documentation of remediation efforts or of otherwise following up to confirm issues were addressed). 473 See id. at *12 (Aug. 24, 2020) (noting that the audit committee directed management follow up on recommendations in a law firm report on compliance deficiencies).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 68 All rights reserved

The board should make “use of third-party monitors, auditors, or

consultants.”474 It will necessarily rely on those third parties, but it cannot display

“blind deference to and complete dependence on” them.475 The Delaware courts have a

long history of encouraging boards to make use of third parties; “more reliance on and

more fees for lawyers, investment bankers, accountants, management consultants, and

economists” was one of the lessons of Smith v. Van Gorkom, after all.476 The Chancery

Court in Marriott specifically credited the directors for leveraging outside consultants

and auditors to improve company cybersecurity practices.477 Third-party reports that the

board will be unwilling to produce in an attempt to protect attorney-client privilege will

be of limited use in defending a Caremark claim, though.478

Board minutes should reflect the above. Marchand was decided on a motion to

dismiss, settling before trial.479 The Chancery and Supreme Court decisions, then, were

made on the basis of board minutes and other board documents appended to the

complaint. Board discussion of cybersecurity not reflected in the minutes is of limited to

no value at the motion to dismiss stage, and it is on that ground that Caremark battles will

continue to be fought. Dissident shareholders will have access to board minutes and

supporting materials under Section 220 of the Delaware General Corporation Law, and

474 Marchand v. Barnhill, 212 A.3d 805, 823–24 (Del. 2019). 475 Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *16 (April 27, 2020). 476 See Leo Herzel & Leo Katz, Smith v. Van Gorkom: The Business of Judging Business Judgment, 41 BUS. LAW. 1187, 1191 (1985) (criticizing the formalism of Smith v. Van Gorkom for incentivizing board reliance on experts). 477 Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *35 (Del. Ch. Oct. 5, 2021). 478 See Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *23 (Aug. 24, 2020) (“It is unclear what Ober Kaler’s recommendations were because the report was withheld as privileged. . . . Consequently, without knowing what these recommendations were, it is not possible at this time to draw an inference regarding the extent of the measures implemented.”). 479 As is typically the case for Caremark claims.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 69 All rights reserved

Delaware courts will expect them to take full advantage.480 A books and records request

by the plaintiff in Stone v. Ritter, for example, produced a company-wide, board-enacted

Bank Secrecy Act and anti-money laundering regulation policy that was appended to the

plaintiff’s complaint.481 Conversely, if the corporation fails to produce relevant

documents, the Chancery Court will assume that it does not exist.482 This includes where

documents are referenced in board documents but not produced.483 Books and records

request have been an important step in successful Caremark claims.484

Compliance with government regulations alone is not enough. The Delaware

Supreme Court rejected the defense that Blue Bell complied with FDA regulations.485

Nor did compliance with FAA regulations save the Boeing directors, because it is not

evidence of board-level oversight and it is board-level oversight that Caremark

measures.486 Government regulations are a floor, not a ceiling. And, again, there is a

laser focus on the board that may not have been present in Caremark opinions pre-

Marchand.

480 See, e.g., Savarese, supra note 83 (“Stockholder inspection demands to review a company’s books and records, including board- and committee-level minutes, in preparation for litigation are increasingly common and allowed by the courts where legal requirements are met.”). 481 Stone v. Ritter, 911 A.2d 362, 372 (Del. 2006). 482 See Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *2 (April 27, 2020) (“Given this stipulation [that materials requested and not produced do not exist] if [Kandi Technologies] failed to produce a document that it would reasonably be expected to possess if a particular event had occurred, then the plaintiff is entitled to a reasonable inference that the event did not occur.”) (citing Morrison v. Berry, 191 A.3d 268, 275 n.20 (Del. 2018)). 483 See, e.g., id. at *4 (“The Audit Committee also purportedly reviewed a document titled ‘Approval Procedures of Relationship Transaction.’ The Company failed to produce this document in response to the plaintiff’s inspection demand. It is reasonable to infer that the Audit Committee did not receive or review this document.”). 484 Teamsters Local v. Chou, No. 2019-0816-SG, 2020 WL 5028065, at *2 (Aug. 24, 2020); Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *2 (April 27, 2020); In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *9 (Del. Ch. Oct. 19, 2019). 485 Marchand v. Barnhill, 212 A.3d 805, 823 (Del. 2019) 486 In re The Boeing Co. Deriv. Litig., No. 2019-0907-MTZ, at *79 (Del. Ch. Sept. 7, 2021) (relying on Marchand, 212 A.3d at 823).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 70 All rights reserved

Boards must respond as appropriate to cybersecurity incidents and known

cybersecurity vulnerabilities. Marchand involved a Type I Caremark claim. After

Marchand, keep-your-head-in-the-sand is no longer a viable strategy for directors

seeking to avoid liability. The specter of Type II claims remains, though. Directors must

take steps to ensure red flags are raised to the board; once they have been, they cannot be

ignored without risking a Type II claim.

i. The Role of Positive Law in Caremark Claims

Under both the original analytical framework in Caremark and as revised and

restated in Stone v. Ritter, underlying unlawful corporate activity is not a predicate to

Caremark liability.487 But underlying unlawful corporate activity has been ubiquitous to

high-profile Caremark claims, whether successful or unsuccessful. The Chancery Court

in Clovis emphasized the importance of the presence of a regulatory scheme and relevant

positive law to a successful Caremark claim.488

A Caremark claim remains highly unlikely to survive a motion to dismiss without

an allegation of underlying unlawful corporate conduct. But damages for a successful

Caremark claim will not be limited to the direct injury from, say, an SEC enforcement

487 See Bainbridge, ERM, supra note 72 at 968 (“There is no doctrinal reason that Caremark claims should not lie in cases in which the corporation suffered losses, not due to a failure to comply with applicable laws, but rather due to lax risk management.”). But see Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *32 (Del. Ch. Oct. 5, 2021) (citations omitted); Pollman, supra note 53, at 115 (“[C]ourts have drawn a line between the oversight of business risk and legal risk—the former given wide allowance and the latter deemed improper.”); Fairfax, supra note 69, at 427–28 ([I]n . . . Citigroup . . . , the Delaware Supreme Court appeared to indicate that oversight liability could not be extended to board inattentiveness related to business risks”) (citing In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106, 123 (Del. Ch. 2009)). 488 In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222-JRS, 2019 WL 4850188, at *12 (Del. Ch. Oct. 19, 2019).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 71 All rights reserved

action. Other monetary harm and reputational harm can also be recovered.489 While

there must be “a causal nexus between the breach of fiduciary duty and the corporate

trauma,”490 it is only the breach of fiduciary duty that must be tied to unlawful corporate

conduct. The corporate trauma can and has reached much further. The claim in

Marchand survived a motion to dismiss because food safety is heavily regulated in the

United States, but Blue Bell would have suffered a massive, negative fallout regardless,

simply because customers will avoid a product that recently killed multiple people. The

same is true for Boeing. Under Delaware Supreme Court precedent, damages for a

breach of fiduciary duty are to be calculated liberally.491 Damage models an include

incidental damages such as the cost to fix the issue, reputational harm, and the cost to

defend resulting lawsuits.492

The Chancery Court’s recent decision in Marriott493 would seem to undercut

much of the above. Investigations by dozens of government bodies and multiple class

actions on multiple theories were not enough for the court.494 The court refused to

consider pending lawsuits against Marriott in part because they were not brought against

the directors personally.495 The court stated that “[s]imply listing statutes ‘in vague,

broad terms’ without alleging what law was violated and how is insufficient to state a

489 Id. at *15. 490 Id. 491 See Thorpe ex rel. Castleman v. CERBCO, Inc., 676 A.2d 436, 445 (Del. 1996) (“Delaware law dictates that the scope of recovery for a breach of the duty of loyalty is not to be determined narrowly.”). 492 Hughes v. Hu, No. 2019-0112-JTL, 2020 WL 1987029, at *17 (April 27, 2020) (citing Thorpe ex rel. Castleman v. CERBCO, Inc., 676 A.2d 436, 445 (Del. 1996)). 493 Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021). 494 Id. at *14. 495 Id. at *48 (citing In re Marriott Int’l, Inc. Customer Data Security Breach Litig., 440 F.Supp.3d 447, 487, 490 (S.D. Md. 2020); Pfeiffer v. Toll, 989 A.2d 683, 690 (Del. Ch. 210)).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 72 All rights reserved

Caremark claim.”496 Perhaps the claims in Marriott were the victim of sloppy pleading. But

the approach taken by the court in Marriott is hard to square with Marchand and its progeny, and

the decisions it cites do not involve Caremark claims. Marriott (a Chancery Court decision)

cannot overturn Marchand (a Delaware Supreme Court decision) and should not be relied on

uncritically.

ii. Existing Cybersecurity Regulatory Framework Cybersecurity is already regulated in the United States,497 and it is only going to

become more regulated.498 The Cyber Incident Notification Act of 2021 would provide

some protection from legal liability for certain companies that disclose a cyberbreach to

the Department of Homeland Security Cybersecurity and Infrastructure Security

Agency.499 The carrot is paired with a stick: the proposed statutory language provides for

civil penalties of up to 0.5 percent of the company’s gross revenue each day the violation

continues.500

496 Id. at *38 (citing Wilkin v. Narachi, 2018 WL 1100372, at *12 (Del. Ch. Feb. 28, 2018); Desimone v. Barrow, 924 A.2d 908, 928 (Del. Ch. 2007)). 497 JEFF KOSSEFF, CYBERSECURITY LAW xxiv–xxv (2020) (“[C]ybersecurity law [consists] of six broad areas of law: private sector data security laws, anti-hacking laws, public-private cybersecurity efforts, government surveillance laws, cybersecurity requirements for government contractors, [and] privacy law.”). 498 See Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW, at *32 (Del. Ch. Oct. 5, 2021) (“Regulators in the United States and abroad have become more active in issuing cybersecurity guidance and undertaking enforcement activities in response.”) (citing CAL. CIV. CODE §§ 1798.110, 1798.150 (West 2021); European Union General Data Protection Regulation, Council Regulation 2016/679; Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 FED. REG. 8,166 (Feb. 22, 2018); Jared Ho, Corporate Boards: Don’t Underestimate Your Role in Data Security Oversight, FED TRADE COMM’N (Apr. 28, 2021)). 499 Senators introduce cyber incident notification act, SECURITY (July 22, 2021), https://www.securitymagazine.com/articles/95693-senators-introduce-cyber-incident-notification- act. 500 Id.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 73 All rights reserved

The SEC has published guidance on how publicly traded companies should

disclose cybersecurity risks and incidents.501 Of particular note in the Caremark context,

the SEC states that the board’s role in providing oversight of cybersecurity should be

disclosed if cybersecurity risks are material.502 The SEC recently announced that it had

settled with First American Financial Corporation (“First American”) for “inadequate

disclosure controls and procedural violations. ”503 The First American settlement is

notable both because it did not involve a cybersecurity breach, only a vulnerability, and

because it was based on inadequate controls, not fraud.504 As cyber incidents grow in

scale, they are more and more likely to prove material to a company’s financials and the

relevance of SEC regulation will grow. And publicly traded companies “must disclose

material cybersecurity lapses, breaches, and vulnerabilities just like they must disclose

any other material corporate events.”505 The SEC announced that its 2021 regulatory

agenda would include rulemaking related to cybersecurity risk disclosure.506

Cybersecurity looks to be a major enforcement priority after Chairman Gary Gensler’s

501 Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 CFR 229, 249 (Feb. 26, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf. 502 Vivek Mohan, et al., SEC Increasingly Turns Focus Toward Strength of Cyber Risk Disclosures, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (July 25, 2021), https://corpgov.law.harvard.edu/2021/07/25/sec-increasingly-turns-focus-toward-strength-of- cyber-risk-disclosures/ (relying on Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 CFR 229, 249 (Feb. 26, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf). 503 William Johnson, et al., SEC Returns Spotlight to Cybersecurity Disclosure Enforcement, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (Aug. 1, 2021), https://corpgov.law.harvard.edu/2021/08/01/sec-returns-spotlight-to-cybersecurity-disclosure- enforcement/. 504 John F. Savarese, et al., A New Angle on Cybersecurity Enforcement from the SEC, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (June 26, 2021), https://corpgov.law.harvard.edu/2021/06/26/a-new-angle-on-cybersecurity-enforcement-from-the- sec/. 505 Johnson, supra note 507. 506 SEC Announces Annual Regulatory Agenda, U.S. SECURITIES AND EXCHANGE COMMISSION OFFICE OF INFORMATION AND REGULATORY AFFAIRS (June 11, 2021), https://www.sec.gov/news/press-release/2021-99.

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 74 All rights reserved

first 100 days,507 and President Biden has named it a “top priority and essential to

national and economic security.”508

Regulated industries frequently have their own cybersecurity requirements. SEC-

regulated broker-dealers and investment advisors, for example, have to follow SEC

requirements in handling client data.509 Health care providers must conform to the

standards for patients’ electronic health information in the HIPAA Security Rule.510 The

Federal Energy Regulatory Commission promulgated a rule in 2008 setting cybersecurity

reliability standards for power companies.511

The Wall Street Journal reports that “Ransomware is likely to remain a threat to

U.S. economic and national security for years to come, the country’s top military cyber

official said.”512 “Ransomware attacks won’t end anytime soon,” according to Army Gen.

Paul Nakasone, the director of the National Security Agency.513 Ransomware payments

can implicate an array of laws. Ransomware payments may violate laws setting

economic sanctions.514 Ransomware payments may also run afoul of the Patriot Act and

other anti-money laundering laws and regulations.515 Companies must comply with a

507 See Randall R. Lee, et al., Early SEC Enforcement Trends from Chairman Gensler’s First 100 Days, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (Aug. 11, 2021), https://corpgov.law.harvard.edu/2021/08/11/early-sec-enforcement-trends-from-chairman- genslers-first-100-days/ (identifying cybersecurity as one of five early enforcement priority areas). 508 Exec. Order No. 14,208, 86 FED. REG. at 26,633 (2021). 509 Johnson, supra note 507. 510 HIPAA Security Rule, 45 CFR 160, 164. 511 Order No. 706, 18 CFR 40 (Jan. 18, 2018). 512 James Rundle, Ransomware Attacks Expected to Prolong, WALL ST. J., Oct. 6, 2021, at B2. 513 Id. 514 Advisory on Potential Sanction Risks for Facilitating Ransomware Payments, DEP’T OF THE TREASURY OFFICE OF FOREIGN ASSETS CONTROL (Oct. 1, 2020), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf. 515 Antonia M. Apps & Adam Fee, What Companies Need to Know About Modern Ransomware Attacks and How to Respond, HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE (July 14, 2021), https://corpgov.law.harvard.edu/2021/07/14/what-companies-need-to-know-about- modern-ransomware-attacks-and-how-to-respond/. See also Treasury Takes Robust Actions to Counter Ransomware, U.S. DEP’T OF THE TREASURY (Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364 (“The United States has been a leader in

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 75 All rights reserved

patchwork of state laws setting data breach notification obligations.516 One might require

companies notify customers of a breach “as expeditiously as possible and without

reasonable delay,”517 another within 30 days,518 and a third state within 90 days.519

Legislators in at least four states have proposed laws banning ransomware payments.520

In discussing federal contractors, on October 6, 2021, “Deputy Attorney General

Lisa Monaco unveiled a new policy… saying ‘For too long, companies have chosen

silence under the mistaken belief that it’s less risky to hide a breach than to bring it

forward and to report it. Well, that changes today.”521 Ms. Monaco continues, “Where

those who are entrusted with government dollars… to work on sensitive government

systems fail to follow required cybersecurity standards, we’re going to go after that

behavior and extract very hefty fines.”522 Cybersecurity regulation is also attracting

international attention.523

applying its anti-money laundering/countering the financing of terrorism (AML/CFT) framework in the virtual currency area, including with the Financial Crimes Enforcement Network (FinCEN) publishing guidance regarding the application of Bank Secrecy Act rules in this area in 2013 and 2019.”). 516 See The 50 state data breach notification laws by state, IT GOVERNANCE USA, https://www.itgovernanceusa.com/data-breach-notification-laws (last accessed Aug. 5, 2021) (surveying data breach notification laws in all 50 states). 517 See, e.g., Ala. Code § 8-38-1 et. seq. 518 See, e.g., Fla. Stat. § 501.171. 519 See, e.g., Conn. Gen. Stat. § 36a-701b. 520 Cynthia Brumfield, Four states propose laws to ban ransomware payments, CSO ONLINE (June 28, 2021 2:00AM PDT), https://www.csoonline.com/article/3622888/four-states-propose-laws-to- ban-ransomware-payments.html. 521 James Rundle & Kim S. Nash, U.S. Contractors Must report Breaches, WALL ST. J., Oct. 8, 2021 at A4. 522 Id. 523 Treasury Takes Robust Actions to Counter Ransomware, U.S. DEP’T OF THE TREASURY (Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364 (“At the Group of Seven (G7) meeting in June, participants committed to working together to urgently address the escalating shared threat from criminal ransomware networks. The G7 is considering the risks surrounding ransomware, including potential impacts to the finance sector.”).

Electronic copy available at: https://ssrn.com/abstract=3938128

EARLY DRAFT-COMMENTS WELCOME- 10/15/2021 4:08 PM

© 2021 H. Justin Pace & Lawrence J. Trautman Page 76 All rights reserved

V. CONCLUSION

This Article makes four key arguments. Black letter Caremark doctrine has not

changed, but it is newly reinvigorated and the risks of Caremark liability for directors is

greater than just a few years ago. Future Caremark liability will be centered on failure to

provide board-level oversight of mission critical risks. Cybersecurity is mission critical

to effectively all large companies today. The risk of Caremark liability can be mitigated

by taking a few simple steps to ensure that the board is addressing cybersecurity. This

Article is the first to make these arguments together and the first to make the final

argument.

Electronic copy available at: https://ssrn.com/abstract=3938128