In 1996, the Delaware Court of Chancery issued its seminal decision in In re Caremark International Inc. Derivative Litigation,1 establishing the conditions for director oversight liability under Delaware law. Adopted a decade later by the Delaware Supreme Court in Stone v. Ritter,2 the Caremark test imposes liability under two “prongs”: where “(a) directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”3
In the 25 years since Caremark was decided, the Delaware courts have repeatedly emphasized that claims for breach of the duty of loyalty premised on lack of oversight are exceedingly difficult to plead. In order to state a Caremark claim, a plaintiff must “plead with particularity that the board cannot be entrusted with the claim because a majority of the directors may be liable for oversight failures,” which is “extremely difficult to do.”4 In fact, Delaware jurisprudence suggests that “the claim that corporate fiduciaries have breached their duties to stockholders by failing to monitor corporate affairs is ‘possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.’”5 As a result, oversight claims have been few and far between and, when such claims were brought, they rarely survived motions to dismiss.
Then, things changed unexpectedly in 2019. In four cases alleging that boards failed in their duty of oversight, one decided by the Delaware Supreme Court, and three by the Court of Chancery, complaints have survived motions to dismiss. These decisions suggest that directors may be more exposed to such claims than they have been in the past.
In Marchand v. Barnhill in 2019, the Delaware Supreme Court concluded that a complaint stated a claim for lack of board oversight where food safety at an ice cream company was the “most central safety and legal compliance issue facing the company,” yet there was no board-level compliance reporting for food safety.6
Three months later, the Court of Chancery held in In re Clovis Oncology, Inc. Derivative Litigation that the board of a drug manufacturer “consciously ignored red flags that revealed a mission critical failure to comply with [a clinical trial] protocol and associated FDA regulations,” despite the fact that Clovis was a “monoline company [that] operates in a highly regulated industry.”7 The Court of Chancery explained, “[a]s Marchand makes clear, when a company operates in an environment where externally imposed regulations govern its ‘mission critical’ operations, the board’s oversight function must be more rigorously exercised.”8
In a 2020 decision, Hughes v. Hu, the Court of Chancery held that “chronic deficiencies” in internal controls over financial reporting “support[ed] a reasonable inference that the Company’s board of directors, acting through its Audit Committee, failed to provide meaningful oversight over the Company’s financial statements and system of financial controls.”9
Later in 2020, in Teamsters Local 443 Health Services & Insurance Plan v. Chou, the Court of Chancery held that the board of a pharmaceutical sourcing and distribution company ignored “red flags” and “permitted a woefully inadequate reporting system with respect to the business line in which [its subsidiary] operated.”10
On the heels of those cases, the Delaware Court of Chancery has issued two more recent opinions highlighting the critical importance of establishing and monitoring company reporting systems for “essential and mission critical” compliance risk.
Boeing: Bad Faith Adequately Alleged in ‘Mission Critical’ Context
In In re Boeing Company Derivative Litigation (Boeing), the Court of Chancery sustained a Caremark claim at the pleadings stage, holding that stockholder plaintiffs had adequately pled that a majority of the Boeing board of directors faced a substantial likelihood of liability for failing both prongs of Caremark’s two-part test.11
According to plaintiffs, in 2017, the global aerospace corporation began to fulfill customer orders for its new Boeing 737 MAX airplanes, which had been aggressively designed, developed, marketed and produced. In the development and marketing of the 737 MAX, the complaint alleged, Boeing “prioritized (1) expediting regulatory approval and (2) limiting expensive pilot training required to fly the new model.” Boeing’s “frenetic” pace for the 737 MAX program led, in part, to undisclosed safety issues with the airplanes. These safety issues ultimately led to two separate airline crashes, each killing 150 to 200 passengers. By 2020, Boeing estimated that these disasters, the resulting grounding of the 737 MAX fleet and other fallout had already caused Boeing to incur $22.5 billion in total costs.
In describing the Caremark standard, the Court of Chancery emphasized that a well-pled oversight claim “requires not only proof that a director acted inconsistently with his fiduciary duties but also most importantly, that the director knew he was so acting.”12 Because the test is rooted in concepts of bad faith, “a showing of bad faith is a necessary condition to director oversight liability.”13 Notwithstanding the high bar for pleading bad faith, however, the court held that plaintiffs adequately pled a claim for breach of the duty of loyalty predicated on lack of oversight under both prongs of the Caremark test.
On prong one, based on plaintiffs’ allegations, the court concluded that airplane safety was “essential and mission critical” to Boeing’s business, yet the board: (i) had no committee charged with direct responsibility to monitor airplane safety; (ii) did not monitor, discuss, or address airplane safety on a regular basis; (iii) had no regular process or protocols requiring management to update the board of airplane safety and instead only received ad hoc management reports that included only positive information; (iv) never received information on yellow and red flags that management saw; and (v) made statements that demonstrated they knew they should have had processes in place to receive safety information.
On prong two, the court found that the complaint adequately alleged that the board ignored the red flags of the first plane crash and consequent revelations about the problems with the 737 MAX. For these reasons, the court denied the motion to dismiss the Caremark claim.
Within a couple months after the Boeing decision issued, the parties filed settlement papers seeking the court’s approval of a settlement that includes a $237.5 million monetary payment as well as corporate governance reforms.
Marriott: Complaint Dismissed Where Board Was Apprised of Risks and Did Not Disregard Them
In contrast to Boeing, in Firemen’s Retirement System of St. Louis v. Sorenson (Marriott), the Court of Chancery dismissed a Caremark claim, holding that the allegations in the complaint did not meet the “high bar” for pleading a bad faith oversight claim.14
Plaintiffs alleged that two years after Marriott International Inc. acquired Starwood Hotels and Resorts Worldwide, Inc. in 2016, Marriott discovered a data security breach that had exposed personal information of up to 500 million guests. An investigation revealed that the cyberattack was perpetrated through Starwood’s legacy reservation database. Plaintiff alleged that a majority of the Marriott board faced a substantial likelihood of liability under Caremark for their “conscious and bad faith decision not to remedy Starwood’s severely deficient information protection systems.”
While the court acknowledged that “[t]he corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place,” it nevertheless concluded that “[t]he growing risks posed by cybersecurity threats do not, however, lower the high threshold that a plaintiff must meet to plead a Caremark claim.”15 The court highlighted that for either prong of Caremark’s test, “a showing of bad faith conduct . . . is essential to establish director oversight liability,”16 and only a “sustained or systemic failure of the board to exercise oversight . . . will establish the lack of good faith that is a necessary condition to liability.”17
With this “high threshold” in mind, the court held that plaintiff failed to state a claim under either prong of Caremark.18 Under prong one, plaintiff acknowledged that “the Board and Audit Committee were routinely apprised on cybersecurity risks and mitigation, provided with annual reports on the Company’s Enterprise Risk Assessment that specifically evaluated cyber risks, and engaged outside consultants to improve and auditors to audit corporate cybersecurity practices.”19 Furthermore, “[t]he Complaint also describe[d] internal controls over the Company’s public disclosure practices” and then noted that when “management received information that the plaintiff describes as ‘red flags’ indicating vulnerabilities, the reports were delivered to the Board.” 20
On prong two, the court held that plaintiff had not pled particularized factual allegations that the board “knowingly permitted Marriott to violate the law.” 21 As for the three “red flags” plaintiff cited for board knowledge of cybersecurity issues, the court concluded that none “were deliberately disregarded.”22 Instead, Marriott management “told the Board that it was addressing or would address the issues presented.” 23 Therefore, the court granted the motion to dismiss the Caremark claim.
- Since the Delaware Supreme Court’s 2019 ruling in Marchland, Caremark claims have been more frequently pursued, and a larger than expected number of them have survived motions to dismiss.
- Despite two and a half decades of Caremark decisions stressing the high bar for pleading a breach of the duty of loyalty premised on oversight liability, the recent decisions from the Delaware courts indicate a willingness to entertain well-pled oversight claims involving “essential and mission critical” issues for a company’s compliance risk. While these cases repeat the prior court statements about how difficult these claims are to plead, they suggest that, in practice, that may no longer be the case.
- In the past two years, five of 17 Caremark claims raised in the Court of Chancery have survived a motion to dismiss — an approximately 30% success rate. It remains to be seen whether the Delaware courts will continue to sustain Caremark oversight claims with increased frequency.
- These Delaware law developments highlight the critical importance for companies and their boards to adopt and regularly assess, evaluate and update their internal controls and reporting systems to avoid potential liability under Caremark.
1 698 A.2d 959 (Del. Ch. 1996).
2 911 A.3d 362 (Del. 2006).
3 Id. at 370.
4 In re Boeing Company Deriv. Litig., 2021 WL 4059934, at *1 (Del. Ch. Sept. 7, 2021).
5 Id. at *67 & n.224.
6 212 A.3d 805, 824 (Del. 2019).
7 2019 WL 4850188, at *1, *15 (Del. Ch. Oct. 1, 2019).
8 Clovis, 2019 WL 4850188, at *13.
9 2020 WL 1987029, at *15 (Del. Ch. Apr. 27, 2020).
10 2020 WL 5028065, at *2 (Del. Ch. Aug. 24, 2020).
11 Boeing, 2021 WL 4059934, (Del. Ch. Sept. 7, 2021).
12 Boeing, 2021 WL 4059934, at *25.
13 Id. (emphasis in original).
14 2021 WL 4593777 (Del. Ch. Oct. 5, 2021).
15 Id. at *12.
18 Notably, the court applied the newly adopted, three-part demand futility standard from the Delaware Supreme Court’s recent decision in United Food and Commercial Workers Union and Participating Food Industry Employers Tri-State Pension Fund v. Zuckerberg, 2021 WL 4344361 (Del. 2021). See our September 28, 2021 client alert “Delaware Supreme Court Issues Two Opinions Simplifying Delaware Law on Derivative Claims.”
19 Id. at *1.
20 Id. at *13.
21 Id. at *14.
22 Id. at *16.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.