Takeaway: With the surge of data and cybersecurity breaches, corporate directors and officers have become targets for shareholder derivative lawsuits. Fortunately, there are procedural measures that directors and officers can put in place in order to mitigate the risk of litigation.
The standard in shareholder derivative actions is based on the seminal Caremark case. In the 1996 Caremark decision, the Delaware Chancery Court stated that, in data breach actions, directors can be personally liable for failing to “appropriately monitor and supervise the enterprise.” The court stressed that a company’s board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”
In the Caremark decision, the Court set forth a two-prong test for analyzing shareholder derivative actions. To prevail under the Caremark test as later clarified by the Court in Stone v. Ritter, the plaintiff must plead particularized facts showing that either (1) “the directors utterly failed to implement any reporting or information system or controls” or (2) “having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”
The application of this test was recently broadened in Firemen’s Retirement System of St. Louis on Behalf of Marriott International, Inc. v. Sorenson. In that case, Marriott announced its intent to acquire Starwood Hotels and Resorts Worldwide, Inc. on November 16, 2015. Prior to the acquisition, Marriott engaged in 11 months of due diligence, during which Marriott’s Board of Directors ranked cybersecurity as the number one risk for the upcoming 2016 year. Despite knowing that cybersecurity was a pervasive risk in the hospitality industry that could affect Marriott’s ability to achieve its goals, the Pre-Acquisition Board did not order any specific due diligence into cybersecurity in connection with the planned acquisition. Shortly after the acquisition agreement was signed by the parties, Starwood’s point-of-sale systems became infected with malware. It was discovered that Starwood’s systems lacked certain protections, such as tokenization and point-to-point encryption across its point-of-sale systems. None of this information reached the Board before the acquisition closed.
Subsequent to the acquisition, however, the Board and Audit Committee were routinely apprised of cybersecurity issues. The Post-Acquisition Board was also advised that Marriott had undertaken several “Key Mitigating Activities” to address the Company’s top risks, including cybersecurity. However, in September of 2018, outside investigators engaged by Marriott uncovered malware on Starwood’s system that had the potential to access, surveil, and gain administrative control over the system computer. This resulted in one of the biggest data breaches in history, in which guests’ names, passport numbers, birth dates, email and mailing addresses, and payment card details were all exploited. Marriott publicly announced the data security incident on November 30, 2018, and explained that there had been unauthorized access to the Starwood network since 2014 that exposed the personal information of approximately 500 million guests.
As a result of the data breach, Marriott faced a shareholder derivative lawsuit alleging personal liability against 11 members of the Pre-Acquisition Board for their “decision to complete the acquisition without conducting any due diligence into Starwood’s cybersecurity.” The Court quickly found plaintiff’s claims of fraudulent concealment and equitable tolling inapplicable. More importantly, in its application of the Caremark test, the Court could not find any evidence that Marriott acted with scienter, despite plaintiff’s numerous protestations that Marriott’s failure to improve its deficient systems risked the violation of various laws.
In addition, the plaintiff asserted that the Post-Acquisition Board was exposed to Caremark liability for its failure to immediately discontinue the use of the guest reservation system and because the Board failed to disclose the data breach. The Court, however, found that no personal liability could be attributed to the directors sitting on a Post-Acquisition Board committee when internal reports regarding potential security risks were made to the committee both prior to and subsequent to the acquisition. This is because the Post-Acquisition Board stated that all “red flags” were being addressed, and because directors cannot be liable for violations they did not know about. In finding no liability on the part of the directors, the Court concluded, “… [t]he difference between a flawed effort and a deliberate failure to act is one of extent and intent. A Caremark violation requires a plaintiff to demonstrate the latter.”
Recently, courts have been deferential to companies that instituted an internal investigation committee and performed even marginal investigations before refusing to bring a derivative lawsuit. The courts consider a board’s decision to refuse to bring a derivative lawsuit to be protected by the business judgment rule. A stockholder, however, may rebut that presumption by pleading with particularity that the demand refusal was made in bad faith or was based on an unreasonable investigation. It is important to bear in mind that these cases do not represent the future landscape, and thus companies must consider stricter safeguards as courts continue to develop this mercurial area of the law.
Some of the internal safeguards corporate directors and companies can institute in an effort to prevent personal liability resulting from a data breach or cybersecurity attack are:
Nevertheless, as cybersecurity breaches become more prevalent, litigation against directors is seemingly inevitable. To shield directors from liability arising from these breaches, a security program designed to thwart attackers can ensure the company’s protection of sensitive information while at the same time mitigating the risk of exposure.
In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 961 (Del. Ch. 1996).
Id. at 967.
Id. at 967-969.
Stone v. Ritter, 911 A.2d 362, 370 (Del. Ch. 2006).
Firemen’s Retirement System of St. Louis on Behalf of Marriott International, Inc. v. Sorenson, 2021 WL 4593777, at *2 (Del. Ch. Ct. Oct. 5, 2021).
Id. at *4.
Id. at *4-5.
Id. at *8.
Id. at *8.
Id. at *12.
Id. at *16.
Id. at *17.
Id. at *18.
Lucie R. Huger, Esq., et al., Director and Officer Liability for Data Breaches, 2016 WL 3245382, at *2.
Id. at *3.