CEO Indictment and Derivative Litigation May Foretell the Next Chapter in Privacy and Cyber Liability
Privacy Plus+
Privacy, Technology and Perspective
This week, the former president and CEO of Blue Bell Creameries was criminally charged for concealing the company’s 2015 listeria outbreak. A link to the New York Times article describing the indictment follows:
Let’s take a step back to consider why the indictment of Blue Bell’s ex-CEO matters to privacy and cybersecurity liability, especially for executives and boards of directors.
In re Caremark Int'l Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996): Let’s start by revisiting Delaware’s Caremark Doctrine, under which directors have a duty "to exercise oversight" and to monitor a corporation's operational viability, legal compliance, and financial performance. Under Caremark, directors may be held personally liable when:
- the directors fail to implement any reporting or information system or controls; or
- having implemented such a system or controls, [the directors] consciously fail to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.
Historically, Caremark claims asserted by shareholder-plaintiffs have rarely survived motions to dismiss because they’ve failed to plead specific facts demonstrating that the directors would face a substantial likelihood of personal liability. But that may be changing.
Marchand v. Barnhill, 212 A.3d 805 (Del. 2019): Last summer, the Delaware Supreme Court revisited the Caremark Doctrine in a notable case which also related to Blue Bell’s listeria outbreak, reversing the dismissal of a breach of fiduciary duty case against Blue Bell’s board of directors. There, shareholders claimed that the directors had breached their fiduciary duties by knowingly disregarding contamination risks and failing to oversee the safety of Blue Bell's food-making operations because:
- no board committee that addressed food safety existed;
- no regular process or protocols that required management to keep the board apprised of food safety compliance practices, risks, or reports existed;
- no schedule for the board to consider on a regular basis, such as quarterly or biannually, any key food safety risks existed;
- during a key period leading up to the deaths of three customers, management received reports that contained what could be considered red, or at least yellow, flags, and the board minutes of the relevant period revealed no evidence that these were disclosed to the board;
- the board was given certain favorable information about food safety by management, but was not given important reports that presented a much different picture; and
- the board meetings were devoid of any suggestion that there was any regular discussion of food safety issues.
The Delaware Supreme Court held that a claim for breach of the duty of loyalty is stated where, as here, the plaintiff shareholders plead facts that a board has undertaken no efforts to make sure it is informed of a compliance issue “intrinsically critical” to the company’s business operation. As explained in Marchand, "to satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it." Id. at 821 (emphasis supplied).
A link to the Marchand opinion follows:
https://www.leagle.com/decision/indeco20190619048
In re Clovis Oncology Inc. Derivative Litig., C.A. No. 2017-0222-JRS (Del. Ch. Oct. 1, 2019): Even more recently, the Delaware Court of Chancery followed Marchand and denied a motion to dismiss in the face of “bad faith” allegations of board oversight, where plaintiffs claimed the board “consciously ignored red flags that revealed a mission critical failure to comply with FDA regulations.” (emphasis supplied).
A link to the Clovis Oncology opinion follows:
https://www.leagle.com/decision/indeco20191002094
Together, these important Delaware cases show that when strong regulations govern a company’s "mission critical" operations, the board must exercise its oversight function more rigorously. We expect to see more derivative litigation of Caremark claims in the context of privacy regulations, especially where less mature boards fail to have a visible system for monitoring and ensuring compliance with privacy and cyber regulations facing the company.
Be aware that in the absence of a board-level system to monitor privacy and cyber risks, directors may bear personal liability (and perhaps, a CEO may now bear criminal liability).
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.