Mission Critical: Caremark, Blue Bell, and Director Responsibility for Cybersecurity Governance

Abstract

If the potential for Caremark liability hangs like the sword of Damocles over corporate directors of Delaware corporations, then that sword has been considerably more secure than that of the original myth. For decades, Chancellor Allen’s description of a Caremark claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment” held true. Caremark claims that survived a motion to dismiss were for decades few and far between. That changed in 2019. In the space of little over a year, Delaware courts have allowed five Caremark claims to survive in the corporation context and one claim to survive in the limited partnership context. The thread holding that sword is beginning to look more like the single horse hair of myth. The scope and likelihood of Caremark liability are matters of considerable interest and concern for directors. Under most circumstances, a board simply doing its job poorly is relevant only to the directors’ duty of care and protected by the business judgment rule, exculpatory provisions under Section 102(b)(7), and advancement and indemnification. Failure to monitor under Caremark, however, is a breach of the duty of loyalty. A breach of the duty of loyalty is not protected by the business judgment rule. It cannot be exculpated. And it cannot be covered by indemnification. 2019 marked an abrupt shift in Caremark in application, if not in theory. In June of that year the Supreme Court of Delaware (“Delaware Supreme Court”) reversed a decision by the Delaware Court of Chancery (“Chancery Court”) dismissing a claim against the directors of Blue Bell Creameries, Inc. (“Blue Bell”) under Caremark. Within a little over a year, the Chancery Court would sustain Caremark claims in four cases. In Clovis, the Chancery Court sustained a Caremark claim against directors of a pharmaceutical company who allowed the company to misrepresent the clinical trial success of one of its three drugs. In Hughes, the Chancery Court sustained a Caremark claim against directors of a Chinese company incorporated in Delaware that suffered from severe and pervasive accounting issues. In Teamsters Local, the Chancery Court sustained a Caremark claim against directors of a large pharmaceutical company who allowed an indirect subsidiary to essentially operate a criminal enterprise. And in Boeing, the Chancery Court sustained a Caremark claim against directors of an airplane manufacturer who did not pay attention to safety issues. Cybersecurity has become just such a mission critical risk for large corporations. This Article makes four key arguments. Black letter Caremark doctrine has not changed, but it is newly reinvigorated and the risks of Caremark liability for directors is greater than just a few years ago. Future Caremark liability will be centered on failure to provide board-level oversight of mission critical risks. Cybersecurity is mission critical to effectively all large companies today. The risk of Caremark liability can be mitigated by taking a few simple steps to ensure that the board is addressing cybersecurity. This Article is the first to make these arguments together and the first to make the final argument.