Here’s something John blogged last week on DealLawyers.com: Don’t look now, but the Delaware Chancery Court just upheld another Caremark claim in the face of a motion to dismiss. In his 50-page opinion in In re Clovis Oncology Derivative Litigation, (Del. Ch.; 10/19), Vice Chancellor Slights held that the plaintiffs had adequately pled that the board breached its fiduciary duties by failing to oversee a clinical trial for the company’s experimental lung cancer drug and then allowing the company to mislead the market regarding the drug’s efficacy.
In declining to dismiss the case, the Vice Chancellor observed that Delaware courts are more likely to find liability under Caremark for oversight failures involving compliance obligations under regulatory mandates than for those involving oversight of ordinary business risks:
Caremark rests on the presumption that corporate fiduciaries are afforded “great discretion to design context- and industry-specific approaches tailored to their companies’ businesses and resources.” Indeed, “[b]usiness decision-makers must operate in the real world, with imperfect information, limited resources, and uncertain future. To impose liability on directors for making a ‘wrong’ business decision would cripple their ability to earn returns for investors by taking business risks.”
But, as fiduciaries, corporate managers must be informed of, and oversee compliance with, the regulatory environments in which their businesses operate. In this regard, as relates to Caremark liability, it is appropriate to distinguish the board’s oversight of the company’s management of business risk that is inherent in its business plan from the board’s oversight of the company’s compliance with positive law—including regulatory mandates.
As this Court recently noted, “[t]he legal academy has observed that Delaware courts are more inclined to find Caremark oversight liability at the board level when the company operates in the midst of obligations imposed upon it by positive law yet fails to implement compliance systems, or fails to monitor existing compliance systems, such that a violation of law, and resulting liability, occurs.”
VC Slights cited the Delaware Supreme Court’s recent decision in Marchand v. Barnhill, and noted that that case “underscores the importance of the board’s oversight function when the company is operating in the midst of ‘mission critical’ regulatory compliance risk.”
Caremark requires a plaintiff to establish that the board either “completely fail[ed] to implement any reporting or information system or controls” or failed to adequately monitor that system by ignoring “red flags” of non-compliance. While the board’s governance committee was responsible for overseeing compliance with regulatory requirements applicable to the clinical trial, the Vice Chancellor held that the plaintiff adequately pled that it knowingly ignored red flags indicating that the company was not complying with those requirements. Accordingly, he declined to dismiss the case.
Ann Lipton has some interesting perspectives on VC Slights’ distinction between business & legal compliance risks over on her Twitter feed. Check it out.
Caremark still may be, as former Chancellor Allen put it, “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” But after decades of routinely dismissing Caremark claims at the pleading stage, this marks the second time this year that the Delaware courts have declined to do so – and it’s the third case in the last two years in which they’ve characterized a Caremark claim as “viable.”
Is Caremark becoming a more viable theory of liability, or is the board’s conduct in these cases just more egregious than in prior cases? It’s hard to say based on the limited evidence we have. For now, maybe the ’60s band Buffalo Springfield put it best – “There’s something happening here. What it is ain’t exactly clear. . .”
ISS Proposes Policy Changes: Comment By October 18th!
1. Clarifying a maximum 7-year sunset and other parameters for multi-class capital structures at newly public companies
2. Codifying ISS’s existing approach to “independent chair” shareholder proposals by identifying factors that will weigh in favor of a “For” recommendation – e.g. a “weak or poorly defined lead director role” – and moving some info into the “Policy FAQs”
3. Adding safeguards against “abusive practices” to the policy to vote “For” management proposals for buyback programs – e.g. the use of buybacks to boost EPS-based pay metrics
Submit comments to email@example.com by next Friday – October 18th. Unless otherwise specified in writing, all comments will be disclosed publicly upon release of final policies – which is expected during the first half of November.
Ransomware: Preparing for a Growing Threat
According to a recent NYT article, more than 40 municipalities have been victims of ransomware attacks this year, including the 23 towns in Texas that were hit recently. This Wachtell Lipton memo predicts that ransomware is a growing threat for companies too – and offers these preparation & response tips (also see the suggestions in this “Accounting Today” article):
Before an attack:
– Reduce ransomware exposure by implementing reliable backup processes for IT systems & critical data
– Get cyber insurance that covers costs associated with ransomware incidents
– Implement incident response plans – including elevation procedures
– Foster pre-attack relationships with law enforcement
Responding to an attack:
– Protect attorney-client privilege by assigning legal counsel a leadership response role & engaging other advisers through counsel
– Assess disclosure obligations – e.g. state & international data breach notifications, SEC and industry-specific disclosure requirements
– Determine notice requirements for insurers, vendors and customers
– Approach the decision whether to pay a ransom with great caution & careful deliberation
On that last point about whether to pay a ransom, this ProPublica article outlines the pros & cons for victims – and suggests insurers have an incentive to accommodate the attackers even if (or because?) doing so leads to more incidents. According to the article, cyber insurance is now a $7-8 billion/year market, and insurers know that could fall apart if nobody is worried about getting hacked.
– Liz Dunshee