January 27, 2022

Cybersecurity: Beware of Caremark Claims Over Data Breaches

Delaware courts have become more accommodating to Caremark claims in recent years and this recent Sidley blog cautions that the claims, which are premised on a board’s failure to fulfill its oversight responsibilities, may become increasingly attractive to plaintiffs in situations involving data breaches. Here’s an excerpt:

To successfully allege a Caremark claim, a plaintiff must plead facts demonstrating that either “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” Put differently, the directors must have acted in bad faith in failing to oversee. Furthermore, this failure must be related to some aspect of the business that is “essential and mission critical.”

As our “data economy” has fed an increase in data security incidents, failures in data security have in turn created significant risks to corporations. These risks take many forms, including loss of access to business-critical data and IT infrastructure, successful consumer class action lawsuits, regulatory liability, or loss of commercial counterparties or liability to those counterparties. Not surprisingly, shareholder lawsuits have also followed, seeking to hold corporate boards responsible for lax oversight that results in harm to the corporation following a data security incident.

To date, Caremark claims based on data security incidents have mostly failed to gain traction; the vast majority have been dismissed at the motion to dismiss stage and a smaller portion have settled, as our colleagues noted in an article for Bloomberg Law back in 2017. Several recent cases have confirmed that Caremark claims remain difficult to bring (much less win), even when those claims are based on data security incidents. But these cases also reveal potential avenues that shareholder plaintiffs may pursue when bringing data security-related Caremark claims.

The blog highlights recent Caremark claims against SolarWinds and T-Mobile arising out of data breaches. The SolarWinds complaint focuses on Caremark’s first prong, and alleges that the SolarWinds board failed to implement necessary controls. In support of that allegation, the plaintiffs point to, among other things, the board’s failure to respond to an outside consultant’s warnings about data system vulnerabilities.

The T-Mobile case focuses on the second prong, and alleges that the company’s data security shortcomings involved violations of law – which in recent years have proven to be a fertile ground for Caremark claims. In particular, the complaint points to an FCC investigation and resulting fine to support allegations that the Board was “long aware of” yet “failed to heed . . . red flags” related to the company’s cybersecurity inadequacies.

John Jenkins