by M. Todd Scott, Alex Talarides and Jim Kramer
What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?
In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth the standard governing a director’s duty to monitor the company’s affairs, a duty that extends to threats such as cyber attacks. In short, a director who acts in good faith, exercises proper due care and does not exhibit gross negligence cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” that failure could give rise to a claim for breach of fiduciary duty.
As Delaware courts have repeatedly held, a Caremark claim is possibly the most difficult theory in corporations law upon which a plaintiff might hope to win a judgment. To succeed, a plaintiff must establish:
• The existence of facts suggesting that the board knew that internal controls were inadequate and could leave room for materially harmful behavior, and
• That the board chose to do nothing about the control deficiencies that it knew existed.
Put another way, the plaintiff must be able to show a “sustained or systematic failure of the board to exercise oversight.” While these standards are strict, one could easily envision a situation in which a company suffers a serious cyber attack and then, months later, suffers another. The board surely knew of the first attack and of the damage it caused the company. To the extent a plaintiff could show that the board’s response was insufficient, in other words that the board ignored the “red flag” of the prior attack, a claim could arise.