This post was prepared by Frank Reynolds, who has been following Delaware law and writing about it in various publications for over 30 years.
The Delaware Chancery Court recently threw out a shareholder’s oversight claim against SolarWinds Corporation’s directors because it failed to show they were unfit to review plaintiffs’ negligent supervision suit over a costly Russian hacker cybercrime — even though under the milestone Marchand opinion, cybersecurity was a “mission critical” area for the online software provider’s business, in Construction Industry Laborers Pension Fund et al. v. Bingle et al., C.A. No. 2021-0940-SG opinion issued (Del. Ch. Sept. 6, 2022).
In his September 6 opinion, Vice Chancellor Sam Glasscock said he granted the directors’ motion to dismiss the so-called Caremark negligent supervision charge because the Delaware Supreme Court’s Marchand v. Barnhill opinion required more than the plaintiffs’ allegation that SolarWinds’ board of directors negligently received no cybersecurity reports in more than two years. Marchand v. Barnhill 212.3d 805, 822 (Del. 2019). He said according to Marchand, the complaint lacked particularized pleadings to support a scienter claim that the SolarWinds directors demonstrated bad faith in fulfilling their fiduciary duty of oversight, commonly called a Caremark claim.
Chancellor William Allen’s pioneering 1996 opinion in Caremark first set the standards for a claim of breach of duty to supervise. In re Caremark Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
Importantly for corporate law specialists, Vice Chancellor Glasscock’s Sept. 6 opinion said “to plead potential liability sufficient to cause directors to be unable to consider a demand and thus justify a derivative claim under Rule 23.1, the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty. This in turn requires a pleading of scienter demonstrating bad faith—in then-Chief Justice (Leo) Strine’s piquant formulation, a failure to fulfill the duty of care in good faith.”
The Vice Chancellor said additionally, the plaintiffs, led by the Construction Industry Laborers and Central Laborers pension funds, were dismissed because, “only utter failures by directors to impose a system for reporting risk, or failure to act in the face of “red flags” disclosed to them so vibrant the lack of action implicates bad faith, in connection with the corporation’s violation of positive law, have led to viable claims under Caremark.”
SolarWinds, a Delaware corporation that went public in 2018, provided information technology infrastructure management software for clients ranging from the Fortune 500 to United States government agencies and was entirely dependent on the sale of its management software – which requires access to clients’ information technology systems. Plaintiffs said that made the system highly vulnerable to attack by a malware called Sunburst, which was very injurious for SolarWinds and its clients.
Consolidated shareholder suits filed December 2020 in the wake of costly Sunburst damage, charged that the SolarWinds board created two director committees to split the job of advising and updating the board on cybersecurity issues but neither did the job and neither made any report to the board during a 26-month period in which the board negligently neglected its duty to monitor the mission critical area of cybersecurity. That failure to monitor allowed Russian hackers to use SolarWinds own program as a Trojan horse that infected client software during updates, the complaints said.
As federal agencies investigated the alleged theft of government data through an infected SolarWinds Orin software, the director defendants filed motions to dismiss the now-consolidated complaints in January 2022, focusing on whether the derivative suit properly alleged that a majority of the board of directors could not impartially review the charges because of the likelihood of their liability.
What standard applies?
Plaintiffs alleged both that:
- A majority of the demand Board utterly failed “to implement and monitor a system of corporate controls and reporting mechanisms” regarding cybersecurity, and that
- Even if a monitoring system was in place, the directors failed to “oversee” such system of oversight in breach of their fiduciary duties because they overlooked “red flags” signaling corporate risk.
But the vice chancellor ruled that:
Plaintiffs in Caremark cases must “plead with particularity ‘a sufficient connection between the corporate trauma and the [actions or inactions of] the board,’” and “a stockholder cannot displace the board’s authority simply by describing the calamity and alleging that it occurred on the directors’ watch.” He said a meritorious Caremark claim demonstrates a breach of the duty of loyalty, by way of a failure by the directors to act in good faith
Carelessness absent scienter not bad faith.
Marchand means that “the lack of a system of controls with respect to a particular incarnation of risk does not itself demonstrate bad faith; the lack of such system must be the result of action or inaction taken in bad faith,” the Vice Chancellor said. “This distinction is heightened, I believe, in consideration of risk outside the realm of positive law.”
“Without a satisfactorily particularized pleading allowing reasonably conceivable inference of scienter, a bad faith claim cannot survive a motion to dismiss,” the vice chancellor said in summarizing reasons for dismissal – and the reason why so many Caremark claims are short-lived. Therefore, he said, “to plead potential liability sufficient to cause directors to be unable to consider a demand and thus justify a derivative claim under Rule 23.1, the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty.”
And, he said, that explains why Caremark claims have recently “bloomed like dandelions after a warm spring rain” but “remain, however, one of the most difficult claims to cause to clear a motion to dismiss.”