In the Age of Data Mega-Breaches, Delaware Chancery Court Explains Legal Standard for Imposing Oversight Liability on Corporate Directors
December 1, 2016
Paul K. Schrieffer, Esq.
P. K. SCHRIEFFER LLP
In Reiter v. Fairbank, C.A. No. 11693-CB (Del. Ch. Oct. 18, 2016), the Delaware Court of Chancery recently discussed the standard under Delaware law for imposing oversight liability on corporate directors. The case involved a derivative action by a shareholder of Capital One Financial Corporation. The plaintiff asserted that the company’s directors breached their fiduciary duty of loyalty and unjustly enriched themselves by shirking their responsibility to oversee the company’s compliance with the Bank Secrecy Act and other anti-money laundering laws (“BSA/AML”). The plaintiff’s core allegation was that the directors ignored red flags that Capital One’s BSA/AML compliance program failed to satisfy statutory requirements relating to check-cashing services, which poses a risk for money laundering.
Before filing suit, the plaintiff obtained Capital One’s books and records. The documents revealed that the board’s Audit and Risk Committee received at least 25 reports over a three-and-a-half-year period warning of the company’s BSA/AML compliance risk, which escalated from “low” in early 2011 to “high” in early 2013, where it remained in 2014. In December 2013, moreover, Capital One received a grand jury subpoena from the New York District Attorney requesting information regarding the company’s AML control and check-cashing clients. The next month, in January 2014, management reported to the Audit and Risk Committee that the company had decided to exit the business of check-cashing altogether.
The plaintiff contended that these reports should have prompted the directors to impose greater internal AML controls. The court disagreed, finding that the plaintiff failed to allege facts sufficient to infer that the directors consciously allowed Capital One to violate BSA/AML statutory requirements. The court explained that Delaware has a stringent standard for imposing oversight liability on directors. This standard, known as the Caremark standard, requires evidence of bad faith, meaning that “the directors knew that they were not discharging their fiduciary obligations.” Slip Op., p. 2 (quoting Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006)). To establish oversight liability under Caremark, “plaintiffs would have to show either (1) that the directors knew or (2) should have known that violations of law were occurring and, in either event, (3) that the directors took no steps in a good faith effort to prevent or remedy that situation, and (4) that such failure proximately resulted in the losses complained of.” Slip Op., p. 17 (quoting In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959, 971 (Del. Ch. 1996)).
Although Reiter did not involve the issue of data security, directors of Delaware corporations should carefully review the Caremark standard governing oversight liability. Data security laws are numerous, and companies are more frequently becoming the targets of domestic, international, and nation-sponsored data breaches. Directors should consider the nature and sensitivity of the data being stored by the company, the potential risks of unauthorized access, the company’s compliance with laws and regulations governing data security, and the strength of the company’s internal data security controls. Directors should also make sure they are kept informed by management of any potential or ongoing cybersecurity threats or breaches. Directors may also consider inquiring into whether the company has sufficient liability and data breach expense insurance coverage to mitigate such risks.