There is no denying it: Corporate board members are increasingly at risk because of their duty to exercise oversight and monitor corporate actions. At the first whiff of a corporate scandal, shareholders, prosecutors and regulators, among others, all ask the same question: 'Who is responsible?" And as President Harry Truman might have said, "The buck stops with the board."
If history is our guide, however, the likelihood of a board member being held personally liable for poor oversight of a public company is on par with the chance of being struck by lightning. This is because director and officer insurance almost always covers any liability or settlement. According to a 2006 study, between 1980 and 2005 there were only 12 cases in which directors were forced to make payments that were not covered by insurance, including legal fees. Specifically for Delaware companies, there were only two instances in which directors were required to payout of their own pockets for their actions.
Claims Against Directors
Director liability law is fairly well established, and claims typically arise in one of two scenarios:
- The directors should be liable because they made a decision or took that an action was either negligent or ill-advised (i.e., they breached their duty of care).
- The directors failed to act in a situation in which they could have prevented a loss, (i.e., they breached their duty of loyalty).
Claims alleging a breach of the duty of care are unlikely to succeed because directors enjoy the protections of the director-friendly business judgment rule. Essentially, this immunizes a director's conduct from judicial scrutiny as long as the decision is informed, made in good faith and made with the genuine belief that the decision was made in the company's best interest. Even if a plaintiff can overcome the presumptions in favor of a director by showing gross negligence, many companies have adopted charter or bylaw provisions consistent with Delaware law, thereby insulating directors from liability for a breach of their duty of care.
In the second scenario, a director is not insulated from liability under Delaware law, and a director's conduct is evaluated under the standards enunciated in Caremark International Inc. Derivative Litigation and its progeny. This oversight liability attaches when directors consciously disregard their responsibilities, either 1) by failing to implement a sufficient reporting system; or 2) after implementing a reporting system, failing to properly oversee or monitor its operations by serving as passive recipients of information. Outside of the legal arena, this is often referred to as "burying one's head in the sand" or just looking the other way. Simply put, making no decision may indeed be worse than making any decision, even a bad one.
Directors today are under more scrutiny than ever, as corporate scandals have led to the adoption of Sarbanes-Oxley and the more recent Dodd-Frank Act. One of the main objectives of Dodd-Frank is to increase transparency and improve accountability in the corporate financial world. As a result, board members are now required to spend more time on oversight of a company's operations than perhaps was the case in prior years.
A key determinant of directors' liability is how they act once a red flag is identified. When a warning sign appears, a director is required by law to diligently undertake a reasonable investigation. But an open issue at hand is how much training companies provide to their directors so that they are able to properly identify potential issues and respond accordingly, or to actively oversee the compliance program. In light of many recent cases, the answer is: Not enough. One potential proactive approach would be for a corporate board to annually review all of the material events that impacted their company over the past year (both external and internal) and assess how prepared the management team was for each event.
"Corporate Investigation" Lawyers
Lately it appears that a cottage industry has emerged among lawyers who claim to specialize in "corporate investigations." These corporate investigations formerly were the purview of a company's general counsel or legal staff. However, courts became less likely to apply the business judgment rule if an investigation was conducted in-house. This reluctance has spawned the exponential growth of corporate investigations and more or less established that the standard of care is to retain outside counsel. Even though the costs of these investigations can be prohibitive, there appears to be no consensus on a different tactic.
In the face of a government enforcement action, whether from the U.S. Securities and Exchange Commission or the U.S. Department of Justice, a director's playbook is pretty straightforward. Directors establish a committee to exercise day-to-day supervision of an internal investigation and to monitor the progress in order to best ensure the company's protection. One way for directors to limit their exposure-and perhaps even cut down on corporate misconduct-is to provide the same oversight on an ongoing, day-to-day basis. From the company's perspective, the likely result of such proactive conduct would be a decrease in the number of required corporate investigations and the identification and remediation of issues before they become significant liabilities. And viewed through the eyes of a director, such an approach could lessen the likelihood of future liability.
Other Emerging Risks
New technologies and cybersecurity issues also present challenges for directors and pose potential increases in their liability. As technology continues to advance, companies of all sizes are becoming more dependent on technology for all facets of operations, ranging from communicating via texts and emails, to storing records electronically, to maintaining key proprietary information digitally. As a result, cybersecurity should be at or near the top of the agenda for boards of directors. On a regulatory level, fines for data breaches can be substantial and civil litigation is guaranteed to follow.
The recent Target Corp. data-breach incident serves as a stark reminder of the significant dollar and reputational costs of a breach. In this situation, the national retail giant experienced a massive data breach between November 27 and December 15, 2013, exposing as many as 40 million customers who had used debit or credit cards at Target stores to potential fraud. The company did not acknowledge the security breach until December 19, after the news was leaked via a security blog, KrebsOnSecurity.com, and in the Wall Street Journal. In January 2014, Target disclosed that an additional70 million customers had their personal information stolen during the breach. The company also noted that sales were "meaningfully weaker-than-expected" after news of the data breach was disclosed. Although Target has yet to provide an estimate of the full cost of the breach, at least one expert has suggested that the cost could be as high as $400 million to $450 million. This estimate excludes any reputational damages, which are significant and may continue to increase over time.
Absent an incident, how much of board members' time is spent evaluating or analyzing risk? Most likely, not enough. How many corporate boards have members with significant IT experience? Certainly not most. And how many boards are truly informed about cyber-risks so that they are not dependent on the company's IT department? Very few. Yet multiple surveys report that data security is a top concern for corporate executives. The obvious question for directors, then, is whether they are taking sufficient steps today to protect their company's digital assets, or whether hindsight will prove they were asleep at the wheel.
In no way are directors expected to be omniscient or able to predict every potential liability that a company may face. But they must be engaged and provide constant oversight. Indemnification provisions in bylaws or charters and insurance policies are two ways that directors can limit their own out-of-pocket liability. The law has further built-in protections as exemplified in the business judgment rule, but directors must be mindful of their oversight responsibilities and the liability that can attach when shirking those duties. The hard costs can be quantified. The reputational damages cannot.