On September 6, 2022, Vice Chancellor Sam Glasscock III of the Delaware Court of Chancery granted a motion to dismiss derivative claims for breach of fiduciary duty brought by stockholders of a software company (the “Company”) against its directors following a cyberattack. Construction Industry Laborers’ Pension Fund v. Bingle, No. CV 2021-0940-SG (Del. Ch. Sep. 6, 2022). After the Company allegedly fell victim to hackers who accessed confidential information on the systems of thousands of its customers, plaintiffs alleged that defendants had failed to adequately address the risk to cybersecurity in breach of their oversight obligations under Caremark. The Court indicated that cybersecurity is “mission critical” for online service providers and the complaint alleged oversight practices that were “far from ideal.” But the Court held that pre-suit demand was not excused because the complaint did not plead “specific facts” from which the Court could “infer bad faith liability.”
The Court noted that derivative cases alleging oversight failures—under In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)—have recently “bloomed like dandelions after a warm spring rain.” The Court explained that these cases “superficially at least, seem easy to conjure up: find a corporate trauma; allege the truism that the board of directors failed to avert that trauma; and hey, presto! an oversight liability claim is born.” But the Court emphasized that such claims remain among the “most difficult claims to cause to clear a motion to dismiss” because directors are not liable for “simple negligence” or, in most cases, even gross negligence (as exculpation clauses under Delaware General Corporation Law Section 102(b)(7), such as the one in the Company’s charter, have become ubiquitous). As a result, “the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty,” and this entails a particularized pleading of “scienter, demonstrating bad faith.”
As alleged, the directors “failed to prevent a large corporate trauma.” After the cyberattack, the Company’s stock allegedly suffered “significant losses,” with its value discounted by more than 30%, and license revenues and other financial metrics were also allegedly “negatively affected.” However, the Court concluded that defendants (1) were not “credibly alleged” to have allowed the Company to violate positive law; (2) did ensure “at least a minimal reporting system” with respect to risk, including cybersecurity; and (3) were not alleged to have “ignored sufficient ‘red flags’ of cyber threats.”
The Court highlighted that the complaint itself indicated that two committees of the board were “charged with oversight responsibility for cybersecurity.” And the Court concluded that an inference of bad faith was “unwarranted” notwithstanding the allegation that these committees did not specifically report to the full board on cybersecurity risk for two years in advance of the attack. The Court noted that a “subpar reporting system” between a committee and the fuller board is “not equivalent to an utter failure to attempt to assure that a reporting system exists.” The Court also found that the allegations of ignored red flags did not support an inference of bad faith. The Court explained, for example, that a “Cybersecurity Briefing” given to one of the committees, which indicated the Company “might become” the target of a cyberattack and described the Company’s success to that date in preventing such trauma, was “in fact, an instance of oversight” rather than a red flag.