Court of Chancery Finds That Complaint Fails To Adequately Plead Caremark Claim In Context Of SolarWinds Cybersecurity Breach
Construction Industry Laborers Pension Fund v. Bingle, C.A. No. 2021-0940-SG (Del. Ch. Sept. 6, 2022)
Under the Delaware Supreme Court’s Caremark decision and its progeny – including its most recent articulation in Marchand v. Barnhill – corporate directors who in bad faith fail to impose systems for monitoring important risks or fail to act in response to known “red flags” conceivably face monetary liability for breaching the fiduciary duty of loyalty. This decision observes that, where Caremark claims have survived a motion to dismiss under Court of Chancery Rule 23.1, the alleged breaches generally have arisen in the context of violations of positive law or regulations.
In this case, plaintiffs alleged that the directors of SolarWinds, an online provider of information technology management services, purportedly failed to oversee a cybersecurity threat and subsequent breach. Because the plaintiffs did not plead any violation of positive law or regulations arising from the directors’ supposed lack of oversight, the Court viewed the claim as an alleged failure to protect against business risk. According to the Court, directors’ monitoring of business risk is not typically the basis for an oversight claim because, among other reasons, it generally implicates the directors’ duty of care, breaches of which are often exculpated. However, the Court recognized that cybersecurity threats are a “peculiar kind of business risk” for an online company and could potentially form the basis of a Caremark claim even absent violations of positive laws or regulations. Ultimately, the Court determined that it did not have to address this issue because the complaint failed to adequately plead that the directors engaged in a bad faith failure to implement a monitoring system or ignored red flags, the normal prerequisites for viable Caremark claims.