Director Liability: Boards are on the hot seat over data breaches, illegal sales practices and more.
By Maureen Milford

Directors and officers might want to start 2018 by doubling down on their oversight systems.

Last year, boards and senior managers at several large corporations faced significant shareholder lawsuits over allegations they were not minding the store when their companies suffered high-profile traumas surrounding data breaches, sexual harassment and discrimination scandals or improper sales practices.

“What I’ve seen in these cases is there were a lot of red flags out there and the board just ignored them,” says Jorge Amador, an attorney representing shareholders in a case against Wells Fargo & Co. over phony customer accounts.

In addition to Wells Fargo, directors and top leaders at Home Depot Inc. and Twenty-First Century Fox Inc. found themselves on the hot seat after investors filed derivative cases seeking to hold them personally liable for losses stemming from the crises.

In a derivative lawsuit, shareholders sue a third party on behalf of the company for harm done to the enterprise. Proceeds from a winning case go to the company, not the plaintiffs. In the recent cases against Wells Fargo, Home Depot and Twenty-First Century Fox, shareholders allege the damages resulted from a failure by directors and managers to uphold their fiduciary duties of due care, loyalty and good faith.

For boards, these lawsuits serve as cautionary tales highlighting the obligation to assure there are adequate corporate information and reporting systems to help avoid shocks to the company. Failure at such proper oversight could result in board members and officers being forced to make the company whole, the Delaware Court of Chancery ruled in the 1996 landmark Caremark International Inc. derivative case, which alleged that directors' failure to put in place adequate internal control measures opened the door to employee criminal activity. All three companies are incorporated in Delaware.

In Caremark, the court ruled that a director’s obligation includes a good faith duty to make certain that there are sufficient information and reporting systems so that “appropriate information will come to its attention in a timely manner as a matter of ordinary operations.” Directors could, in theory, be held liable for losses if they failed at this obligation, the ruling says.

“Directors and officers must be cognizant of issues, ask questions and reach a level of satisfaction with the quality of information that they are obtaining,” says Melissa Krasnow, a privacy partner at VLP Law Group.

One emerging oversight risk that could become an important part of the directors’ and officers’ litigation landscape is data security.

“Any entity that receives, transmits, holds or uses data electronically needs to pay attention to this topic,” says Molly McGinnis Stine, cybersecurity attorney at Locke Lord LLP.

While several derivative cases involving cyber intrusions were dismissed, a new development came in 2017 when Home Depot settled a lawsuit in federal court over a massive 2014 cyberattack on its payment card data system.

A number of former and current officers and board members were sued for allegedly failing to institute sufficient internal controls monitoring the risks the company would face in the event of a breach, court papers say. In addition, they allegedly disbanded a board committee overseeing the risks.

The case was dismissed initially at the district court level but was settled after shareholders appealed. It is the first and only settlement of a shareholder derivative lawsuit related to a company data breach, lawyers say.

The agreement’s corporate governance reforms involving cybersecurity could help guide boards in overseeing cyber risks, Krasnow says.

Among other things, the settlement provides for an executive-level committee focused on data security; a partnership with a dark-web mining service to search for Home Depot information; and reports to the board on the information technology budget and the amount spent on cybersecurity measures.

It also allows the board and audit committee to retain their own IT, data and security experts and consultants when necessary.

Stuart Guber, a lawyer representing shareholders in the Home Depot case, says the outcome of the case could make settlement more attractive to companies battling similar litigation. The court approved legal fees of more than $1 million.

But it could encourage lawyers seeking to capitalize on chronic cybersecurity risks, warns Kevin LaCroix, an attorney who consults with companies on directors’ and officers’ liability insurance matters.

Another significant development came in 2017 when directors and officers at Twenty-First Century Fox approved a $90 million settlement of a lawsuit brought by pension funds and individual shareholders in Delaware Chancery Court. The shareholders alleged the senior management and board failed in their duty to monitor sexual harassment and racial discrimination developments at Fox News Channel.

The settlement, to be paid by directors and officers liability insurance, is one of the 10 largest derivative settlements in history, lawyers say.

That settlement provides for governance and compliance enhancements, including the creation of a Fox News workplace professionalism and inclusion council that reports to the board.

“If shareholders bring one of these suits (at other companies) and it comes out the directors hadn’t asked about exposure, it starts to have the markers of a board that’s asleep at the wheel,” says Eric Talley, a corporate law and governance professor at Columbia Law School.

Still being litigated is a case brought in federal court by pension funds against directors and officers at Wells Fargo & Co. over the creation of millions of unauthorized checking accounts, credit cards and services.

Shareholders allege the board members and senior managers ignored red flags, endorsed unreasonable sales quotas and cross-selling requirements, and had inadequate risk controls.

Wells Fargo senior executives and directors, LaCroix says, were lulled by a “better than others” set of assumptions that grew out of its good performance during the credit crisis.

The lesson of derivative cases is that directors should ask questions and be proactive at the first red flag, maintains Amador, the lawyer who represented Wells Fargo shareholders.

“I think a lot of times boards are persuaded by management that they’ve looked at it and taken care of it,” he says. “Don’t take the first response.”

Maureen Milford is a Delaware-based business writer focused on corporation law and corporate governance matters.


