Caremark claims, named after the landmark case In re Caremark International Inc. Derivative Litigation, have been described as one of the most difficult theories for plaintiffs to pursue. These claims allege that directors breached their fiduciary duties by failing to make a good-faith effort to oversee the company's operations. Delaware courts have consistently held that a failure of oversight claim may only be established where “(a) directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.”
The Bar Remains High
Starting in 2019 with Marchand v. Barnhill, several decisions allowed Caremark claims to survive motions to dismiss, thus calling into question whether such claims remained one of the “most difficult” upon which plaintiffs might hope to win a judgment. These decisions emphasized the need for rigorous oversight, particularly where “externally imposed regulations govern [the company's] ‘mission-critical' operations.”
However, a growing number of recent decisions have dismissed Caremark claims at the pleading stage, reaffirming that failure of oversight claims are intended to address only “the extraordinary case where fiduciaries' ‘utter failure' to implement an effective compliance system or ‘conscious disregard' of the law gives rise to a corporate trauma.” Certain takeaways emerge from these recent cases.
New types of threats do not lower the pleading threshold. In Firemen's Retirement System of St. Louis v. Arne M. Sorenson, et al. (Marriott International Inc.), the court dismissed a claim alleging the board's “bad-faith decision” not to update the company's “severely deficient information protection systems” led to a cybersecurity breach. While the court recognized new risks “increasingly call upon directors to ensure that companies have appropriate oversight systems in place,” it concluded that such “growing risks” “do not, however, lower the high threshold that a plaintiff must meet to plead a Caremark claim.”
Oversight claims are reserved for legal — not business — risks. In Segway Inc. v. Cai, the Court of Chancery rejected attempts to extend oversight liability to ordinary business risks, as opposed to legal risks. In granting defendants' motion to dismiss, the Court reaffirmed that “generic financial matters are far from the sort of red flags that could give rise to Caremark liability if deliberately ignored.” Similarly, in In re ProAssurance Corp. Stockholder Derivative Litigation, the court dismissed duty of oversight claims explaining that “[t]he only so-called red flags were of business risks – not illegality. How (and whether) to respond was entirely within the directors' discretion.”
Good-faith response to potential red flags — even if imperfect — undermines any inference of bad faith. In Bricklayers Pension Fund of Western Pennsylvania v. Brinkley et al., the board was accused of failing to implement and monitor compliance policies, leading to regulatory enforcement actions. The Court dismissed the complaint, holding that the stockholders had “fallen short” of pleading that a majority of the board acted in bad faith: “[T]he Board accepted management's statements that both the compliance issues and the regulatory risks were being handled” and “did not make a conscious decision to violate the law.”
More recently, in In re TransUnion Derivative Stockholder Litigation, the Court dismissed an oversight claim alleging that the board “resisted the terms of the [Consumer Financial Protection Bureau] Consent Order” by waiting to implement remedial efforts based on “knowingly incorrect and unsupported” legal advice. The Court held that “an inadequate, delayed or misguided response to red flags cannot support a claim for breach of the duty of loyalty — no matter how it is categorized.” Thus, “directors' efforts to comply with [a consent order]” undermine a failure of oversight claim — “even where corporate traumas unfold.”
Context is necessary to determine whether the board acted in bad faith. In Conte on behalf of Skechers U.S.A. Inc. v. Greenberg, the Court held that the plaintiff did not meet his “significant burden” of showing that the board acted in bad faith by awarding management “excessive compensation” and allowing personal use of the company's airplanes because those risks were not part of widespread operational deficiency or questionable legality. The Court noted, however, that “[s]ome risks are so severe” that “inaction alone can support an inference of bad faith.” “But as the magnitude or severity of the risk decreases, more facts are required to support an inference of bad faith: continued monitoring, or even intentional inaction, may not alone rebut the business judgment rule.”
Best Practices
Companies of all industries, sizes and locations face risks that can impact — both positively and negatively — a company's business model and strategies. Boards should continue to establish and carefully monitor compliance systems and make genuine efforts to address yellow or red flags as they arise. In fulfilling these duties, boards should keep the following points in mind.
Remember that risk assessment and oversight is an ongoing process. Boards should continue to assess any changes in the company's overall business environment as well as any compliance or operational issues. For example, prior to 2020, many companies may not have anticipated the risks related to a global pandemic, and risks relating to cybersecurity threats and issues relating to artificial intelligence are now top-of-mind for many companies. Boards should prioritize potential risks and should ensure responsibilities relating to risk management, including oversight, are clearly delineated within the company and at the board committee level.
Ensure systems are in place and monitor to ensure they are effective. Boards need to ensure that the maturity of their company's approach to risk management keeps up with the increasing complexities of risks that companies face. Thus, not only do boards have a duty to ensure robust compliance policies and systems are in place, but they must also regularly assess, monitor and update the company's compliance systems.
Ensure systems delineate how red flags are identified and potentially escalated. Protocols should be in place to ensure the board is timely informed of any red flags or significant compliance-related issues and that management has a clear understanding of the board's expectations. While boards are permitted to rely on reports from management, boards should devote enough time to properly understand any compliance-related issues, ask probing questions, and require regular updates confirming that any such risks are being mediated and appropriate steps are being put in place to prevent recurrence.
Ensure minutes and other risk management related materials are properly documented. Board and committee minutes should adequately reflect the board's discussion of key issues relating to risk management and potential compliance-related issues. Documentation reflecting the board's oversight of compliance-related systems, involvement in monitoring and responding to red flags, and informed decision-making (including seeking advice from experts) can be crucial to establishing an effective defense in any future litigation.
Establish a culture of risk management and compliance. The board should make sure that executives understand the strategic value of proactive risk management, including through appropriate training as needed. Risk management should not be seen as bureaucratic and non-value-adding and should not be siloed within certain departments. Instead, risk management and compliance should be values that are embraced throughout the organization.
Caremark liability requires more than imperfect compliance and will not extend to every business decision that carries risk. Nonetheless, the case law in this area continues to evolve and board members should continue to ensure that companies have compliance systems in place, that there are clear expectations regarding how and when red flags are escalated to the board level, and that any response to red flags is well formulated and documented.