Two lawsuits against directors – a data breach and an environmental disaster – offer guidance.
As risks continue to evolve and socially conscious, activist shareholders wait in the wings, boards must be proactive in their oversight role. In particular, boards must take an active role to protect companies from emerging cyber threats and potential environmental catastrophes.
Fortunately, recent cases in which claims against directors have been dismissed offer guidance as to the standards of care that boards must bring to their oversight role in the face of modern corporate threats.
For instance, following a cyberattack against the Home Depot that resulted in the financial information of 56 million customers being compromised, shareholders brought suit against the board. The shareholder-plaintiffs alleged that the board had failed to protect the company from the attack either by failing to identify the risk or by failing to implement controls to eliminate the risk.
In November 2016, the United States District Court for the Northern District of Georgia dismissed the claims against the board, noting that the Home Depot’s board had committees tasked with identifying and evaluating the cyber threats and that these committees had been informed by management of potential cyber threats. The committees had reported to the board as a whole, a remediation plan had been approved, and the plan was in the process of being implemented when the attack occurred. The shareholder-plaintiffs claimed that the board had acted too slowly in protecting the company, but the court disagreed and acknowledged that the board’s decisions to address known threats were reasonable under the circumstances.
In addition, a recent case involving the spill of toxic wastewater further illuminated the standards to which directors and officers will be held in their risk management and oversight roles. In a case involving a Duke Energy environmental disaster, the Delaware Court of Chancery dismissed claims in 2017 brought against the company’s board members following the rupture of a storm water pipe at an energy facility, which sent toxic coal ash and other pollutants into a nearby river.
The shareholder-plaintiffs alleged that the board had failed to exercise proper oversight based on the board’s knowledge of the complex environmental risks at the site. The court found, however, that while the board was aware of the risks, a specially designated committee was actively working with regulatory authorities to mitigate risks and bring the site into compliance when the accident occurred. Accordingly, the court found that the shareholder-plaintiffs could not demonstrate the requisite bad faith to maintain their claims against the individual board members.
These cases offer important guidance regarding how boards will be judged for their response, or lack thereof, to changing corporate threats. While the core function of oversight and risk management may not have changed, how successful boards are implementing these functions is evolving as quickly as the threats. At a fundamental level, a board that is providing effective oversight does so by identifying potential risks, implementing a strategy to address the risks, and integrating that concern into corporate culture through ongoing communication – without micro-managing – with high-level executives.
Data breaches, such as the Home Depot case, provide a good example of how modern boards must take a proactive approach in order to provide effective oversight. In the case of cyber threats, even the task of identifying risks requires that boards and, in particular, any appropriate subcommittee, first identify the company’s digital assets and then stay abreast of new schemes and attacks that other companies are facing. Similarly, to implement an effective strategy to meet these threats, the board must also be up to date on all technologies available to counter them. Also, because the weakest link in any digital defense is usually the users, instilling a corporate sensitivity to the issue through effective training is essential.
Similarly, the complex environmental risks and mitigation technologies in energy production and the harvesting of natural resources require that board members be knowledgeable about industry developments. In the Duke Energy case, the board’s active engagement with regulators and meaningful efforts to investigate and plan for potential environmental risks proved to be critical aspects of the risk management culture that avoided additional liability for the company and the board itself. Moreover, the large-scale compliance projects required extensive work between the board, management, and on-the-ground employees.
The challenge of effectively identifying risks and instilling a company-wide appreciation of those risks is not a new task for boards. However, successful boards are realizing that as technology continues to evolve rapidly and shareholders mindful of social issues stand ready to hold boards accountable, directors must be proactive to understand the risks on the horizon and take steps to address them today.
Stephanie Resnick and John C. Fuller are attorneys for Fox Rothschild.