In the wake of major cybersecurity incidents, it is becoming increasingly common for shareholders to bring derivative lawsuits alleging that the officers or board members failed to exercise proper governance over cybersecurity. Some companies have paid settlements to resolve such matters, but few derivative actions have ended in judgment on the merits in favor of plaintiffs, largely because plaintiffs are rarely able to show that directors failed to execute their oversight responsibilities. A recent ruling by the Delaware Court of Chancery dismissing a derivative lawsuit against Marriott International, Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021), reiterates that directors who monitor cybersecurity governance, work to mitigate cyber risks, and seek outside advice on data protection issues will usually not face liability.

Background

In the fall of 2018, Marriott discovered and eventually disclosed that hackers had infiltrated Starwood Hotels & Resorts Worldwide, which Marriott had acquired in 2016. As part of the attack, hackers allegedly retained access to the Starwood reservation system from 2014 through 2018, a breach that exposed sensitive information—names, addresses, credit card numbers, and, in some cases, passport numbers—of hundreds of millions of people. The incident marked one of the largest data breaches in history, surpassed only by cyberattacks against Yahoo! in 2013 and 2014. A series of federal lawsuits, including this shareholder derivative action, ultimately ensued.

In the derivative complaint against Marriott, the Firemen’s Retirement System of St. Louis, a Marriott shareholder, claimed that directors breached their fiduciary duties by failing to conduct adequate due diligence into Starwood’s cybersecurity systems before the acquisition. The court held that this pre-acquisition claim was time-barred because it arose more than three years before the complaint was filed and no basis for tolling applied. Additionally, the plaintiffs in Sorenson alleged that, following the Starwood acquisition, the Marriott board failed to oversee cybersecurity issues, including the implementation of adequate security controls, the operation of Starwood’s compromised systems, and the timely disclosure of the data breach, and that the directors accordingly breached their duty of loyalty.

Application of the Caremark Standard to Marriott

The standard for director oversight liability was established in In re Caremark International Inc., 698 A.2d 959 (Del. Ch. 1996). Under the Caremark standard, directors must “exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.” Caremark was not a cybersecurity case, but this standard has since been applied in the wake of data breaches, where derivative suits allege that the board failed in its duty to oversee cybersecurity issues. Even though the court in Sorenson found that the directors fulfilled their oversight responsibilities under the Caremark standard, the case is a good reminder of the importance of sound corporate governance structures for cybersecurity risks.

In finding that the plaintiffs’ claims in Sorenson fell short of establishing liability for oversight failures under Caremark, the court noted that the Marriott board acted in good faith to fulfill its oversight duties: it was regularly updated on cybersecurity risks and engaged outside consultants and auditors to improve data management practices. Moreover, the court found that the Marriott-Starwood systems were not in violation of any law or regulation, and that the board did not deliberately disregard red flags but rather relied on management’s reports that it was addressing or would address cybersecurity issues. As the court noted, the Caremark standard requires plaintiffs to establish that there was not merely a “flawed effort” at oversight, but an intentional and “deliberate failure to act.”

What this means going forward

The court in Sorenson was clear: while cybersecurity threats pose “growing risks” that must be taken seriously, “a showing of bad faith conduct” is still required to establish director oversight liability. The Marriott directors were able to avoid such liability because, in spite of the incident, the board was not turning a blind eye to cybersecurity but was instead focused on the issue. Board-level monitoring and reporting systems were in place, and “the Board and Audit Committee were ‘routinely apprised’ on cybersecurity risks and mitigation, provided with annual reports on the Company’s Enterprise Risk Assessment that specifically evaluated cyber risks, and engaged outside consultants to improve and auditors to audit corporate cybersecurity practices.” The measures taken by the Marriott board show that it was working to educate itself on the evolving privacy and cyber threat environment.

Data is a valuable asset, and failure to protect a company’s data or systems can create substantial risk. To carry out their oversight duties, boards must keep pace with increasingly complex cyber threats and comply with evolving data-security laws and regulations. Corporate boards would be wise to adopt measures similar to Marriott’s to ensure their directors have the knowledge necessary to fulfill their oversight obligations.