From: Orrick — Securities Litigation and Enforcement Blog
by M. Todd Scott, Alex Talarides and Jim Kramer
What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?
In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty.
As Delaware courts have repeatedly held, a Caremark claim is possibly the most difficult theory in corporations law upon which a plaintiff might hope to win a judgment. To succeed, a plaintiff must establish:
• The existence of facts suggesting that the board knew that internal controls were inadequate and could leave room for materially harmful behavior, and
• That the board chose to do nothing about the control deficiencies that it knew existed.
Put another way, the plaintiff must be able to show a “sustained or systematic failure of the board to exercise oversight.” While this standards are strict, one could easily envision a situation whereby a company suffers a serious cyber attack and then, months later, suffers another. The board surely knew of the first attack and knew of the damage it caused the company, so to the extent a plaintiff could show the board’s response was insufficient – to the extent a plaintiff could show the board ignored the “red flag” of the prior attack – a claim could arise.
![Share on Facebook Facebook](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/facebook.png)
![Share on Twitter twitter](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/twitter.png)
![Share on Google+ google_plus](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/google_plus.png)
![Share on Reddit reddit](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/reddit.png)
![Pin it with Pinterest pinterest](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/pinterest.png)
![Share on Linkedin linkedin](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/linkedin.png)
![Share by email mail](https://www.thecre.com/fisma/wp-content/plugins/social-media-feather/synved-social/image/social/regular/96x96/mail.png)
Leave a Reply