The trend in many legal quarters toward imposing upon businesses affirmative duties to implement measures to help prevent data breaches and comply with ever-expanding data privacy regulation—and liability if they fail to do so—has brought increased scrutiny of the actions, or more likely inactions, of corporate directors in the cybersecurity arena. A series of cases applying Delaware law, culminating in the June 2019 opinion in Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019), indicate that directors who leave cybersecurity and data privacy compliance to management may run a substantial risk of personal liability if they turn a blind eye toward the adequacy of management's response. These developments are of interest to New Jersey attorneys who advise companies on these matters, because many in-state corporations were incorporated in Delaware and because many states, including New Jersey, follow many aspects of Delaware corporate law. In re Merck & Co. Sec., Derivative & ERISA Litig., 493 F.3d 393, 399 (3d Cir. 2007).

Delaware cases decided before Marchand, including the seminal case of In re Caremark Int'l Derivative Litig., 98 A.2d 959 (Del. Ch. 1996), established that directors breach their duty of loyalty if they fail to make a good faith effort to monitor and oversee a company by either "utterly fail[ing] to implement any reporting or information system" that would allow information to reach the board or, if such a system exists, by "consciously fail[ing] to monitor or oversee" the company's operations through that system. Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 370 (Del. 2006). While most so-called "Caremark claims" fail because the plaintiff concedes at least some form of board level monitoring and reporting, the allegations in Marchand presented the type of "utter failure" to monitor a company's "essential and mission critical" compliance issues that would be sufficient to support a Caremark claim. 212 A.3d at 822-24.

The court in Marchand found that the plaintiffs had adequately alleged that the directors overseeing operations at Blue Bell Creameries had no board-level system of monitoring and reporting to oversee a "central compliance issue" of the company, namely whether its sole product—ice cream—was safe to eat. At the pleading stage, those allegations were sufficient to support an inference that the board had "not made the good faith effort that Caremark requires." Id. at 822. While "directors have great discretion to design context- and industry-specific approaches tailored to their companies' businesses and resources," a board must at least "make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting" for "compliance issue[s] intrinsically critical to the company's business operation." Id. at 821. In other words, directors have a duty not only to respond to critical compliance issues that come to their attention, but must also set up a system of monitoring and reporting to ensure that information about those issues reaches them in the first place.

Thus, Marchand involved the directors' failure to monitor, and thus detect, management's failure to comply with food safety regulations and practices, but the court did not define the outer bounds of what constitutes a "central compliance issue" which is "intrinsically critical to the company's business operation" for which a board's failure to monitor opens the door to a Caremark claim. However, the increasing trend of governments everywhere to enact stricter cybersecurity and data privacy laws that impose substantial penalties for their violation, as well as the prevalence of cybersecurity enforcement actions, suggests that at least some aspects of a business's cyber practices—legal, operational and technical—fall within this zone of intrinsically critical compliance issues.

For example, New Jersey has already collected over $6.4 million through data breach settlements in 2019, and the attorney general has stated that privacy enforcement is "clearly something that's very important to the attorney general's office overall." Allison Grande, NJ AG to Keep Privacy Pressure on as Breach Reports Drop, https://www.law360.com. Even beyond the risks associated with government enforcement actions or private litigation, data breaches are massively costly in terms of detection and escalation, complying with breach notification requirements, setting up post data breach processes like help desks or credit monitoring, and reputational harm/lost business. IBM Security, Cost of a Data Breach Report (2019). Finally, data breaches may result in the theft of a business' own confidential information and intellectual property, with potentially crippling financial consequences.

Indeed, one Delaware court has already stuck cybersecurity's toe in Caremark's waters, although perhaps in a limited sense. In In re Facebook Section 220 Litig., the FTC found that Facebook had used inadequate data security measures to protect users' data and entered a consent decree that required Facebook to develop and maintain a sufficient privacy program. No. CV 2018-0661-JRS, 2019 WL 2320842, at *3 (Del. Ch. May 30, 2019). Thereafter, a shareholder brought suit to compel Facebook to provide access to its internal records, which required the shareholder to show a "credible basis" to infer mismanagement or wrongdoing by the board. Id. at *12. The court found that there was "some evidence" that the board had breached its Caremark duties because the board, among other things, "knew of the Company's obligations [to] implement data security measures, knew the Company had not implemented or maintained those measures as required by the Consent Decree and, nevertheless, condoned the Company's monetization of its users' private data in violation of the Consent Decree." Id.

Although Facebook may provide a glimpse into the future, it does not suggest that every failure to monitor and appropriately respond to every aspect of a business' cyber and data privacy compliance leaves directors open to liability for breach of their fiduciary duties. Some cyber-related operations are more important to a company's business than others, with different legal and business-related consequences depending upon circumstances. Moreover, some cyber and privacy laws are specific and require particularized actions. Many others are more general and nebulous.

Although security is relative, a legal standard for "reasonable" security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords or the like) and instead adopts a fact-specific approach to business security obligations that requires a "process" to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.

Rhoads and Litt, ABA Cybersecurity Handbook, Second Edition 73 (American Bar Association, 2018).

Given these variables, no bright-line rule emerges defining a board's fiduciary duties to oversee cybersecurity and data privacy compliance. Moreover, while Caremark, Facebook and Marchand collectively impose a duty to implement a reasonable reporting system concerning intrinsically critical compliance issues, no specific system of monitoring is required, and courts have been reluctant to permit shareholders to second-guess the adequacy of such a system or the sufficiency of a board's response to information that comes to its attention. For example, in Rojas on behalf of J.C. Penney Co. v. Ellison, the court found that the directors had adequately established a reporting system regarding their company's compliance with advertising regulations because it had an audit committee tasked with overseeing legal and regulatory compliance, and required, at a minimum, yearly meetings with the company's general counsel as well as discussions with management about "material issues regarding the Company's financial statements or accounting policies or its compliance with law or regulation." No. CV 2018-0755-AGB, 2019 WL 3408812, at *9 (Del. Ch. July 29, 2019).

Similarly, in In re The Home Depot Shareholder Derivative Litigation, Home Depot suffered a breach of its credit card reading system starting in April of 2014 that cost the company nearly $10 billion. 223 F. Supp. 3d 1317, 1322 (N.D. Ga. 2016). Two shareholders argued that the board had been informed on multiple occasions that Home Depot was not compliant with Payment Card Industry Data Security Standards, but it did not take adequate action to quickly remedy the situation. The court, applying Delaware law, found that the board acted appropriately by approving a plan that would have achieved compliance by February 2015, and thus, even if "the implementation of the plan was probably too slow, and … would not have fixed all of the problems Home Depot had with its security," the board's response must simply be reasonable, not perfect, and therefore the shareholders had failed to adequately plead that the directors breached their fiduciary obligations. Id. at 1327.

These cases suggest a dichotomy between boards that do nothing to monitor companies' compliance with critical requirements, and those that try in good faith but perhaps fail to catch or resolve issues before they cause problems. Although one can envision potential liability under circumstances where a monitoring program is so ineffective on its face as to amount to no program at all, or where the board's response to information concerning a compliance issue is so woefully inadequate that it could not reasonably fix the problem, the key takeaway can be found in the oft-repeated movie line, "Don't just stand there! Do something!" If at least some aspects of cybersecurity and data privacy are intrinsically critical to the company's operations, then the board must actively seek information to monitor the company's compliance, and, if information concerning a cybersecurity issue comes to the board's attention, it must act in good faith to address it, even if that means merely approving management's existing plan. To do otherwise would fly in the face of a growing risk of liability.

Robert Egan is a partner with Archer Law in Haddonfield. He is the chairperson of the firm's Commercial and Business Litigation Group. Nicholas Franchetti is an associate at the firm, focusing his practice in the area of commercial litigation.