Chancellor Allen’s famous and prescient 1996 opinion in Caremark will soon be twenty-five years of age. It has more than stood the test of time. Indeed, it has become gospel as an enduring corporate governance doctrine and a dynamic driver of modern-day oversight and compliance requirements. Although it did not become enshrined as a major Delaware Supreme Court precedent until the Stone v. Ritter Delaware Supreme Court decision in 2006, Chancellor Allen’s 1996 Caremark dictum enjoyed from the outset the international respect of a precedent that had the imprimatur of a Delaware Supreme Court holding.
In this article we analyze the Caremark opinion itself, including the key and lasting importance of Chancellor Allen’s sua sponte invocation of the United States’ Organizational Sentencing Guidelines. He correctly concluded that the Sentencing Guidelines provide “powerful incentives for corporations to have in place compliance programs . . . and to take voluntary remedial efforts.” He parlayed those “powerful incentives” into the conclusion that the proper exercise of good faith requires that “a director’s obligation includes a duty to assure that a corporate information and reporting system . . . exists, and that the failure to do so under some circumstances may . . . render a director liable for losses caused by non-compliance with applicable legal standards. [But] . . . only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”
While Caremark/Stone state that there is theoretical exposure of directors to liability for violation of their duty of loyalty if they “utterly” fail in good faith to implement and monitor an internal information system (i.e., oversight protocols), such Delaware litigation liability is rare and hard to plead/prove. But recent Delaware cases at the pleading stages have framed parameters where this theoretical exposure might or might not become a real concern of the boards of directors, particularly where there is little or no board involvement and/or where “red flags” are ignored.
Moreover, there are developments at the federal and scholarly levels that flesh out the oversight obligations of corporations, alternate entities, and their governing bodies. These developments, coupled with Delaware fiduciary duty principles, tend to inform boards of directors that they need to ensure their management has a robust oversight protocol. In short, the directors need to carry out effective oversight/monitoring, including awareness of and effective addressing of red flags. The tension is that board oversight must occur without directors micromanaging the operations of the firm, which traditionally is a management responsibility.
In September 2021, the decision of the late Delaware Chancellor, William T. Allen, in the case of In re Caremark International, Inc. Derivative Litigation (“Caremark”)1 will have reached the quarter-century mark. Although the Chancellor’s opinion did not have the imprimatur of a Delaware Supreme Court holding until Stone v. Ritter2was decided in 2006, it nevertheless has been respected in Delaware and throughout the United States as a key and firm precedent since 1996.
That precedent is that directors not only must adhere to the fiduciary duties of care and loyalty in decision making but also that they must exercise in good faith the responsibility of overseeing the behavior of management. We use the term “behavior” advisedly, without undertaking a detailed specification at this juncture of how granularly the oversight responsibility of directors should be articulated. That analysis is what this article is about.
Caremark was decided in the context of the Chancellor’s decision whether the settlement of certain stockholder derivative actions should be approved as fair and reasonable to the defendants and to Caremark International, Inc. (“Caremark” or the “Company”), on whose behalf the suits were brought. The gravamen of the derivative suits was alleged by the stockholder-plaintiffs to be a fiduciary-duty failure of the defendant directors to oversee, supervise, and monitor the corporate management, and that failure allegedly resulted in significant loss to the company.
The Company, a Delaware corporation with headquarters in Illinois, was engaged in the healthcare business, with revenues derived from third-party payments (such as insurers, Medicare, and Medicaid reimbursement programs). The latter sources of payments were regulated by a federal criminal statutory framework that prohibited healthcare providers, like Caremark, from paying any form of remuneration or kickback to induce the referral of Medicare or Medicaid patients.
The Company had a no-kickback policy that was designed to ensure that no payments would be made in exchange for or to induce patient referrals. In fact, Caremark implemented its no-kickback policy by issuing an internal Guide to Contractual Relationships. The relevant federal statute, the Anti-Referral Payments Law (“ARPL”), was rather stringent, but it was not always crystal clear. Under the statute, the United States Department of Health and Social Services (“HHS”) issued regulations that provided “safe harbors” for when service providers would not violate the APRL. But the Chancellor noted, “What one might deem a prohibited quid pro quo was not always clear.”3
A federal grand jury in Minneapolis indicted the Company and two officers, charging that a physician in Minneapolis, also indicted, violated the ARPL over a lengthy period, specifying that the physician was paid over $1 million to distribute a drug marketed by Caremark. Shortly thereafter, a federal grand jury in Columbus, Ohio, charged that an Ohio physician defrauded Medicare by receiving over $130,000 and other benefits in exchange for referrals of patients whose medical costs were in part reimbursed by Medicare.
There was a federal settlement of these criminal actions under which Caremark pleaded guilty to a single count, paid a criminal fine and substantial civil damages, and agreed to reform measures in order for the Company to continue participating in the Medicare and Medicaid programs. Also, some private insurers asserted damage claims against Caremark for allegedly improper business practices. Caremark settled those claims for $98.5 million.
Then a settlement at issue in the Delaware stockholder litigation was proposed in which Caremark was to agree to certain future reforms, such as the establishment of a board-level compliance and ethics committee consisting of four directors, of which two were to be non-management directors. The committee was to meet at least four times a year to effectuate the reforms, to monitor business-segment compliance with the ARPL, and to report semiannually to the full board.4
In determining whether the proposed settlement was fair and reasonable, the Chancellor was required under Delaware precedent to exercise his informed judgment in light of all relevant factors.5 The essence of plaintiffs’ claim was that the directors violated their fiduciary duties to be active monitors of corporate performance. The Chancellor noted that this theory “is possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” there being no conflict of interest or suspect motivation.6
The Chancellor noted that, although the theory here involved does not stem from a board decision, it arises from “an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”7 In addressing the board’s responsibility for monitoring the enterprise to ensure that the corporation functions in compliance with the law, he pivoted sua sponte8 to an overlay of federal law. Here is the language referencing the importance of the federal Sentencing Guidelines in the Caremark opinion:
The Guidelines set forth a uniform sentencing structure for organizations to be sentenced for violation of federal criminal statutes and provide for penalties that equal or often massively exceed those previously imposed on corporations. The Guidelines offer powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts.9
The Chancellor then deftly and critically distinguished the 1963 Delaware Supreme Court decision in Graham v. Allis Chalmers Manufacturing Co.10 In Allis Chalmers, the court stated that the oversight duty of the board did not require “directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.”11 Then he concluded with these famous and often-quoted phrases that predominate in Caremark:
[I]t is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.
Thus, I am of the view that a director’s obligation includes a duty to attempt in good faith to assure that a corporation information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.12
* * *
[I]n my opinion only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability. Such a test of liability—lack of good faith as evidenced by sustained or systematic failure of a director to exercise reasonable oversight—is quite high. But, a demanding test of liability in the oversight context is probably beneficial to corporate shareholders as a class, as it is in the board decision context, since it makes board service by qualified persons more likely, while continuing to act as a stimulus to good faith performance of duty by such directors.13
Interestingly, the Chancellor added, “Obviously the level of detail that is appropriate for such information is a question of business judgment.”14 We note that the issue of whether or not to have and monitor in good faith an effective oversight protocol is a mandatory requirement. The business judgment rule would not protect the deliberate decision not to have and monitor the oversight requirement because the “utter failure to attempt to assure a reasonable information and reporting system exists will establish the lack of good faith that is a necessary condition to liability.”15 The Chancellor’s reference here to business judgment applies only to the board’s decision on the extent of the detail of the oversight protocol.
The full scope of the directors’ oversight duty is not only that they must conceive and design an adequate information system in good faith, but also they must also monitor the system that they have established to acquire the information and act on it. This element becomes crucial when we discuss “red flags” later in this article.
The role of the board of directors begins with the principal foundational statute on the books. In Delaware, that is section 141(a) of the Delaware General Corporation Law (“DGCL”), which states that “[t]he business and affairs of every corporation organized under this chapter shall be managed by or under the direction of a board of directors.”16 This formulation of the role of the board rests on the elementary concept that, in the real world, the board directs the management of the corporation’s business and affairs by delegating the actual operation of the management to its senior officers. In short, the board itself is not expected to, and should not, micromanage the operations:
When the board has delegated to management the corporation’s operations, it should oversee management’s conduct of the corporation’s activities without usurping management’s role.17
It is necessary to be mindful of the importance of the tension between effective oversight and micromanagement. The board hires the management team, makes strategic decisions on risk, and oversees management execution of that strategy, including compliance with legal and financial norms. But the board does not go down to the engine room to run the operations or crunch the numbers, at least in the first instance.
As a matter of business strategy, the board is expected to make informed judgments on risk tolerance and the management of risks, including financial, legal, reputational risks, and enterprise risks.
Risk management is a multifaceted process that includes identifying and assessing risks, considering mitigating factors, implementing risk controls and monitoring. The board’s responsibility with respect to risk management encompasses both direct decisions about matters such as strategy and risk tolerance and oversight and monitoring implementation of those decisions and the effectiveness of the corporation’s compliance programs.18
The lynchpin of the Caremark opinion is that it is predicated on concepts of good faith, not due care. Since 1986, this has been crucial because the fiduciary duty of care as a standard of conduct in Delaware has been relegated to a largely aspirational status, except in certain contexts, such as when injunctive relief is at issue. This is because section 102(b)(7) of the DGCL, enacted in 1986, exculpates directors from personal liability in damages where such exculpation is in the certificate of incorporation, except for certain acts, such as those that violate the duty of loyalty or are not taken in good faith.19
The criticality of the element of bad faith as the foundation of the Caremark doctrine has played a pivotal role in Delaware’s post-Caremark jurisprudence. As discussed in this article, more recent Delaware Supreme Court cases, particularly Disney20 and Stone,21 have made it clear that the good-faith concept rests in large part on an intentional, and thus disloyal, act or omission, such as the disregard of a known responsibility.
In the 1990s, the Delaware Supreme Court began referring to directors’ fiduciary duties as a triad: care, loyalty, and good faith.22 Those cases implied that good faith was an independent fiduciary duty. Stockholder-plaintiffs seeking monetary damages frequently allege that directors did not act in good faith because, like loyalty and certain other exceptions, such a failure was not protected by the exculpatory provisions of section 102(b)(7).
In Caremark, the oversight responsibility of directors was examined in the context of good faith. The criteria for assessing a director’s personal liability for failing to act in good faith in discharging her oversight responsibilities have evolved. It began with the Delaware Supreme Court’s Allis-Chalmers23 decision that was construed narrowly in Caremark.24 Ten years after Caremark, the Delaware Supreme Court squarely addressed the issue of good faith in the Disney case, noting that “the duty to act in good faith is, up to this point, relatively uncharted.”25
The Disney case involved derivative litigation related to “the hiring and firing of Michael Ovitz as Disney’s president.”26 Ovitz and Disney entered into an employment agreement in October 1995 that provided Ovitz would serve as Disney’s president for five years.27 Disney terminated Ovitz’s employment, however, in December 1996.28 The employment agreement provided for Ovitz to receive a severance package valued at approximately $130 million.29
Several stockholder-plaintiffs filed a complaint in the Delaware Court of Chancery alleging that the compensation committee of the Disney board, and the board itself, had failed adequately to consider the employment, compensation, and termination of Ovitz. The complaint asserted a lack of good faith to rebut the presumption of the business judgment rule and also the application of a section 102(b)(7) exculpatory provision in the Disney charter.30 The Court of Chancery denied a motion to dismiss the complaint, holding “that the plaintiff had alleged sufficient facts to raise a ‘reason to doubt whether the board’s actions were taken honestly and in good faith,’ as required for the application of the business judgment rule,” and if those allegations were true, the directors were not entitled to the protection of the exculpatory clause in Disney’s charter.31
The Disney plaintiffs contended that the duty of care (measured by a gross negligence standard) was on a continuum with the duty to act in good faith and that, at some point, a board’s lack of care could become so egregious that it constituted bad faith.32 The Delaware Supreme Court rejected that contention. It held that a failure to act in good faith requires conduct that is qualitatively different from, and more culpable than, the conduct giving rise to a violation of the fiduciary duty of care.33
Accordingly, the Delaware Supreme Court held that the directors’ duties of care and good faith are distinct. It characterized the “duty to act in good faith” as the “doctrinal vehicle” for imposing sanctions on directors for “intentional dereliction of duty, and a conscious disregard of one’s responsibilities,” citing Caremark.34 The court declined, however, to decide “whether the fiduciary duty to act in good faith is a duty that, like the duties of care and loyalty, can serve as an independent basis for imposing liability upon corporate officers and directors.”35
The Delaware Supreme Court’s decision in Disney provided important guidance for directors of Delaware corporations by identifying three examples of conduct that would establish a failure to act in good faith: first, where the fiduciary intentionally acts with a purpose other than that of advancing the best interests of the corporation; second, where the fiduciary acts with the intent to violate applicable positive law; and third, where the fiduciary intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for her duties.36
A few months after explaining the distinction between the duty of care and good faith in Disney, the Delaware Supreme Court addressed the relationship between the directors’ duty of loyalty and good faith when it decided Stone v. Ritter.37 That explanation came in the context of deciding directors’ oversight responsibilities and answered the question that had been deferred in Disney: “whether a violation of the duty to act in good faith is a basis for the direct imposition of liability?”38
Stone was a derivative action. In 2004, AmSouth and AmSouth Bank paid $40 million in fines and $10 million in civil penalties to resolve regulatory and government investigations relating to the failure by bank employees to file suspicious activity reports that were required by the federal Bank Secrecy Act and several anti-money-laundering regulations.39 The complaint in Stone alleged that the directors breached their fiduciary duties by not properly discharging their oversight responsibilities.40
In Stone, the Delaware Supreme Court held that Caremark articulates the two “necessary conditions for assessing director oversight liability”: (1) the directors utterly failed to implement any reporting or information system or controls or (2) having implemented such a system or controls, the directors consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.41 “In either case, the imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations.”42
The opinion in Stone also held that “[w]here directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.”43 That holding required the Delaware Supreme Court “to clarify a doctrinal issue that was critical to understanding fiduciary liability” under the Caremark standard.44 The court explained “that a failure to act in good faith is not conduct that results . . . in the direct imposition of fiduciary liability.”45 Rather, “[t]he failure to act in good faith may result in liability because the requirement to act in good faith ‘is a subsidiary element,’ i.e., a condition, ‘of the fundamental duty of loyalty.’”46 Because a showing of bad faith conduct, as described in Disney and Caremark, is essential to establish director oversight liability, it followed that the fiduciary duty violated by that conduct is the duty of loyalty.47
In Stone, the plaintiffs’ complaint equated a bad outcome with bad faith. The weakness with the plaintiffs’ argument in Stone was “a failure to recognize that the directors’ good faith exercise of oversight responsibility may not invariably prevent employees from violating criminal laws, or from causing the corporation to incur significant financial liability.”48 In fact, both of these unfortunate acts had also occurred in Graham and Caremark.49 The Stone opinion held that “in the absence of red flags, good faith in the context of oversight must be measured by the directors’ actions ‘to assure a reasonable information and reporting system exists’ and not by second-guessing after the occurrence of employee conduct that results in an unintended adverse outcome.”50
Delaware courts have consistently recognized that a majority of the decisions made by a corporation acting through its employees are not the subject of director attention.51 The Caremark standard, in contrast, is applied in cases where plaintiff-stockholders allege that the director-defendants are personally liable for damages that arise from a failure properly to monitor or oversee employee misconduct or violations of the law.52 The Caremark opinion held that “only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”53 As stated in Caremark and reaffirmed in Stone, a claim that directors are personally liable for employee actions is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”54 The implications of the holdings in Stone v. Ritter have been summarized as follows:
By making it clear that the duty to act in good faith was a subsidiary component of the duty of loyalty, it simultaneously made clear that the judiciary was charged with distinguishing between loyalty claims dependent on a showing that a director acted in bad faith, on the one hand, and due care claims, on the other. . . . Stone v. Ritter made plain that the judiciary could not hold a director liable for a failure in monitoring simply because her conduct was grossly negligent, even though gross negligence requires an extreme deficiency in performance. Rather to hold an independent director liable for a failure in monitoring, the plaintiff had to prove that the independent director acted in bad faith.55
The Caremark decision concluded that “[such] a test of liability—lack of good faith as evidenced by a sustained or systematic failure of a director to exercise reasonable oversight—is quite high. But, a demanding test of liability in the oversight context is probably beneficial to corporate stockholders as a class, as it is in the board context, since it makes board service by qualified persons more likely, while continuing to act as a stimulus to good faith performance of duty by such directors.”56
As the economy was emerging from the Great Recession of 2007–09, the stockholder-plaintiffs’ bar included those who were creatively testing the Caremark/Stone oversight jurisprudence. Some would seek to test the limits of the dictum of that jurisprudence to the effect that oversight claims are hard to plead/prove.
Along came the 2009 case of In re Citigroup, Inc. Shareholder Derivative Litigation.57 In this derivative suit the plaintiff-stockholders sought to recover losses from the director-defendants for Citigroup arising from the corporation’s exposure to the subprime lending market. The gravamen of the complaint was that the defendant directors did not properly monitor and manage the risks the company faced from problems that arose in the collapse of that market. In short, the claim was phrased as a Caremark claim that there were extensive “red flags,” ignored by the director-defendants in their pursuit of short-term profits at the expense of the company’s long-term viability. Specifically, Chancellor Chandler summed up plaintiffs’ Caremark claims and their shortcomings as follows:
Although these claims are framed by plaintiffs as Caremark claims, plaintiffs’ theory essentially amounts to a claim that the director defendants should be personally liable to the Company because they failed to fully recognize the risk posed by subprime securities. When one looks past the lofty allegations of duties of oversight and red flags used to dress up these claims, what is left appears to be plaintiff shareholders attempting to hold the director defendants personally liable for making (or allowing to be made) business decisions that, in hindsight, turned out poorly for the Company.58
The court then proceeded to articulate the critical distinction between a legitimate Caremark claim based on the directors’ bad-faith failure to oversee management’s proper execution of corporate strategy and a nonviable claim that would question that strategy as a proper exercise of business judgment. In dismissing plaintiffs’ purported Caremark claim, the court concluded:
Instead of alleging facts that could demonstrate bad faith on the part of the directors, by presenting the Court with the so-called “red flags,” plaintiffs are inviting the Court to engage in the exact kind of judicial second guessing that is proscribed by the business judgment rule. In any business decision that turns out poorly there will likely be signs that one could point to and argue are evidence that the decision was wrong.59
Citigroup articulates the principle that a purported Caremark claim cannot become a vehicle for a sneak attack on the business judgment rule.
The 2019 Delaware Supreme Court case of Marchand v. Barnhill allowed a Caremark claim to survive a motion to dismiss.60 This was a rare event in Delaware jurisprudence. But the facts alleged in the complaint in that case would seem to demonstrate that if there is any such thing as a viable Caremark claim, the Delaware Supreme Court’s holding that this complaint alleged such a claim seems reasonable.
The facts of Marchand are compelling. The essence of the complaint is that the defendant executives allegedly breached their duties of care and loyalty under Caremark by knowingly disregarding contamination risks and failing to oversee the safety of the corporation’s mission-critical food-making operations.
The Delaware corporation in the Marchand case is Blue Bell Creameries USA, Inc. (“Blue Bell” or the “Company”), which is a monoline company, the principal business of which is making and selling only one product, ice cream. Thus, manufacturing ice cream was mission-critical to its operations. It is a highly regulated entity, primarily by the federal Food and Drug Administration (“FDA”). Not only was Blue Bell regulated by the FDA, but it was also subject to various state regulations in the three states in which it did business: Alabama, Oklahoma, and Texas.
In early 2015, Blue Bell suffered a listeria (bacterial) outbreak that caused a massive recall of its product, production shutdowns, massive layoffs, financial losses, regulatory fines, restrictions, and reputation damage, arising from troubling compliance failures at its facilities. Injuries and deaths of consumers resulted.
The complaint alleged that although management had received reports about listeria’s growing presence in the Company’s plants, the board never received or sought any information about food safety issues, including the devastating prevalence of listeria. Specifically, the complaint alleged that there were failures at the board level: (1) there was no committee charged with monitoring food safety; (2) the board did not have a process for a board-level discussion devoted to food safety compliance; and (3) there was no board protocol requiring management to deliver reports on food safety compliance. The Court of Chancery granted the defendants’ motion to dismiss, and the plaintiff appealed.
In reversing the decision of the Court of Chancery to dismiss the complaint, the Delaware Supreme Court, en banc, held:
Under Caremark and Stone v. Ritter, a director must make a good faith effort to oversee the company’s operations. Failing to make that good faith effort breaches the duty of loyalty and can expose a director to liability. In other words, for a plaintiff to prevail on a Caremark claim, the plaintiff must show that a fiduciary acted in bad faith—“the state of mind traditionally used to define the mindset of a disloyal director.”
* * *
In sum, the complaint supports an inference that no system of board-level compliance monitoring and reporting existed at Blue Bell. Although Caremark is a tough standard for plaintiffs to meet, the plaintiff has met it here.61
* * *
If Caremark means anything, it is that a corporate board must make a good faith effort to exercise its duty of care. A failure to make that effort constitutes a breach of the duty of loyalty.62
A few months after the Delaware Supreme Court opinion in Marchand, the Delaware Court of Chancery decided another Caremark case, In re Clovis Oncology, Inc. Derivative Litigation.63 In that decision, Vice Chancellor Joseph Slights denied the motion to dismiss, thereby breathing life into the allegations.
The Clovis case was a Caremark derivative suit alleging that Clovis Oncology (the “Company”) had one drug, Roci, which, among others, was especially promising in fighting cancer. Roci was being developed through clinical trials in which it performed well. But data from later stages of the clinical trials revealed that it would not be approved by the FDA. The allegation in the derivative suit before the vice chancellor was that the defendant directors breached their fiduciary duties by failing to oversee the Roci clinical trial and allowed the Company to mislead the market regarding the drug’s efficacy, allegedly resulting in severe losses to the Company’s market capitalization.
The gravamen of the complaint was that although the Company purported to follow strict protocols and associated FDA regulations, the board ignored red flags that the Company was not adhering to the clinical trial protocols, thereby jeopardizing FDA approval of Roci.
Using Marchand as controlling precedent, the vice chancellor set forth the following legal analysis at the outset of his opinion:
As explained in Marchand, “to satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.” This is especially so when a monoline company operates in a highly regulated industry. Here, Plaintiffs have well-pled Roci was “intrinsically critical to the [C]ompany’s business operation,” yet the Board ignored multiple warning signs that management was inaccurately reporting Roci’s efficacy before seeing confirmatory scans to corroborate Roci’s cancer-fighting potency—violating both internal clinical trial protocols and associated FDA regulations. In other words, Plaintiffs have well-pled a Caremark claim.64
The court’s legal analysis of the Caremark claim in Clovis was divided into two prongs: either that (i) the director-defendants completely failed to institute an oversight system for the crucial clinical trial or (ii) they consciously disregarded a series of red flags. As to the first prong, the vice chancellor held that the complaint did not support the inference of an “utter” or “complete” failure to implement any reporting or information system or controls.65
But the court’s analysis of the complaint in the context of Caremark’s second prong (failure to monitor) is a different story:
Caremark’s second prong is implicated when it is alleged the company implemented an oversight system but the board failed to “monitor it.” To state a claim under this prong, Plaintiffs must well-plead that a “red flag” of non-compliance [waved] before the Board Defendants but they chose to ignore it. In this regard, the court must remain mindful that “red flags are only useful when they are either [waved] in one’s face or displayed so that they are visible to the careful observer.”
* * *
As Marchand makes clear, when a company operates in an environment where externally imposed regulations govern its “mission critical” operations, the board’s oversight function must be more rigorously exercised.”
* * *
To impose liability on directors for making a “wrong” business decision would cripple their ability to earn returns for investors by taking business risks.” But, as fiduciaries, corporate managers must be informed of, and oversee compliance with, the regulatory environments in which their businesses operate. In this regard, as relates to Caremark liability, it is appropriate to distinguish the board’s oversight of the company’s management of business risk that is inherent in its business plan from the board’s oversight of the company’s compliance with positive law—including regulatory mandates.66
In the 2020 Inter-Marketing Group case, the Delaware Court of Chancery refused to dismiss a Caremark derivative claim at the pleading stage. In an opinion by Justice Tamika Montgomery-Reeves, sitting by designation as a vice chancellor, the court held that, after an oil spill resulting in a pipeline rupture, the complaint well pleaded the absence of board-level protocols to monitor pipeline integrity even though the board’s audit committee’s charter of the company (a master limited partnership operating pipelines in North America) gave it that responsibility.67
For a pleading-stage decision, this case arose in an unusual context. The complaint cited the testimony of the company’s CEO in connection with criminal proceedings in which the CEO testified under oath in California that there were no board-level protocols to monitor pipeline integrity.
In tracking the holding in Marchand, where the board was alleged to have violated its fiduciary duty of oversight in a mission-critical context, the Court of Chancery denied the motion to dismiss, holding as follows:
Contrary to the audit committee’s duty under its charter to “advise the Board with respect to policies and procedures,” Plaintiff points to [the CEO’s] testimony that the Board never “discuss[ed] [the] integrity management process” nor the “policy or needs that might need to be addressed relating to the integrity management program.” While the audit committee’s charter dictates what the audit committee was supposed to do, it says nothing about what it actually did. . . . [The CEO’s] testimony that the Board never discussed pipeline integrity supports the inference made by Plaintiff that the audit committee failed to perform its duties.68
* * *
As the [Delaware] Supreme Court stated in Marchand, “[a]though Caremark may not require as much as some commentators wish, it does require that a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks.”69
In a later 2020 case, Hughes v. Hu, Vice Chancellor Travis Laster denied a motion to dismiss a Caremark claim, citing a remarkable failure of the board to establish and monitor a reasonable information and compliance system,70 stating,
[t]he complaint alleges facts that support an inference that the Company’s Audit Committee met sporadically, devoted inadequate time to its work, had clear notice of irregularities, and consciously turned a blind eye to their continuation.
* * *
These chronic deficiencies support a reasonable inference that the Company’s board of directors, acting through its Audit Committee, failed to provide meaningful oversight over the Company’s financial statements and system of financial controls. . . . Instead, the Audit Committee deferred to management, which dictated the policies and procedures for reviewing related-party transactions and hired and fired the Company’s auditor, even though management’s actions suggested that it was either incapable of accurately reporting on related-party transactions or actively evading board-level oversight.
* * *
The allegations in this case support inferences that the board members did not make a good faith effort to do their jobs. The Audit Committee only met when spurred by the requirements of the federal securities laws. Their abbreviated meetings suggest that they devoted patently inadequate time to their work. Their pattern of behavior indicates that they followed management blindly, even after management had demonstrated an inability to report accurately about related-party transactions.71
The “new normal” of Caremark claims reflects the need for an awareness by directors of their oversight responsibilities. Most Caremark claims do not survive the pleading stage. Although we have discussed some of the few Caremark claims that were not dismissed, as Marchand explained, “in decisions dismissing Caremark claims, plaintiffs usually lose because they must concede the existence of board-level systems of monitoring and oversight such as a relevant committee, a regular protocol requiring board-level reports about the relevant risks, or the board’s use of third-party monitors, auditors or consultants.”72 For example, in the UPS case, Horman v. Abney, in granting a motion to dismiss Caremark claims, the court commented favorably on the action taken by the UPS board in reaction to red flags.73
Caremark is a case that has become synonymous with the need for good-faith monitoring and oversight of management functions by the board of directors. In turn, Caremark is likewise associated with concepts of compliance, an oversight system of policies and controls that organizations should adopt to deter violations of law and to assure external authorities that they are taking steps to deter violations of law. Publicly traded corporations are usually expected to develop general compliance programs at several levels to address the overall conduct of risk management, the operational business, and accounting controls in accordance with prescribed legal, ethical, and cultural norms. Compliance programs focus on all types of misconduct and can be found in a variety of industries, causing these programs to be within the reach of numerous federal and state agencies.
As we have noted, Chancellor Allen in 1996 decided sua sponte in Caremark that the U.S. Sentencing Guidelines were not only relevant to the matter before him, but also were particularly apt because they are “powerful incentives for corporations to have in place compliance programs . . . and to take voluntary remedial efforts.”74 That was not only true then, but also it is an overarching corporate governance principle that has become even stronger and more powerful in the intervening twenty-five years since the Caremark decision.
As we have explained, recent Delaware cases such as Marchand have breathed new jurisprudential life into Caremark. Of equal importance is federal law and stock exchange regulations that have provided more teeth to the requirement that a corporation have a robust compliance system in place and that management as well as directors must monitor the system and deal effectively with red flags.
The American Law Institute (“ALI”) has well underway a comprehensive and ambitious project devoted to the study and recommendations concerning compliance/oversight systems, including recommendations of best practices. This project, launched in 2015 but not yet completed, is named Principles of the Law: Compliance, Risk Management, and Enforcement.75 In the words of Richard L. Revesv, ALI director,
[i]n 2015, the ALI Council launched Principles of the Law: Compliance, Risk Management, and Enforcement. These topics have emerged as fundamental components of internal controls in complex organizations, both in the United States and around the world. Recent highly publicized settlements of government enforcement actions are visible markers of a significant growth in compliance activities.76
Insofar as it is relevant to the duties of board of directors, the black letter of section 3.08 of the current text states, in part, as follows:
§ 3.08. Board of Directors’ Oversight of Compliance, Risk Management, and Internal Audit.
(a) As part of its supervision of the organization’s business or affairs, the board of directors must oversee the organization’s compliance, risk-management, and internal-audit functions.
(b) The oversight in subsection (a) should include the following responsibilities. [Over a dozen detailed expectations of boards of directors are listed, including the responsibilities to be informed, to review, and to take certain actions.]77
* * *
(c) Subject to subsection (a) and if authorized under the law governing the organization, the board of directors, in its discretion, may delegate to a group or committee of its members, to a joint committee of directors and executives, or to executive management the power to perform one or more of the responsibilities set forth in subsection (b).78
Citing Caremark, Stone, and federal authorities (including the U.S. Sentencing Guidelines), the Reporter’s Note to section 3.08 states in part:
It is well established in the laws governing different kinds of business organizations that the board of directors of a particular organization has oversight responsibility over all the organization’s activities. This has been read to include oversight over compliance, risk management, and internal audit, and courts generally defer to the board’s business judgment with respect to this oversight [citing authorities]. . . .
A basic responsibility is that the board of directors should be informed of the major laws and regulations, as well as the major legal risks affecting an organization and organizational actors. This is the responsibility of each director. . . .
Similarly, law and regulation, as well as learned authorities, require or recommend that directors be informed of an organization’s risks and, as part of their oversight, review and approve its risk-management framework and program [citing authorities]. . . .
Board oversight of the internal-audit function, which generally occurs through the audit committee, has long been established. . . .
Authorities support the practice that the board of directors learns about any significant or material violations or failures of any of the internal-control programs and approves the remedial and disciplinary actions to be taken to remedy them, particularly those involving reporting to a regulator [citing authorities].79
To similar effect, the latest edition of the Corporate Director’s Guidebook of the Committee on Corporate Laws of the ABA Business Law Section, in the chapter on Risk Oversight and Compliance, advises directors as follows:
Risk management and legal compliance are critical components of the board’s responsibility for oversight of the corporation’s business and affairs. As businesses and the legal requirements under which they operate become ever more complex, the pace of business change continues to accelerate, and reliance on technology increases, the stakes involved in effectively managing risk and ensuring legal compliance only increase. Well-publicized financial, operational, legal, and security failures in recent years have led to a heightened focus on the role of the board in oversight of risk management and legal compliance.
* * *
In addition to strategic risks, corporations face many day-to-day risks affecting operations and financial results. Examples of specific business risks that corporations commonly face include those associated with inadequate internal controls, physical and data security, product quality and performance, management succession, intellectual property protection, natural disasters, and national and global political uncertainty.
The increasing prominence of technology in business and in the lives of employees, customers, suppliers, and others with whom the business interacts has exponentially increased cybersecurity risk for virtually all corporations.
* * *
Risk management is a multifaceted process that includes identifying and assessing risks, considering mitigating factors, implementing risk controls, and monitoring. The board’s responsibility with respect to risk management encompasses both direct decisions about matters such as strategy and risk tolerance and oversight and monitoring implementation of those decisions and the effectiveness of the corporation’s compliance programs.
* * *
Once strategy and risk tolerance have been established, the board should exercise its oversight role to ensure that management’s design and implementation of risk management policies are consistent with the strategy and risk tolerance.
Although it is not the board’s responsibility to be involved in day-to-day activities involving risk management, the board should satisfy itself that appropriate systems and processes are in place to identify, monitor, control, and—when appropriate—accept, or seek to avoid or mitigate, risk and to make necessary or desirable disclosures.80
On June 4, 2020, the firm Wachtell Lipton Rosen & Katz distributed an excellent, comprehensive analysis in a memo entitled Wachtell Lipton Memo: Risk Management and the Board of Directors. In the memo, the firm emphasizes that “[r]isk management is not simply a business and operational responsibility of a company’s management team—it is a governance issue that is squarely within the oversight responsibility of the board.”81 The firm’s memo refers to some of the new cases that we have cited above (e.g., Marchand) and lists nineteen specific recommendations for improving risk oversight.82
Professor Donald Langervort, an adviser to the ALI Compliance Project, attributes an acceleration in the “pressure to upgrade corporate compliance programs” to two occurrences in the 1990s.83 The first was the adoption of the federal Organizational Sentencing Guidelines, which base the amount of a firm’s criminal fine on a variety of factors, including the quality of its compliance programs. The second occurrence was the Caremark decision, which held that directors’ fiduciary duties included compliance oversight and monitoring.84
Professor Langervort summarized the common structural framework for compliance as follows:
(1) a commitment from senior leadership to the task, setting a right “tone at the top”; (2) delegation of authority to officials with distinct compliance responsibilities and the resources to do their task; (3) firm-wide education and training about both the substance and process of compliance; (4) informational mechanisms to alert as to suspicious activity (e.g., whistleblowing procedures); (5) audit and surveillance tactics to detect compliance failures or risks; and (6) internal investigations, response, discipline and remediation so as to learn and adjust when failure occurs. The right mix of these is firm-specific, a customization that recognizes the great range of motives, opportunities, and types of violations most likely to be a problem at a given firm.85
As compliance regulation has developed over the past few decades, the duties of corporations to exercise effective compliance have derived from six primary sources: (1) promulgation of the federal Guidelines for Sentencing Organizations by the United States Sentencing Commission; (2) the focus on corporate compliance by the United States Department of Justice when deciding whether or not to charge a business entity with a crime; (3) passage of the Sarbanes-Oxley Act and the Dodd-Frank Act; (4) court decisions holding that directors may be personally liable for failing to ensure that a business has an effective corporate compliance plan; (5) amendments to, and passage of, civil statutes such as federal and state false claims acts, which significantly reduce damages and penalties when a defendant exercises “good” corporate citizenship; and (6) market responses to the exercise of “good” and “bad” corporate compliance.86
The effectiveness of internal controls, independence of auditors and directors, and disclosures in financial reporting have all become daily challenges of corporate governance.87 With increased financial reporting regulation and the rise of internal control mechanisms, compliance programs have become an important element in developing and maintaining a corporate strategy.88 In today’s business environment, an effective compliance program is entrenched in good business practice and is a must for all corporations.
Because corporate compliance programs deter wrongdoing within the corporation and generate social norms that support law-abiding behavior,89 the emphasis on corporate compliance pervades every aspect of the business world. Thus, developing an effective corporate compliance plan is a complex endeavor, requiring a variety of legal expertise: employment law, corporate finance, corporate governance, and criminal law.90 Although the full board of directors is responsible to ensure that a robust compliance and oversight system is in place, is monitored effectively, and that red flags are heeded, many boards delegate the details of this responsibility to a board committee, which is often the audit committee.91
To ensure that an effective compliance program is in place, publicly traded corporations may have a compliance committee of the board and/or a senior officer who is appointed to be the chief compliance officer (“CCO”). In simple terms, the CCO is in charge of “a system which is designed to detect and prevent violations of law by the agents, employees, officers and directors of a business.”92 Determining the parameters of a CCO’s duties in a corporation is dependent on the culture and structure of the specific entity. The role, however, has several basic functions that generally apply.
First, the CCO is responsible for overseeing the assessment of an organization’s risk for misconduct and noncompliance.93 A thorough risk assessment will identify where the corporation is vulnerable to noncompliant behavior. The risk assessment results will help identify the priority areas for the compliance effort and monitor the progress of the programs put in place. After the risk is identified and the compliance objectives are established, the CCO is responsible for the implementation and management of the compliance program throughout the company.94
Second, the CCO is expected to communicate frequently with corporate executives and the board of directors or the designated board committee.95 To be effective, the CCO needs to have a direct reporting relationship to the board of directors. Directors should be regularly updated on reported incidents of potential misconduct, investigations underway, and actions being taken.96
The role of the CCO in a publicly held corporation would be, ideally, an independent officer assigned only to the development and monitoring functions of compliance. In many instances, however, compliance duties fall to the general counsel (“GC”) of a corporation. While both the CCO and GC serve the organization’s need to comply with the law, the roles have different functions. Although the GC is the “partner-guardian” in the C-Suite, it is primarily her ethical duty to provide legal advice on how to comply with the law and must represent the interests of her client, which is the corporation itself.97
The roles of GC and CCO should be separate and independent from each other, but they must regularly coordinate and communicate with each other to ensure the quality and effectiveness of risk assessment, investigations, and monitoring.98 The CCO, generally speaking, also needs to work diligently with administration, human resources, finance, investor relations, accounting, and other groups within the company to ensure there is a coordinated approach to compliance among the various business functions within the corporation.99 Company-wide coordination will ensure that the developed compliance programs can be easily integrated with the strategy of the corporation.
The existence of a robust and well-monitored compliance program is one of the factors that is considered by the DOJ when determining whether to bring criminal charges against a corporation. The DOJ defines a compliance program as a means to “prevent and detect misconduct and to ensure that corporate activities are conducted in accordance with applicable criminal and civil laws, regulations, and rules.”100 The federal Sentencing Guidelines require firms “to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”101 The DOJ encourages self-policing within the corporation but clearly states that the mere existence of a compliance program is not sufficient for a corporation to avoid criminal charges for the misconduct of its officers, directors, employees, or agents.
To avoid criminal prosecution, a corporate compliance program must be effective. The Sentencing Guidelines provide that any leniency in penalties is conditioned on whether the person charged with operational responsibility for compliance reports directly to the board.102 The Guidelines also suggest that the head of compliance provide an annual report to the board regarding the implementation and effectiveness of the compliance program and prompt updates in case of current or potential criminal violations.103 According to the DOJ, an effective compliance program must be adequately designed to prevent and detect wrongdoing and must be sufficiently enforced, in good faith, by corporate management.
We have mentioned above certain recent Delaware court decisions in stockholder derivative suits, including Marchand and its progeny. There are likely to be more derivative suits brought on behalf of corporations, particularly Delaware corporations, against directors and officers for failures of good faith oversight. For example, in June 2020, after obtaining certain documents under section 220 of the DGCL, certain public employee funds as stockholders commenced a derivative suit on behalf of the Boeing Company in the Delaware Court of Chancery against certain present and past directors and officers of Boeing for lack of good faith oversight in airplane manufacturing, especially the 737 MAX 8, which had suffered two massive fatal crashes.104
The updated DOJ guidelines emphasize the importance of active as distinct from passive board involvement in carrying out its oversight/compliance obligations. A prime example is the action of the board of the Boeing Company after the two 2019 fatal crashes of its then new jet aircraft, the Boeing 737 MAX 8. According to a series of New York Times articles in the fall of 2019, the full board of directors of Boeing created a special committee of directors after the crashes to examine the company’s organizational structure and to reform internal processes.105 Moreover, an independent CCO working with the board of directors and corporate executives to ensure compliance will help ensure that the fiduciary duties related to oversight and monitoring are discharged in an effective and ethical manner, consistent with Caremark. When evaluating Caremark claims after Stone and Marchand (and their progeny), the Delaware courts must determine whether a bad outcome is attributable to bad faith by the board in failing to discharge its oversight fiduciary responsibilities. The plaintiff bears the burden of persuasion by alleging and ultimately proving particularized evidence of a direct link between the bad outcome and red flags that were known to the board.
Internal legal and compliance reports that inform the board in writing about the results of a thorough examination into red flags are documents that can satisfy that high evidentiary burden of a direct link to the board.106 Stavros Gadinis and Amelia Miazad conducted a comprehensive examination of Caremark claims filed in the ten-year period after Stone was decided. They concluded that courts determined that the required direct link to the board was established when the plaintiff presented “an internal report, typically by a legal expert or compliance officer, informing the board about the underlying problem.”107 The continued focus by Delaware courts on a direct link between compliance failures and the board is reflected in the recent cases we have discussed where motions to dismiss Caremark claims were denied.
The Delaware Supreme Court and the Court of Chancery have frequently encouraged stockholders to use section 220 to investigate possible wrongdoing before filing derivative actions.108 Without the corporation’s books and records, plaintiffs usually do not have the facts that are necessary to plead a particularized claim that can survive a Rule 23.1 motion to dismiss in a derivative suit.109 In fact, myriad purported Caremark claims have been dismissed by the Court of Chancery for failing to plead successfully demand futility under Rule 23.1, and, in doing so, the Delaware Court of Chancery and Delaware Supreme Court have often suggested that the plaintiff should have used section 220 to obtain books and records that might have led to a different result.110
Recently, several stockholders began an investigation into whether AmerisourceBergen Corporation engaged in wrongdoing in connection with the distribution of opioids. AmerisourceBergen is one of the world’s largest wholesale distributors of opioid pain medication. It has been the target of many government investigations and civil lawsuits. As part of its own investigation, the stockholders sought to inspect AmerisourceBergen’s records pursuant to section 220. After AmerisourceBergen rejected that request in its entirety, the Court of Chancery issued a post-trial decision that ordered AmerisourceBergen to produce books and records falling within the category of Formal Board Materials and granted the plaintiffs leave to take a Rule 30(b)(6) deposition111 to determine what other types of books and records exist and who has them.112
AmerisourceBergen moved for certification of an interlocutory appeal to review three rulings by the Court of Chancery: the rejection of the purpose-plus-an-end test, the rejection of the actionable-wrongdoing requirement, and the grant of leave to the plaintiffs to conduct a Rule 30(b)(6) deposition and potentially obtain books and records beyond formal board materials.113
Section 220(b) authorizes a stockholder to conduct an inspection “for any proper purpose” and requires that the written demand “stat[e] the purpose” for the inspection.114 Whether a stockholder must satisfy the purpose-plus-and-end test affects the scope of the statutory proper purpose requirement, which the Delaware Supreme Court has described as “[t]he paramount factor in determining whether a stockholder is entitled to inspection of corporate books and records.”115
AmerisourceBergen argued that a plaintiff must state both a proper purpose for the inspection and identify a viable end for which the resulting materials could be used. The Court of Chancery rejected that argument and concluded that, under the language of the statute and governing Delaware Supreme Court precedent, a stockholder was not required to state in advance an end for which the books and records would be used, although it might be possible for a court to find in a particular case that a stockholder sought only to use materials for a specific end and to take that conclusion into account when determining the stockholder’s entitlement to inspection.
AmerisourceBergen also argued that the plaintiff needed to present evidence from which the court could infer the existence of an actionable claim against the board of directors. It contended that to establish a credible basis to suspect actionable wrongdoing, a plaintiff must present sufficient evidence to support a Caremark claim against the directors that could survive a pleading-stage motion to dismiss pursuant to Rule 23.1.
The Court of Chancery also rejected that argument, holding that a stockholder need only show, by a preponderance of the evidence, a credible basis from which the Court of Chancery can infer that there is possible mismanagement that would warrant further investigation into the corporation.116 It reasoned that this standard did not require tying the mismanagement or wrongdoing to the board because, if it were necessary to analyze the plaintiffs’ showing under an actionable wrongdoing by the board standard, it is possible that the plaintiffs would not be entitled to an inspection.117
In March 2020, the Delaware Supreme Court accepted AmerisourceBergen’s application for an interlocutory appeal because it raised substantial issues of material importance for purposes of actions to obtain books and records pursuant to section 220. The Court of Chancery granted a limited stay of its order pending the interlocutory appeal, except for a subset of the Formal Board Materials that had already been produced for another stockholder in a separate federal derivative action. The Delaware Supreme Court decided the interlocutory appeal on December 10, 2020 and affirmed the Court of Chancery’s judgment.
Caremark’s enduring legacy includes the establishment of the directors’ good-faith responsibility for oversight as a first principle of corporate governance. By doing so, Caremark has given rise to an oversight mindset and “tone at the top” culture within corporate boardrooms. Two important takeaways have resulted from these aspects of Caremark’s legacy and are reflected in Marchand and other cases that followed. The first is the mandate that directors be actively engaged in establishing both the initial oversight and subsequent monitoring procedures. The second is the necessity of carefully documenting (e.g., through proper minutes) the directors’ active engagement in oversight and monitoring.
Active engagement requires directors to develop and maintain an understanding of the corporation’s business.118 The board is ultimately responsible for overseeing corporate affairs, even though it delegates the day-to-day operation of the corporation to others.119 To oversee the corporation’s activities effectively, directors must ensure they have sufficient knowledge and information about the corporation’s business, especially its mission-critical operations, and compliance programs that are required by state and federal law. The board’s oversight responsibilities also require it to establish and monitor programs relating to matters such as cybersecurity, data-privacy, ESG,120 and, most recently, COVID-19. To engage in informed decision-making, directors should ask probing questions at meetings and challenge management as appropriate.121
In Marchand, the Delaware Supreme Court identified some specific salient features of active engagement by directors that would tend to address their duty of oversight.122 Two board-level actions noted by the Delaware Supreme Court in Marchand as being among six factors negatively impacting Bluebell’s board deficiencies are the appointment of a board committee to routinely monitor risks and to establish a regular schedule for the full board to examine and discuss known risk areas. Boards were also urged by the Marchand court to implement procedures requiring management to provide directors with up-to-date information regarding potential problems with substantial risks—red flags.123
When a board of directors tasks the audit committee or another board committee with the responsibility of monitoring and overseeing management’s adherence to proper compliance protocols, that committee does not supplant or lessen the oversight duties of the full board. The committee’s monitoring responsibilities for the assistance of the board should be spelled out explicitly in the committee’s charter, which will have been approved by the full board. The committee’s charter should include a specific directive to report regularly (preferably in writing) to the full board on its evaluation of the adequacy of the nature and extent of the company’s risk, regulatory, and legal compliance protocols and the report should expressly state the committee’s recommendations to the board on any action the board should take if the committee concludes that board action is necessary or desirable.124
Documentation relating to the directors’ active engagement in oversight and monitoring is now the central focus of Caremark claim litigation. Meetings of the board of directors and board committees should include active discussion of oversight and be memorialized in minutes prepared promptly and circulated to the directors for comment and approval.125 Just as there must be necessary documentation in minutes of the board’s decision-making process, the minutes of the board should show a thorough implementation of careful oversight.126
Although there are differing opinions about the level of detail to be included, minutes should reflect that the directors engaged in a deliberative process regarding issues of oversight, acted in what they reasonably believed to be the corporation’s best interests, demonstrating a range of possible alternatives.127 Directors should make certain that the corporation retains the information provided to them at meetings, such as board books and PowerPoint presentations.128
In some circumstances, minutes that do not reflect an adequate deliberative process may support an inference that directors failed to consider relevant information fully and in good faith. For example, in Hughes v. Hu, the Court of Chancery denied the motion to dismiss a Caremark claim, reasoning that the absence of documentation produced in response to a stockholder’s section 220 inspection demand demonstrated that the directors “face a substantial likelihood of liability” for “failing to act in good faith to maintain a board-level system for monitoring the Company’s financial reporting.”129 Conversely, in Lending Club, the motion to dismiss a Caremark claim was granted on the basis of the board’s well-documented, prompt, and decisive response to red flags.130
Caremark claims remain “possibly the most difficult theory in corporation law upon which a plaintiff may hope to win a judgment.”131 Nevertheless, as we have discussed, Delaware courts have recently denied motions to dismiss Caremark complaints in Marchand and its progeny. As noted in Marchand, most Caremark claims are dismissed. For example, Caremark claims were unsuccessful in Lending Club, Citigroup, Duke Energy, UPS, General Motors, DuPont, and Capital One.132
The recent Caremark claim decisions by the Delaware Supreme Court and the Court of Chancery reflect two of the takeaways we have identified from the venerable legacy of Caremark. In short, boards must be actively engaged and regularly spend adequate time and attention devoted to oversight and legal compliance issues. First, for this to be effective, the board must see that a proper oversight system is established, supplemented by a regular monitoring system that requires management to report promptly any red flags to the board or delegated board committee. Second, the board’s oversight, compliance, monitoring actions, and remedial responses must be properly documented in board agendas and minutes.
The ultimate takeaway from the enduring legacy of Caremark is that an independent director violates her fiduciary duties of oversight only if she breaches her duty of loyalty by failing to discharge those oversight responsibilities in good faith.
[t]he liability that eventuated in this instance was huge. But the fact that it resulted from a violation of criminal law alone does not create a breach of fiduciary duty by directors. The record at this stage does not support the conclusion that the defendants either lacked good faith in the exercise of their monitoring responsibilities or consciously permitted known violation of law by the corporation to occur. The claims asserted against them must be viewed at this stage as extremely weak.
Id. at 972.