Recent Delaware cases clarify Caremark oversight duties for directors and executive officers

A claim for breach of the duty of oversight is known as a Caremark claim, after the landmark Delaware Court of Chancery decision in In re Caremark International Inc. Derivative Litigation (1996). Since then, Delaware courts have further refined the analysis of oversight claims and adopted two possible paths to impose liability. A prong-one Caremark claim, known as an “Information Systems Claim”, concerns whether the directors “utterly failed” to implement relevant reporting or information systems or controls to monitor and address business and legal risks. In Marchand v. Barnhill (2019), the Delaware Supreme Court allowed an Information Systems Claim to proceed against the directors of a food manufacturer that sold listeria-contaminated ice cream that led to consumer deaths, after finding that the complaint supported the inference that the company’s directors had no specific reporting system in place to address “mission critical” food safety issues.

A prong-two Caremark claim, known as a “Red-Flags Claim”, concerns whether the directors, having implemented the necessary systems or controls, consciously failed to monitor or oversee operations, thus disabling themselves from being informed of risks or problems requiring their attention. Plaintiffs typically plead a prong-two Caremark claim by alleging that the board’s information system put the board on notice about the problem, but the directors consciously failed to take action in response to such red flags. Over the years, the Delaware courts issued several Red Flags Claim decisions, such as In re Clovis Oncology Derivative Litigation (2019) where the board of a biopharmaceutical company allegedly consciously ignored red flags indicating that the clinical trial for its “mission critical” drug was failing.

Recently, Vice Chancellor Travis Laster of Delaware’s Court of Chancery took the opportunity to address the recent line of cases as part of the Court’s decision to dismiss a derivative Red-Flags Claim against the directors of a restaurant chain relating to their alleged failure to address sexual harassment issues and misconduct at the company. In his decision, VC Laster highlighted some of the key points that companies and their directors should monitor.

First, in some cases, a single, striking red flag may be sufficient to support a Caremark claim. In his decision, VC Laster emphasized that the “pled facts must support an inference that the failure to take action was sufficiently sustained, systematic, or striking to constitute action in bad faith”. To illustrate the last of the three, VC Laster pointed to a 2021 decision by the Chancery Court involving a plane crash and highlighted that “a failure to take any action to investigate problems with airplane safety after a devastating airplane crash could support the inference of bad faith necessary for a Red-Flags Claim, even though there was only a single, particularly graphic and devastating red flag”.

Second, red flags don’t have to be related to “mission critical risks,” or even “central compliance risks”. While the concept of central compliance risks may be more relevant to Information-Systems Claims, VC Laster clarified that such concept, including the more intense variations of essential or mission critical risks, “does not play a similar role for a Red-Flags Claim”. The key is the response to red flags, regardless of the type of risk involved. As such, Caremark claims can rest on any red flags suggesting the corporation is suffering or will suffer harm. Nonetheless, the type of risk may play an important role in the Court’s bad faith analysis with respect to fiduciaries’ responses. VC Laster stated that “if a red flag concerns a central compliance risk, then it is easier to draw an inference that a failure to respond meaningfully resulted from bad faith.”

Third, the Court’s decision reinforces the high bar for Caremark claims. By emphasizing that whether the response fixed the problem is not the test, the Court highlights how difficult it is for plaintiffs to sustain liability claims. The action of the directors or officers could be arguably insufficient or not even prevent the wrongdoing from continuing to persist. VC Laster stressed that “[f]iduciaries cannot guarantee success, particularly in fixing a sadly recurring issue like sexual harassment. What they have to do is make a good faith effort”. As a practical matter, this means that good faith efforts, rather than perfect results, are required, and if directors and officers can show that they took action in good faith to address the red flags, they may receive the protection of the business judgment rule. In this specific case, the Court stated that the directors responded to the allegedly toxic culture that was developing at the company and worked with the company’s management on various responses to address the issues once they became aware of such red flags. Given that response, the Court found that it’s not possible to infer that the board acted in bad faith. “The plaintiffs must do more than plead that the directors responded in a weak, inadequate, or even grossly negligent manner,” the judge wrote.

In a recent distinct but related Caremark case against the former chief HR officer of the same restaurant chain, the Delaware Chancery Court made a significant ruling that had not been previously definitively articulated and determined that executive officers owe investors a duty of oversight comparable to that owed by a board of directors – they must make a good faith effort to establish appropriate information reporting systems and monitor and respond to red (or yellow) flags. Even though the state’s Supreme Court has yet to address the issue, the judge rejected the former officer’s argument that only board members—not corporate officers—can face oversight liability and clarified that the legal scrutiny doesn’t stop with the board of directors. The Court has set a high bar and made it clear that “oversight liability for officers requires a showing of bad faith”. First, an officer’s duties are limited to the areas for which he or she is responsible. Second, the officer must consciously fail to make a good faith effort to establish information systems, or the officer must consciously ignore red flags. This decision effectively requires an officer to have known they were not fulfilling their duties. 

Key Takeaways:

• Boards and committees should review their agendas and charters to ensure that responsibility for mission critical risks and reporting and monitoring functions are well documented in agendas, minutes and materials, with regular reviews of operations and developments.
• Allow for the board or committee to hear directly from compliance and risk officers, and review systems for reporting of concerns by employees, counterparties or customers.
• Management should review its internal controls and procedures, and ensure that officers receive regular reports about areas of risk and develop appropriate procedures to address any red flags
• Boards and management should review the duties and responsibilities of officers and ensure there is clarity around which officers have oversight responsibility for particular matters
• Companies should review their D&O policies to determine whether coverage for officer oversight claims may be available
• Consider adopting exculpatory language to charters, as now permitted under Delaware law, recognizing, however, that to the extent Caremark claims are based on “bad faith” or breaches of the duty of loyalty, they cannot be exculpated.