By Jacob Goldstein
What is a Caremark claim?
Originating from In re Caremark in 1996, Caremark claims are allegations against a board of directors for breaching their fiduciary duty of loyalty. Any Caremark claim is based on the principle that the board of directors failed to make a good faith effort in overseeing their company’s operations, thus breaching their duty of good faith to the company. These claims are generally brought by the company’s shareholders, making them derivative actions that must follow the appropriate Delaware Chancery Rules.
Most notably, Caremark claims are one of the most difficult corporate law claims that a plaintiff could hope to win. Many Caremark claims even struggle to get past a motion to dismiss. This is due to the extremely high burden for breach of good faith, based on a two-prong test where plaintiffs must show that: (1) the directors utterly failed to implement any reporting or information systems or controls; or (2) having implemented such systems or controls, the directors failed to monitor or oversee their operations, thus disabling themselves from being informed of risks and/or problems requiring their attention. Furthermore, because the claim is a derivative action, the plaintiff must show that “the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty.”
Such failures alleged by the plaintiff must go to the extent that the directors acted in bad faith. When considering what bad faith is, courts generally accept three types of circumstances: (1) where the fiduciary intentionally acted with a purpose other than advancing the best interests of the corporation; (2) where the fiduciary acts with the intent to violate applicable positive law; or (3) where the fiduciary intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for his duties.
In showing bad faith in a derivative action, the shareholder must first make a demand on the board of directors to act on the alleged wrongdoing. The board's failure to act then allows shareholders to bring a derivative action as plaintiffs. In circumstances where shareholders fail to show that there was a demand, the plaintiff must show specific facts that any demand they gave would have been futile; otherwise the action is dismissed. In summation, there are numerous challenges a plaintiff would need to overcome to bring a successful Caremark claim.
In Construction Industry Laborers Pension Fund v. Bingle, Russian hackers gained access to SolarWinds accounts by attacking their software—stealing information from over 18,000 accounts including the stockholders. Upon investigation, it was discovered that the company had a bad monitoring system, with the security password being “solarwinds123.” The company—though not the board themselves—had also been given new guidance from the government about cybersecurity risks and how to prevent them, which the company did not heed. The plaintiffs then argued that the board failed to properly oversee their monitoring system by overlooking “red flags,” thus breaching their fiduciary duty of loyalty. Although the plaintiffs brought up general risks of cybersecurity and a serious weakness in the company’s monitoring system, the court ultimately ruled to dismiss the case. The court concluded that although there was a lack of control systems, such failure “must be the result of action or inaction taken in bad faith.” Additionally, any potential cybersecurity risk guidance the company might have received prior to the attack cannot be considered “positive law” by which they must be bound. Since the board of directors was not made aware of any bad monitoring system and they were not briefed on any potential cybersecurity risk, they could not be found to have acted with any intent of bad faith. As put by the court: “[c]arelessness absent scienter is not bad faith.”
As previously explained, proving bad faith makes succeeding with a Caremark claim exceedingly difficult. Still, there have been plaintiffs who managed to meet their burden, such as by showing that the directors purposefully ignored red flags. But the burden remains extraordinarily high, and as this most recent case shows, can still fail to be met even in the case where the company itself is acting carelessly. What sort of effect might this have in the corporate world in such an instance where the company was clearly at fault but the board is exempt from derivative action? Naturally, companies—and their board members—are still expected to have monitoring systems in place to avoid risks and ensure reasonable security. But if board directors can, and have, gotten away with ignorance as a reasonable defense for not breaching their duty of loyalty, then to what extent can corporations be excused from liability? Courts are understandably keeping an eye on companies to ensure boards are keeping up their good faith effort, even in cases where they ultimately dismiss charges. Yet, if excusing board directors for their company’s negligence can exist in corporate law, a watchful eye should be on court decisions regarding Caremark claims in the future.
About the Author:
Jacob Goldstein is a second-year, regular division student expected to graduate in May 2024. He graduated from Franklin & Marshall College in 2021 with a bachelor’s degree in English. Jacob is a current staff editor in the Delaware Journal of Corporate Law. He is also a judicial intern with the Honorable Judge Dominic Pileggi in Delaware County’s Court of Common Pleas, criminal division. Jacob enjoys reading mystery novels, rock climbing, hiking, and watching movies during his free time. He has not settled on a legal field to pursue but has an active interest in real estate and estate planning work.
 In re Caremark Int’l Inc., 698 A.2d 959, 971 (Del. Ch. 1996).
 In re Caremark Int’l Inc., 698 A.2d at 967; Del. Ch. Ct. R. 23.1.
 In re Caremark Int’l Inc., 698 A.2d at 967; See also Stone v. Ritter, 911 A.2d 362, 372 (Del. 2006) (“[A] claim that directors are subject to personal liability for employee failures is possibly the most difficult theory in corporate law upon which a plaintiff might hope to win a judgment.”) (internal quotation marks omitted).
 Constr. Indus. Labs. Pension Fund v. Bingle, No. 2021-0940-SG, 2022 WL 4102492 at *1 (Del. Ch. Sept. 6, 2022).
 In re Caremark Int’l Inc., 698 A.2d at 971.
 Constr. Indus. Labs. Pension Fund, 2022 WL 4102492 at *1.
 Id. at *9.
 In re Walt Disney Co., 906 A.2d 27, 67 (Del. 2006).
 Del. Ch. Ct. R. 23.1.
 Del. Ch. Ct. R. 23.1.
 Constr. Indus. Labs. Pension Fund, 2022 WL 4102492 at *2.
 Id. at *4.
 Id. at *6.
 Constr. Indus. Labs. Pension Fund, 2022 WL 4102492 at *6.
 Id. at *14.
 Id. at *9.
 Constr. Indus. Labs. Pension Fund, 2022 WL 4102492 at *14.
 Id. at *9.
 See In re Clovis Oncology, Inc., No. 2017-0222-JRS, 2019 WL 4850188 at *15 (Del. Ch. 2019) (finding that the board consciously ignored red flags that revealed critical failures); See also Teamsters Loc. 443 Health Servs. & Ins. Plan, No. 2019-0816-SG, 2020 WL 5028065 at *26 (Del. Ch. 2020)(denying the motion to dismiss due to the board’s failure to correct critical compliance shortcomings).
 Supra note 18.
 See Gregory A. Markel, Daphne Morduchowitz, & Matthew C. Catalano, A Director’s Duty of Oversight after Marchand in “Caremark” Case, Harvard Law School Forum on Corporate Governance (Jan. 23, 2022) (detailing how board members should act in good faith and maintain proper security protocols).
 See Gail Weinstein, Warren S. de Wied, & Phillip Richter, Caremark Liability for Regulatory Compliance Oversight, Harvard Law School Forum on Corporate Governance (July 8, 2019) (stating how, even though cases like Marchand are dismissed, companies and their boards should emphasize board-level oversight and management of their security).