Caremark Liability for Materially Misleading Cybersecurity Disclosures: SolarWinds Reconsidered

Jennifer Arlen is a Professor of Law at New York University School of Law. This post is based on her recent paper, and is part of the Delaware law series; links to other posts in the series are available here.
Delaware’s Caremark doctrine requires directors to exert oversight over legal risks and imposes personal liability for corporate traumas caused by legal violations on directors who knowingly breach, or utterly fail to discharge, those oversight duties. The duties, and the threat of liability, are heightened where a Mission Critical Legal Risk (MCLR) is involved. Yet to date Delaware judges have consistently dismissed Caremark claims brought against directors for poor oversight of a mission critical risk: cybersecurity. The reason is simple. Caremark oversight duties and liability apply to legal risk. Poor corporate cybersecurity often is a mission critical risk, but it generally does not, by itself, violate the law.
In a forthcoming article, I show that directors nevertheless can be held liable under Caremark for corporate trauma triggered by inadequate cybersecurity in an important class of cases. Specifically, directors should face potential liability under Caremark when the company (1) had inadequate cybersecurity that risked, and later caused, substantial harm to its business and government agency customers, and (2) violated the law before the malicious cyber-event by knowingly making materially misleading statements to those business or government customers, designed to defraud them into believing that the company’s cybersecurity systems and practices were materially better than they were, provided that these lies constituted a MCLR for the company. Directors in such circumstances should be liable for all corporate trauma caused by their breach of their oversight duties, including losses from customer flight as well as litigation and sanctions arising from securities fraud cases predicated on the materially misleading statements to customers. I show that the derivative plaintiffs in the SolarWinds case likely would have avoided dismissal had they predicated their claims on the corporate trauma to SolarWinds from the confluence of its materially misleading statements about its cybersecurity, its apparent cybersecurity deficiencies, and the cyberattack it suffered.