On January 25, 2023, Vice Chancellor James Travis Laster of the Delaware Court of Chancery handed down an opinion in the case of In re McDonald’s Corp. Stockholder Derivative Litigation[1] that declared that the oversight duties of corporate officers of Delaware corporations are comparable to the oversight obligations of corporate directors articulated in In re Caremark International Inc. Derivative Litigation.[2] The decision was not on the merits of the allegations, which revolved around an alleged toxic culture of sexual harassment, but was a denial of a motion to dismiss. Nevertheless, the legal reasoning for this holding will undoubtedly generate a great deal of discussion. Rather than flyspecking the legal reasoning, this article will focus on the implications for corporations and the people involved with their compliance programs.
The case
The genesis of the case was the allegations of sexual harassment at McDonald’s involving David Fairhurst, executive vice president and global chief people officer. Public attention to sexual harassment at McDonald’s became more prominent around 2016, and in 2018, workers in 10 cities went on strike to protest the company’s inadequate response to sexual harassment complaints. The board of directors became aware of harassment allegations against Fairhurst in 2018. Fairhurst was required to sign a “last chance” letter admitting his misconduct and promising not to engage in the prohibited conduct in the future.
In 2019, the board became involved with remediation efforts. The general counsel led an effort to investigate the situation, reported to the board, and recommended various actions. Because of his position as head of human resources for the company, Fairhurst was also involved in the anti-harassment program and reported progress to the board. While all of this was going on, the board learned that the CEO, Stephen Easterbrook, had engaged in a prohibited relationship with an employee. At its November 1, 2019, meeting, the board approved a separation agreement with Easterbrook, terminating him “without cause.” At the same meeting, the board terminated Fairhurst for cause.
Shareholders filed a derivative action against the company’s board, Easterbrook, and Fairhurst. Fairhurst was accused of breach of fiduciary duty, breaching his duty of oversight, as well as breaching his duty of loyalty by engaging in acts of sexual harassment. The complaint alleged that Fairhurst and Easterbrook promoted a “party atmosphere” at McDonald’s, which included serving alcohol at company events. Fairhurst responded with a motion to dismiss, asserting that the duty of oversight applied only to directors, not officers.
The duty of oversight
Do officers or directors have a fiduciary duty of oversight as to matters within their areas of responsibility? Going back to 1963, the Delaware Supreme Court, in Graham v. Allis-Chalmers Manufacturing Co.,[3] notably said that “absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.”[4] Many people dismissed that case since it did not require directors to set up a system to monitor company activities; however, technically it did create a duty of oversight if they became aware of information (“red flags”). So if they did learn about something, they were supposed to investigate, but that aspect of their duties never seemed to gain much traction.
Fast forward 33 years to Caremark, where the court ruled that the fiduciary obligation of a director included a duty to ensure that “information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”[5] But the court set a demanding standard for liability for breach of this duty, stating that a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability. Such a test of liability—lack of good faith as evidenced by sustained or systematic failure of a director to exercise reasonable oversight—is quite high.”[6] This decision attracted a lot of attention since it explicitly stated that, at least in theory, a director could be liable for failing to exercise oversight.
This approach was followed in Stone v. Ritter, which refined the Caremark liability theory by identifying two types of claims against directors: one for a failure to implement any reporting or information system, and one for consciously failing to monitor or oversee the information system after establishing it (i.e., failing to respond to red flags).[7]
Could any possibility of potential or actual corporate liability create a red flag that required board action? In In re Dow Chemical Co. Derivative Litigation, the plaintiffs’ theory of liability was a breach of the duty of oversight for failure to detect that bribery may have caused a proposed joint venture in Kuwait to come undone.[8] Although there were reports of possible bribery in the Kuwaiti press, the board had no actual knowledge of bribery. The plaintiffs alleged that because Dow had paid a fine to the U.S. Securities and Exchange Commission in 2007 for bribery in India, the accusations of possible bribery in the press were sufficient to constitute a red flag that the board should have investigated. This allegation was rejected by the court. The 2007 incident involved different members of management in another country and for an unrelated transaction. “With neither knowledge of bribery, nor any reason to suspect such conduct, the defendant directors could not ‘conscious[ly] disregard’ their duty to supervise against bribery. Plaintiffs have also failed to allege facts suggesting that the Dow board ‘utterly fail[ed]’ to supervise insiders, or that any director acted with anything other than good faith.”[9] The court also noted that Dow had set up policies to prevent unethical payments to third parties (i.e., a compliance program). Since there was no failure of responsibility by the board, the Caremark claims were dismissed.
A few other cases fleshed out the director’s duty with regard to oversight. In Marchand v. Barnhill, the shareholder challenged the board’s inactivity concerning food safety when listeria was discovered in ice cream—the only product made by the company, Blue Bell Creameries USA Inc.[10] The contamination required a recall of all products, the layoff of a third of its workforce, and the shutdown of operations. Three people died. The court held that the board’s failure to implement any system to monitor food safety breached the duty of oversight to monitor the corporation’s operational viability, legal compliance, and financial performance. This was an “utter failure” to assure a reasonable information and reporting system exists and was an act of bad faith in breach of the duty of loyalty. The court emphasized that Blue Bell made only one product, and yet there was “no committee overseeing food safety, no full board-level process to address food safety issues, and no protocol by which the board was expected to be advised of food safety reports and developments. . . . [W]hen yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board and the board was not presented with any material information about food safety.”[11] The complaint alleged both the failure to establish an information system and the failure to respond to red flags.
In re Clovis Oncology, Inc. Derivative Litigation dealt with allegations against the board of a company developing a cancer drug.[12] The allegation was that the board ignored red flags that Clovis was not adhering to clinical trial protocols, which placed U.S. Food and Drug Administration (FDA) approval of the drug in jeopardy. With misleading trial results, the board allowed Clovis to deceive regulators regarding the drug’s efficacy. As in Marchand, liability for breach of the duty of oversight is more likely to occur when there is a failure to oversee compliance with positive law, including FDA regulations, by failing to implement compliance systems or monitor existing compliance systems. The FDA regulations here were mission critical, and red flags of problems were ignored.
The oversight system must be real, or, to put it into compliance speak, it must not be a paper program. In Hughes v. Hu, the plaintiff alleged that the board failed to exercise its oversight obligations since it created an audit committee that met only sporadically, had clear notice of financial irregularities, and consciously turned a blind eye to problems. The “trappings of oversight,” such as the mere existence of audit committees and compliance departments, were insufficient to rebut a Caremark claim.[13] In Teamsters Local 443 Health Services & Insurance Plan v. Chou, the Chancery court sustained a claim for breach of the duty of oversight against the board of AmerisourceBergen Company. The claim rested on allegations that the directors had ignored red flags of regulatory and operational noncompliance at a subsidiary and, among other things, on the board’s failure to require updates and progress reports after the deficiencies were flagged.[14]