Rebecca Walker (firstname.lastname@example.org) is a partner in the law firm of Kaplan & Walker LLP, located in Santa Monica, California, and Princeton, New Jersey, USA.
Since the Delaware Chancery Court’s decision in the Caremark case in 1996, it has been understood that boards of directors owe a fiduciary duty to oversee an organization’s compliance monitoring and reporting systems. Or, to use the court’s language in that case, boards cannot “satisfy their obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning...the corporation’s compliance with law....”
Since Caremark, it has also been clear that holding directors personally liable for misconduct at an organization (for failure to exercise their duty to be reasonably informed) is quite difficult. Indeed, according to the Delaware courts, it is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”
This high bar for liability has resulted in a large number of dismissed cases over the intervening years. However, in 2019, in two different cases, Delaware courts refused to dismiss plaintiffs’ Caremark claims on summary judgment, allowing the cases to proceed. Although the courts gave no indication that their decisions were intended to modify existing law, the decisions do further expand on Caremark in a way that is important for compliance and ethics professionals to be aware of. Robust and engaged board oversight of compliance systems is necessary to afford a compliance program the level of independence and authority that is required for effectiveness, and these cases offer a rare (from the Delaware courts, at least) opportunity for organizations to revisit the topic of board oversight of compliance. In this article, we will review both of the recent cases with that in mind. But first, a little background on Delaware law in this area.
Caremark and Stone v. Ritter
In Caremark, the plaintiff shareholders had sought to hold the company’s directors liable for the damages resulting from violations of certain federal and state laws governing healthcare fraud. The complaint alleged that the directors had (through their failure of oversight) allowed misconduct to occur, which exposed the organization to liability, and thereby violated a duty to monitor the company’s compliance with legal requirements. The Caremark case established that directors have a duty to “be reasonably informed concerning the corporation,” including assuring themselves that there are systems in place to permit the board to oversee the company’s compliance with law. In other words, boards must make some effort to ensure that they are being kept appropriately apprised of a company’s compliance.
However, Caremark and subsequent cases also made clear that—while director liability is possible—it presents a high bar for success. The Caremark court described it thus: “Only a sustained or systematic failure of the board to exercise oversight such as an utter failure to attempt to assure a reasonable information and reporting system exists will establish the lack of good faith that is a necessary condition to liability.”
Ten years after Caremark, in the 2006 case of Stone v. Ritter, the Delaware Supreme Court affirmed the Chancery Court’s Caremark holding, stating that directors may be held liable for misconduct that occurs on their watch if they either completely failed to implement a reporting or information system or controls or, “having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.” The court further held that, in a case such as Stone, where information failed to reach the board because of ineffective internal controls, but information systems had been established and the directors neither knew nor should have known of the violations of law, there had been no violation of the duty of good faith.