PROFESSOR JOAN MACLEOD HEMINWAY is the College of Law Distinguished Professor of Law at The University of Tennessee College of Law and a Fellow of The University of Tennessee Corporate Governance Center, The University of Tennessee Center for Business and Economic Research, and The University of Tennessee Center for the Study of Social Justice. Professor Heminway’s scholarship focuses on securities disclosure law and policy and related matters (especially under Rule 10b-5) and corporate governance issues under federal and state law. She regularly teaches business law courses in The University of Tennessee College of Law’s James L. Clayton Center for Entrepreneurial Law. Before starting her teaching career in 2000, Professor Heminway spent fifteen years practicing mergers and acquisitions and securities law in the Boston office of Skadden, Arps, Slate, Meagher & Flom LLP. She has served as an expert witness and consultant on corporate finance and securities law matters and is a frequent continuing legal education presenter on business law issues. She serves on the Executive Committee of the Business Law Section of the Tennessee Bar Association. Professor Heminway also is a member of the American Law Institute and the Hamilton Burnett Chapter of the American Inns of Court.

PROFESSOR ROBERTA S. KARMEL is Centennial Professor of Law at Brooklyn Law School. Professor Karmel's area of expertise is international and domestic securities regulation. She is widely called upon to teach and lecture all over the world on this subject. She is a former Commissioner of the Securities and Exchange Commission, a Public Director of the New York Stock Exchange, and was in private practice for 30 years. She was also a Fulbright Scholar studying the harmonization of the securities laws in the European Union. Professor Karmel is the author of Regulation by Prosecution: The Securities and Exchange Commission Versus Corporate America, and has widely published articles on securities regulation and international securities law in dozens of law reviews and journals. She also authors a monthly column, "Securities Regulation," that appears in the New York Law Journal. Professor Karmel is a trustee of the Practising Law Institute, a member of the American Law Institute, and a Fellow of the American Bar Foundation. She also serves on the ABA's Presidential Task Force on Financial Markets Regulatory Reform. She previously served as a director of the New York Chapter of the National Association of Corporate Directors and was the Vice-Chair of the International Coordinating Committee of the American Bar Association Business Law Section.

ROFESSOR OAN AC EOD EMINWAY - americanbar.org · PROFESSOR JOAN MACLEOD HEMINWAY is the College of Law Distinguished Professor of ... School. Professor Karmel's area of expertise


“Wake Up Calls or Snooze Alarms” Speaker Biographies

VINCENT I. POLLEY is President of KnowConnect PLLC (www.knowconnect.com), providing consulting services on information policy and knowledge management processes. Earlier, Polley was a partner at Dickinson Wright PLLC chairing the Information Technology & Security Law practice group, and the Deputy General Counsel of Schlumberger Limited. Polley is Chair of the ABA’s Standing Committee on Technology & Information Systems. He was co-chair of the ABA Commission on Second Season of Service, and served on the Advisory Commission for the ABA World Justice Project, the Council of the ABA’s Section of Business Law, and the Standing Committee on Law & National Security. He is the past chair of the ABA’s Cyberspace Law Committee, and the co-author of the book “Employee Use of the Internet and E-Mail” (ABA Press, 2002). Since 1997 Polley has published MIRLN, a monthly e-newsletter on IT related legal news. Mr. Polley was a founding member of the Internet Law & Policy Forum, and is a Life Fellow of the American Bar Foundation, an arbitrator on the AAA’s Commercial Panel, and a member of the American Law Institute. A graduate of Harvard College (mathematics), Mr. Polley received his law degree from the University of Michigan.

HARVEY RISHIKOF is chair of the ABA Standing Committee on Law and National Security, www.abnet.org/natsecurity. Rishikof is a professor of law and national security, and former chair of the department of National Security Strategy at the National War College in Washington, DC. He was a tutor in Social Studies at Harvard University, a federal law clerk in the Third Circuit, an associate at Hale and Dorr, a Supreme Court Judicial Fellow, AA to the Chief Justice of the United States, legal counsel to the Deputy Director of the FBI, and Dean of a law school. He has been a consultant for the World Bank, USAID, and national intelligence. Rishikof has written numerous law review articles, chapters and monographs. His latest forthcoming co-edited book with Georgetown press is, Navigating the Labyrinth - the National Security Enterprise. Rishikof is a member of the Council on Foreign Relations, the American Law Institute and is on the Advisory Board for Harvard’s National Security Law Journal.

ROLAND L. TROPE is a partner in the New York offices of Trope and Schramm LLP and an Adjunct Professor in the Department of Law, United States Military Academy at West Point. Mr. Trope’s expertise is in cross-border legal transactions representing governments and multi-national corporate clients. He advises on government procurements, regulatory compliance in cross-border transactions, licensing of technology and intellectual property, cyberspace law, and ethical issues in the use of digital technologies. He is the co-author of two books published by the American Bar Association – a treatise, CHECKPOINTS IN CYBERSPACE: BEST PRACTICES FOR AVERTING LIABILITY IN CROSS-BORDER TRANSACTIONS; and SAILING IN DANGEROUS WATERS: A DIRECTOR’S GUIDE TO DATA GOVERNANCE – and numerous articles in professional journals and magazines. He serves on the Supervisory Board of IEEE Security & Privacy magazine. He earned a J.D. from the Yale Law School, a B.A. and M.A. from Oxford University (where he was a Marshall Scholar and Danforth Fellow), and a B.A. from the University of Southern California. He is currently co-authoring a book on the professional ethical challenges of Web 2.0 and cloud computing.


OUTLINE FOR PANEL ON WAKE UP CALLS OR SNOOZE ALARMS: Are Recent CyberSecurity Regulations Giving Birth to Cyber-Fiduciary Duties?

BY ROBERTA S. KARMEL, CENTENNIAL PROFESSOR, BROOKLYN LAW SCHOOL, AND IRENE TAN, RESEARCH ASSISTANT TO PROF. KARMEL

This Outline analyzes the developing duties of the board of directors of public companies and financial institutions with regard to cyber security. In particular, this outline focuses on federal laws and regulations applicable to financial institutions and public corporations, specifically, the Gramm-Leach-Bliley Act and Sarbanes-Oxley Act, which require the board of directors or senior executives to certify to or approve of security programs, as well as state law where courts have held that the board of directors has a fiduciary duty to ensure the corporation has adequate security programs. Lastly, this outline briefly discusses industry support from high-level groups like the Business Roundtable and the Corporate Governance Task Force for top-level review of information security programs.

I. Relevant Statutes

A. Gramm-Leach-Bliley Act (15 U.S.C. § 6801-6809 (1999))

The Gramm-Leach-Bliley Act (“GLBA”) is the federal statute that governs a financial institution’s1 retention, use, and disclosure of customers’ personal financial information.2 Section 6801 imposes a financial institution’s privacy obligations to its customers, and requires financial institutions to establish appropriate standards to safeguard such information.3 Section 6802 imposes obligations concerning the disclosures of customers’ personal financial information.4 Section 6803 relates to the disclosure of institutional privacy policy.5 Section 6804 delegates rulemaking authority to the Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission, and the Federal Trade Commission.6 Section 6805 entrusts enforcement of GLBA privacy rules to the Federal Trade Commission.7

1 Financial institution is broadly defined, and includes banks, securities firms, insurance companies, and companies that provide other financial services to consumers. 15 U.S.C. § 6801.
2 See 15 U.S.C. § 6801-6809.

While the GLBA requires financial institutions to safeguard customer information, it does not specify guidelines for securing customers’ personal financial information. Therefore, pursuant to Section 501 of the GLBA, member agencies of the Federal Financial Institutions Examination Council (“FFIEC”)8 published the Interagency Guidelines Establishing Information Security Standards (“Guidelines”).9 The Guidelines establish standards for safeguarding customer information for financial institutions “subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information.”10

The Guidelines require that all institutions covered under the GLBA establish an information security program that: “(1) identif[ies] and assess[es] the risks that may threaten customer information; (2) develop[s] a written plan containing policies and procedures to manage and control these risks; (3) implement[s] and test[s] the plan; and (4) adjust[s] the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security.”11 Significantly, pursuant to the Guidelines, the board of directors of a financial institution is required to be involved in the governance of information security by: “(1) approv[ing] the [institution’s] written information security program; and (2) oversee[ing] the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.”12 Although a financial institution must obtain board approval of its security program,13 the Guidelines permit the board to delegate specific implementation responsibilities to a committee or an individual.14 Accordingly, the term “oversee” is meant to convey a board’s supervisory responsibilities, and not day-to-day monitoring of any aspect of an information security program.15

3 15 U.S.C. § 6801.
4 15 U.S.C. § 6802.
5 15 U.S.C. § 6803.
6 15 U.S.C. § 6804.
7 15 U.S.C. § 6805.
8 The FFIEC agencies consist of the following: Board of Governors of the Federal Reserve System (Federal Reserve Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS). Federal Financial Institutions Examination Council (FFIEC), Information Security: IT Examination Handbook, (July 2006).
9 Federal Financial Institutions Examination Council (FFIEC), Information Security: IT Examination Handbook, (July 2006).
10 12 C.F.R. § 30 (2005).

In assessing risks that may threaten customer information, a financial institution must (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.16 After the institution has assessed the risks posed to customer information, it must take steps to manage and control risks by: (1) designing its information security program to control the identified risks; (2) training staff to implement the institution’s information security program; (3) regularly testing the key controls, systems and procedures of the information security program; and (4) developing, implementing, and maintaining as part of its program appropriate measures to properly dispose of customer information.17 In addition, the institution must continually adjust the program when circumstances change.18 Lastly, the financial institution must annually report to its board the status of the institution’s information security program and its compliance with the Guidelines.19

11 Id.
12 Id.
13 Id.
14 12 C.F.R. § 30 (2005).
15 Id.
16 Id.

B. Sarbanes-Oxley Act (Pub. L. No. 107-204, 116 Stat. 745 (2002))

The Sarbanes-Oxley Act (“SOX”) requires that management have certain controls in place for proper financial reporting.20 In particular, section 404 of SOX requires that entities establish adequate internal controls and auditing procedures that are certified by management regarding the financial statements of an entity. While SOX does not address information security directly, the requirement that management have certain controls requires an adequate information security system.21 In 2007, the Securities and Exchange Commission (“SEC”) published a report, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, which explained how section 404 should be interpreted.22 According to the report, SOX addresses information security in two ways: (1) by requiring the establishment of information security processes and audit procedures to protect corporate information; and (2) through accurately reflecting the diminished value of intangible assets because of a security failure or breach, which would include breaches involving private information.23 While the focus of the SOX requirements is on data security as it affects financial statements, it is possible that a security breach involving private information could lead to a conclusion that adequate security and internal controls have not been established.24

17 Id.
18 Id.
19 Id.
20 The Sarbanes-Oxley Act, Pub. L. No. 107-204, 116 Stat. 745 (2002).
21 John B. Kennedy, A Primer on Key Information Security Laws in the United States, 934 PLI/Pat 117, 172, Practising Law Institute (June-July 2008).
22 Securities and Exchange Commission, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06 (June 20, 2007).
23 Jeffrey Taft, Privacy and Data Security in Service Provider Arrangements: Recent Developments, 935 PLI/Pat 485, 498, Practising Law Institute (June-July 2008); see also Securities and Exchange Commission, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06 (June 20, 2007).

C. FTC Enforcement Actions

Under section 5(a) of the FTC Act, a “fail[ure] to employ reasonable and appropriate security measures to protect [consumer] information” is an unfair practice.25 “The FTC has repeatedly cited four to five specific types of lax information security in their filed complaints,” which are: (1) “[e]asy network access – failing to limit wireless access to their networks, and/or failing to limit their networked computers’ access to each other and the Internet”; (2) “[n]o breach detection – failing to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations”; (3) “[u]nnecessary storage – creating unnecessary risks to the information by storing it, often when they no longer had a business need to keep the information”; (4) “[w]eak encryption/passwords – storing and/or transmitting information in an unencrypted format, or using weak/commonly known user IDs and passwords, to protect information stored on their networks”; and (5) “[i]nadequate defense to known attacks – failing to adequately assess the vulnerability of [their] computer network to commonly known or reasonably foreseeable attacks, including ‘Structured Query Language,’ injection attacks, and not implement[ing] low-cost, and readily available defenses to such attacks.”26 In security breach cases, the FTC’s consent agreements require alleged violators to take three types of action: (1) security program; (2) auditing and assessment; and (3) compliance and reporting.27

24 Id.
25 Jeffrey Taft, Privacy and Data Security in Service Provider Arrangements: Recent Developments, 935 PLI/Pat 485, 498, Practising Law Institute (June-July 2008) (citing Analysis of Proposed Consent Order to Aid Public Comment, DSW Inc., 70 Fed. Reg. 73474 (2005)).
26 Jeffrey Taft, Privacy and Data Security in Service Provider Arrangements: Recent Developments, 935 PLI/Pat 485, 499, Practising Law Institute (June-July 2008) (internal citations removed).

II. Relevant Case Law

A. General fiduciary duty

1. Caremark International – This case involved the approval of a settlement of a derivative action by shareholders alleging that members of the corporation’s board of directors breached their fiduciary duty of care to the corporation when Caremark employees allegedly violated federal and state laws and regulations applicable to health care providers.28 The Delaware Supreme Court held that the board of directors had a fiduciary duty to ensure that the corporation has an adequate information system.29 Boards must assure themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board to reach informed judgments concerning both the corporation’s compliance with the law and its business performance.

2. Stone v. Ritter – This case was an appeal from the dismissal of a derivative action by shareholders of AmSouth Bancorporation for failure to make demand. AmSouth disclosed that it had paid $50 million in fines and civil penalties for violating the federal Bank Secrecy Act.30 AmSouth shareholders alleged that the directors breached their fiduciary duty by failing to implement any statutorily required monitoring, reporting, or information controls that would have enabled them to learn of the problems beforehand.31 AmSouth had a provision in its certificate of incorporation exculpating directors for breach of the duty of care. But according to the Delaware Supreme Court this provision could not exculpate directors from conduct not in good faith or a breach of the duty of loyalty. The court interpreted Caremark as establishing liability for lack of director oversight if: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, they consciously failed to monitor or oversee its operations.32 The court affirmed the dismissal of the complaint because AmSouth had a compliance program designed to permit the directors to periodically monitor compliance and the board did so.

27 Id. (internal citations removed).
28 In re Caremark Int'l Deriv. Litig., 698 A.2d 959, 960 (Del. Ch. 1996). “It is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.” Id. at 970.
29 “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In re Caremark Int'l Deriv. Litig., 698 A.2d 959, 978 (Del. Ch. 1996).

3. Guin v. Brazos Higher Education Service – Plaintiff Guin alleged that defendant Brazos Higher Education Service breached its fiduciary duty imposed by the GLBA by (1) “providing Wright with [personal information] that he did not need for the task at hand,” (2) “permitting Wright to continue keeping [personal information] in an unattended, insecure personal residence,” and (3) “allowing Wright to keep [personal information] on his laptop unencrypted.”33 The court held that the duty to provide reasonable security had been satisfied where the defendant had implemented the proper safeguards as required by GLBA, including “written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act.”34

30 Stone v. Ritter, 911 A.2d 362, 362 (Del. Ch. 2006).
31 Id. at 364.
32 Id. at 365.
33 Guin v. Brazos Higher Education Service, 2006 U.S. Dist. Lexis 4846, at 10 (D. Minn. 2006) (citing Mem. in Opp’n at 10.)

B. Other cases of possible interest

1. Kahle v. Litton Loan Servicing L.P. – Plaintiff Kahle alleged that defendant Litton Loan Servicing L.P. was negligent in its duty in protection of personal information.35 While it was clear that the defendant breached its duty of care to the plaintiff,36 the court held that the cost of enrolling in a credit protection program due to a fear of identity theft did not constitute a sufficient damage to support a negligence claim arising from a data breach incident.37

2. Pisciotta v. Old Nat’l Bancorp – Plaintiffs Pisciotta and Mills alleged that defendant Old Nat’l Bancorp failed to adequately protect customers’ personal financial information.38 While the Indiana legislature passed a statute, I.C. § 24-4.9 et seq., which “creates certain duties when a database in which personal data, electronically stored by private entities or state agencies, potentially has been accessed by unauthorized third parties,” this was not in effect at the time plaintiffs brought their claim.39 The court affirmed the lower court’s decision, which granted defendant’s motion for judgment on the pleadings, reasoning that costs for credit monitoring, to guard against some future, anticipated harm, are not compensable injuries under Indiana law.40

3. Bell v. Mich. Council 25 – Plaintiffs were employees of the City of Detroit, and they all suffered from identity theft.41 The plaintiffs filed suit against defendant Michigan Council 25, alleging that the Union was liable for not safeguarding their personnel information and that this negligence facilitated the identity theft perpetrated by a third party.42 The Michigan appeals court found that a fiduciary duty exists in a union-union member relationship.43 In addition, the court held that the Union had a duty to protect an information system from reasonably foreseeable breaches, and that the Union was negligent in not doing so.44

34 Guin v. Brazos Higher Education Service, 2006 U.S. Dist. Lexis 4846, at 10-11 (D. Minn. 2006).
35 Kahle v. Litton Loan Servicing L.P., 486 F.Supp.2d 705, 706 (S.D. Ohio 2007).
36 Id. at 708.
37 Id. at 713.
38 Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007).
39 Id. at 636.
40 Id. at 639-640.

III. Industry Support

High-level groups such as Business Roundtable and the Corporate Governance Task Force of the National Cyber Security Partnership advocate CEO attention and board review on the issue of cyber security.45 Business Roundtable is an association of 160 CEOs of the nation’s leading companies.46 In 2005, Business Roundtable published a guide,47 Committed to Protecting America: CEO Guide to Security Challenges, which specifically addressed the topic of cyber security, and “focuse[d] on assisting the CEO in managing the strategic risks that arise from dependency on IT systems and networks.”48 In its guide, the Business Roundtable recommended the following seven principles for securing cyberspace:

(1) Information security requires CEO attention in their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology;
(2) Boards of directors should consider information security an essential element of corporate governance and a top priority for board review;
(3) IT suppliers and end-users of these products and services have a shared responsibility for improving cyberspace security;
(4) The federal government plays an important collaborative role in information security and can assist the private sector response by sharing information about threats and vulnerabilities, helping companies overcome legal barriers, and encouraging appropriate corporate actions;
(5) Public policy initiatives on cyber security should take a balanced and comprehensive approach that reflects the shared responsibility of end-users and IT suppliers;
(6) Market solutions to cyber security are to be preferred over statutory and regulatory mandates; and
(7) Public disclosure of corporate information security practices should be voluntary, not mandatory.49

41 Bell v. Mich. Council 25, 2005 Mich. App. Lexis 353, at 1 (Dec. 28, 2005). This is an unpublished opinion. In accordance with Michigan Court of Appeals rules, unpublished opinions are not precedentially binding under the rules of stare decisis.
42 Id.
43 Id. at 16.
44 Id. at 11.
45 Business Roundtable, Committed to Protecting America: CEO Guide to Security Challenges (Feb. 2005). “To better secure its information systems and strengthen America’s homeland security, the private sector should incorporate information security into its corporate governance efforts.” The Corporate Governance Task Force, Information Security Governance: A Call to Action (April 2004).
46 Business Roundtable, Press Releases, http://www.businessroundtable.org/node/2803 (last visited June 22, 2010).
47 The guide is a “compilation of best management practices and key security lessons learned by CEOs who are facing new and evolving security threats.”
48 Business Roundtable, Committed to Protecting America: CEO Guide to Security Challenges (Feb. 2005).

The Corporate Governance Task Force of the National Cyber Security Partnership50 was

“formed in December 2003 to develop and promote a coherent governance framework to drive

implementation of effective information security programs.” 51 In 2004, the Corporate Governance

Task Force published a report recommending a “comprehensive governance framework to

guide implementation of effective information security programs,” and a “call to action to industry,

non-profits and educational institutions, challenging them to integrate effective information security

governance (ISG) programs into their corporate governance processes.”52 The report recommends the following to

CEOs, boards of directors, and the government: (1) “[o]rganizations should adopt

the [Corporate Governance Task Force Report] information security governance framework . . . to

embed cyber security into their corporate governance process”; (2) “[o]rganizations should signal their

commitment to information security governance by stating on their Web site that they intend to use the

tools developed by the Corporate Governance Task Force to assess their performance and report the

49 Business Roundtable, Committed to Protecting America: CEO Guide to Security Challenges (Feb. 2005) (citing Business Roundtable, Securing Cyberspace: Business Roundtable’s Framework for the Future (May 2005)).

50 “The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts.” National Cyber Security Partnership (NCSP), Overview, http://www.cyberpartnership.org/about-overview.html.

51 The Corporate Governance Task Force, Information Security Governance: A Call to Action (April 2004).

52 The National Cyber Security Partnership, Press Releases, Corporate Governance Task Force of the National Cyber Security Partnership Releases Industry Framework (April 12, 2004).


results to their board of directors”; (3) “[a]ll organizations represented on the Corporate Governance

Task Force should signal their commitment to information security governance by voluntarily posting

a statement on their website . . . .”; (4) “[t]he Department of Homeland Security should endorse the

information security governance framework and core set of principles outlined in this report, and

encourage the private sector to make cyber security part of its corporate governance efforts”; (5) “[t]he

Committee of Sponsoring Organizations of the Treadway Commission (COSO)53 should revise the

Internal Controls-Integrated Framework so that it explicitly addresses information security

governance”.54

53 “COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.” Committee of Sponsoring Organizations of the Treadway Commission, About Us, http://www.coso.org/aboutus.htm (last visited June 22, 2010). The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Id.

54 The Corporate Governance Task Force, Information Security Governance: A Call to Action (April 2004).


Outline for Panel on

Wake Up Call or Snooze Alarms: Are the Emerging Regulations for Cyber Security Giving Birth to a Cyber Fiduciary Duty? †

By Roland L. Trope1

This outline will describe two developments that are relevant to a board of directors’

evolving duty with respect to its company’s cyber security. First, we consider the emerging

threats to the cyber security of companies whose major assets are increasingly concentrated in

sensitive information that is created, processed, stored and transmitted in digital form. By being

stored on computers such data becomes increasingly vulnerable to unauthorized access,

contamination, corruption, and misuse as the nature of cyber threats continues to evolve and

exceeds the abilities of companies to avert such risks. With the advent of cloud computing, the

companies that make the transition from data processed and stored on their own premises to

data outsourced to a cloud for processing and storage will likely face additional threats to the

cyber security of their sensitive data.

Second, we will review examples of federal laws and regulations that set standards for a

subject company’s cyber security. The regulations apply to financial institutions, health care

companies, defense and aerospace firms, and nuclear power plants. Our interest will be in the

varying extents that such regulations require companies to develop enhanced cyber security

and the extent to which compliance with such regulations expressly requires involvement by the

regulated company’s Board of Directors.

I. Emerging Threats to Corporate Cyber Security. A decade ago, most cyber threats

took the form of viruses that hackers developed and released into the “wild” and that infected

† © Copyright 2010 Roland L. Trope. All rights reserved.

Disclaimer: The views expressed in this outline are solely those of the author and have not been approved by, and should not be attributed to, the United States Military Academy at West Point, the U.S. Department of Defense, or the U.S. Government.

1 Partner in the New York offices of Trope and Schramm LLP and Adjunct Professor, Department of Law, United States Military Academy at West Point.


Outline for CLE Panel on “Wake Up Calls or Snooze Alarms” Page 2 of 9

and damaged computers when a user opened an email attachment containing the malware.

The risk was random. Hackers were predominantly operating independently. Since then, cyber

risks have evolved:

“Over the past 10 years, the cyber threat has grown increasingly serious… A decade ago, a cyber attack typically meant that Web pages were defaced. Today, botnet attacks can disrupt the operation of government ministries and shut down financial institutions.”2

The risk is now much more focused. Governments and companies tend to be high

profile targets. Political and corporate espionage rely increasingly on cyber-attacks to obtain

targeted information. Instead of independent hackers releasing viruses for random effect, the

attacks are organized and controlled by highly trained teams of government personnel,

government-sponsored “patriotic hackers”, and corporate cyber teams. The attacks are often,

and they take place continuously. In a recent issue, The Economist described the emerging

cyber risks as follows:

“[T]he spread of digital technology comes at a cost: it exposes armies and societies to digital attack. The threat is complex, multifaceted and potentially very dangerous. Modern societies are ever more reliant on computer systems linked to the internet, giving enemies more avenues of attacks. If power stations, refineries, banks and air-traffic-control systems were brought down, people would lose their lives. … [M]ost [experts] agree that infiltrating networks is pretty easy for those who have the will, means and the time to spare. Governments know this because they are such enthusiastic hackers themselves. Spies frequently break into computer systems to steal information by the warehouse load, whether it’s from Google or defence contractors. Penetrating networks to damage them is not much harder.”3

Financial losses to cyber crime in the United States now reportedly exceed $1 trillion

annually.4 Nonetheless, the United States and U.S. companies increasingly rely on the Internet

and on storing and processing data that can be accessed wirelessly via the Internet in third

party operated cloud-computing servers. As a result, as the cyber threats become more potent,

2 William Matthews, “General: Cybersecurity Equals U.S. National Security,” DEFENSENEWS, June 28, 2010, p. 40.

3 “Cyberwar: The threat from the Internet,” THE ECONOMIST, July 1, 2010.

4 William Matthews, “Cyber Conflict Embroils U.S. Industry, Government,” DEFENSENEWS, May 31, 2010, p. 11.


U.S. companies may be at risk of becoming more vulnerable through their increased reliance on

Internet and cloud based communications.

In addition, the most cyber-sophisticated companies repeatedly experience data

breaches that would seem to suggest that cyber-security remains a challenge for companies.

Recent examples include the following:

• In June 2009, Research In Motion (“RIM”), the manufacturer of the BlackBerry,

sent out a warning to subscribers in the United Arab Emirates to remove a software

“upgrade” that many had downloaded and installed on the instructions of the UAE’s

largest telecommunications operator, Etisalat. Etisalat had instructed its 145,000

BlackBerry customers to upgrade their BlackBerry software by downloading a “patch”

that the company represented would improve the device’s performance. However, the

“patch” included a spyware file that had been designed to enable Etisalat to capture,

read and store a customer’s e-mails, despite the encryption of such e-mails by the

BlackBerry. As one investigator explained:

“This spyware was specially designed to intercept e-mails sent by BlackBerries … BlackBerry e-mails are encrypted and sent via its own servers, but this spyware gets ahead of this encryption and sends the e-mails to a server.”

RIM found it necessary to warn its customers and to provide them instructions on how to

remove the spyware.5

• In late 2009, attackers breached the computer network of Google. The attackers

gained access to Google’s computer code for the software that authenticates users of

Google’s email, calendar and some of Google’s other cloud-based programs. Google

disclosed that the exploit resulted in a theft of some of Google’s intellectual property and

expressed the belief that the attack originated in China.6 Among other security

5 Robin Wigglesworth, Paul Taylor, and Joseph Menn, “BlackBerry rogue software leaves sour taste in UAE,” FINANCIAL TIMES, July 25/26, 2009, p. 3.

6 Ben Worthen and Jessica E. Vascellaro, “Google Attackers Got Access to Code,” THE WALL STREET JOURNAL, April 20, 2010, p. B-1.


measures implemented in response to the attack, Google decided to phase out use of

Microsoft’s Windows operating system due to its vulnerability to attacks. Reportedly, if

an employee thereafter wants a new Windows machine the employee must obtain

approval from Google’s Chief Information Officer.7

• In April 2010, a group at the University of Toronto published a study that

documented a “complex ecosystem of cyber espionage that systematically compromised

government, business, academic, and other computer network systems in India, the

Offices of the Dalai Lama, the United Nations, and several other countries.”8

• In early June 2010, a group of computer experts (who refer to themselves as

Goatse Security) exploited a security hole in AT&T’s website and gained access to

numbers that identify iPads connected to AT&T’s mobile network. Using those numbers,

the group was able to learn 114,000 email addresses for iPad customers. The

customers included prominent corporate officers, government officials (such as White

House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg) and

military officers.9

The widespread reportage of these and other incidents has probably increased the urgency with

which company Boards of Directors are considering ways in which to improve the cyber security

of their companies.

II. Recent Regulations that Require Enhanced Cyber Security. While attempting to

avert the risks from increased cyber threats, companies in several industries are also attempting

to ensure that they comply with laws, rules, and regulations that require that such companies

7 David Gelles and Richard Waters, “Google phases out Windows for employees over security concerns,” FINANCIAL TIMES, June 1, 2010, p. 1.

8 Ron Deibert and Rafal Rohozinski, “Shadows in the Cloud: Investigating Cyber Espionage 2.0,” April 2010, p. i.

9 Spencer E. Ante, “AT&T Says IPad Owners’ Email Data Was Breached,” THE WALL STREET JOURNAL, June 10, 2010, p. B-1.


achieve enhanced cyber security with respect to certain kinds of sensitive data. Earlier

examples of such requirements included:

• The Interagency Guidelines Establishing Information Security Standards

(“Guidelines”) issued by member agencies of the Federal Financial Institutions

Examination Council (“FFIEC”) pursuant to Section 39 of the Federal Deposit Insurance

Act, 12 U.S.C. 1831 and Sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b) of the

Gramm-Leach-Bliley Act of 1999 (“GLBA”). The Guidelines address standards for

developing and implementing administrative, technical, and physical safeguards to

protect the security, confidentiality, and integrity of customer information for financial

institutions.10 The Guidelines require a financial institution’s Board to approve the

institution’s written information security program and to oversee the development,

implementation, and maintenance of the institution’s information security program. To

supplement the agencies’ GLBA 501(b) expectations, the FFIEC issued the Information

Security IT Examination Handbook, dated July 2006, which observes:

“Information security is a significant business risk that demands engagement of the Board of Directors and senior business management. … Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for

    • Central oversight and coordination,

    • Assignment of responsibility,

    • Risk assessment and measurement,

    • Monitoring and testing,

    • Reporting, and

    • Acceptable residual risk.

The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually. A written report to the board should describe the overall status of the information

10 See discussion of the Guidelines in Outline for Panel on Wake Up Calls or Snooze Alarms by Professor Roberta S. Karmel.


security program. At a minimum, the report should address the results of the risk assessment process; risk management and control decisions; service provider arrangements; results of security monitoring and testing; security breaches or violations and management’s responses; and recommendations for changes to the information security program. The annual approval should audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.”11

• The Safeguards Rule, issued by the Federal Trade Commission, as required by

section 501(b) of the GLBA, to establish standards relating to

“administrative, technical and physical information safeguards for financial institutions subject to the Commission’s jurisdiction. As required by section 501(b), the standards are intended to: Ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.”12

• The Security Rule, issued by the Department of Health and Human Services,

pursuant to and to implement some of the requirements of the Administrative

Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996

(“HIPAA”). The Security Rule requires that each covered entity engaged in the

electronic maintenance or transmission of health information pertaining to individuals

“assess potential risks and vulnerabilities to such information in its possession in electronic form, and develop, implement, and maintain appropriate security measures to protect that information.”13

Unlike the Privacy Rule that applies to protected health information in any form,

the Security Rule is narrower in that it applies only to health information in

electronic form. The Security Rule sets forth general rules for security as well as

administrative, physical and technical safeguards.

11 FFIEC, INFORMATION SECURITY IT EXAMINATION HANDBOOK, July 2006, pp. 5 – 6.

12 Federal Trade Commission, “Standards for Safeguarding Customer Information,” FEDERAL REGISTER, Vol. 67, No. 100, May 23, 2002, at p. 36484.

13 Department of Health and Human Services, “Health Insurance Reform: Security Standards,” FEDERAL REGISTER, Vol. 68, No. 34, February 20, 2003, at pp. 8334 – 9010.


Since January 1, 2009, additional examples of such laws, regulations and rules have been

issued or proposed that include the following:

• The Health Information Technology for Economic and Clinical Health (“HITECH”)

Act, enacted as part of the American Recovery and Reinvestment Act of 2009, signed

into law on February 17, 2009, to promote the adoption and meaningful use of health

information technology. Subtitle D of the HITECH Act addresses the privacy and

security concerns associated with the electronic transmission of health information, in

part, through several provisions that strengthen the civil and criminal enforcement of the

HIPAA rules.

• Changes to the Defense Federal Acquisition Regulation Supplement (“DFARS”)

proposed by the Department of Defense in March 2010 that would take the form of the

addition of a new subpart and associated contract clauses for the safeguard, proper

handling, and cyber intrusion reporting of unclassified DoD information within industry.

The proposed changes would establish basic safeguarding requirements that would

apply to any unclassified DoD information that has not been cleared for public release

and that would require that the Government and its contractors and subcontractors

provide adequate security to safeguard such information on their unclassified information

systems from unauthorized access and disclosure. Contractors would be required to

report to the Government certain cyber intrusion events that affect DoD information

resident or transiting on contractor unclassified information systems. The proposed

contract clauses would require contractors to protect DoD information from unauthorized

disclosure, loss, or exfiltration by employing basic information technology security

measures and would require enhanced information technology security measures

applicable to encryption of data for storage and transmission, network protection and


intrusion detection, and cyber intrusion reporting.14 Contractors would also be required

to establish an information security program that complied with the NIST security

controls.15 Indicative of the enhanced protections that would need to be implemented,

contractors would be required to report to the Government “reportable events” that

include, among others, “a cyber intrusion event appearing to be an advanced persistent

threat.” The proposed changes define an “advanced persistent threat” as “an extremely

proficient, patient, determined, and capable adversary, including such adversaries

working together.” The proposed changes, however, provide no guidance on how a

contractor would identify such an adversary or what would constitute the criteria that

contractors could consistently apply to identify such an adversary in order to know that a

reportable event had occurred. At least one comment received on the proposed rule

expressed the concern that “the government should strongly consider the direct and

indirect liability issues that a contractor would be exposed to by this mandatory reporting

requirement …”16

• The Power Reactor Security Requirements that constitute amendments by the

Nuclear Regulatory Commission (“NRC”) to its security regulations and that add new

security requirements pertaining to nuclear power reactors. The rule, issued effective

May 26, 2010 and requiring compliance by March 31, 2010, established and updated

generically applicable security requirements similar to those previously imposed by the

NRC orders after the terrorist attacks of September 11, 2001. Most interestingly, the

new rule implements cyber security requirements that are codified as a new, separate

section 73.54 to the NRC’s regulations and that are designed to “provide high assurance

that digital computer and communications systems and networks are adequately

14 Department of Defense, “Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information (DFARS Case 2008-D028),” FEDERAL REGISTER, Vol. 75, No. 41, March 3, 2010, at pp. 9563 – 9568.

15 NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

16 Alan Chvotkin, Executive Vice President and Counsel, Professional Services Council, comments on the advanced notice of proposed rule making, May 3, 2010.


protected against cyber attacks up to and including the design basis threat …”17 which

includes a “cyber attack.”18 The NRC explained that the new rule’s requirements are set

forth in a separate stand-alone section “to enable the cyber security requirements to be

made applicable to other types of facilities and applications through future

rulemakings.”19 The new rule requires currently operating licensees to submit a cyber

security plan to the NRC for review and approval by way of license amendment and

requires applicants for a new license to similarly amend their application to include a

cyber security plan. In contrast to many earlier regulations issued by other agencies, the

NRC’s cyber security rules provide much more detailed and rigorous requirements that

suggest a standard intended to do more than require reasonable precautions, and

instead, to require safeguards that will substantially reduce the likelihood of unauthorized

access that could compromise safety of a nuclear power plant. As the NRC stated in its

explanation of the cyber security requirements,

“The cyber security program must be designed to implement security controls for protected digital assets; apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond, and recover from cyber attacks; and ensure the functions of protected digital assets are not adversely impacted due to cyber attacks. … Defense-in-depth is achieved when (1) a layered defensive model exists that allows for detection and containment of non-authorized activities occurring within each layer, (2) each defensive layer is protected from adjacent layers, (3) protection mechanisms used for isolation between layers employ diverse technologies to mitigate common cause failures, (4) the design and configuration of the security architecture and associated countermeasures creates the capability to sufficiently delay the advance of an adversary in order for preplanned response actions to occur, (5) no single points of failure exist within the security strategy or design that would render the entire security solution invalid or ineffective, and (6) effective disaster recovery capabilities exist for protected systems.”20

17 Nuclear Regulatory Commission, “Power Reactor Security Requirements; Final Rule,” Federal Register, March 27, 2009, at pp. 13926 – 13993.

18 See § 73.1(a)(1)(E)(v).

19 Ibid, at p. 13928.

20 Ibid, at p. 13959.


Digital Protection

Editors: Michael Lesk, R. Stytz, L. Trope

Directors’ Digital Fiduciary Duties

ROLAND L. TROPE

Trope and Schramm LLP

In this inaugural article of the Digital Protection department, we will explore the potential legal and technical risks inherent in attempts to implement digital protection. Specifically, we will consider how liability might arise for those who have fiduciary responsibility for sensitive information assets, including the emerging trend toward imposing liability where digital protections are severely deficient or digital security has been breached. We also will focus on obstacles created by disparities in the knowledge and expertise of professionals who are responsible for corporate assets and who risk legal liability if their efforts are insufficient or ineffective. We address these disparities to bridge the gap between executive personnel responsible for corporate governance and technical personnel responsible for corporate digital security.

Entrusted data must be safeguarded

Corporate directors must rely on technical personnel to guarantee the integrity of sensitive data on company computers. However, evolving case law suggests that persons entrusted with fiduciary duties must meet high standards regarding an organization’s digital protection systems and the extent to which those systems can reliably protect the integrity of sensitive information assets. The logic of this case law suggests that corporate officers’ and directors’ supervisory responsibilities will extend from safeguarding corporate financial data accuracy to safeguarding the integrity of all stored data. To protect entrusted assets now requires the protection of the computer systems that store records of those assets and provide internal controls for their reporting. The recent cases involved government officials as fiduciaries who failed to remediate discernible deficiencies in digital protection and security of computer systems. Corporate directors, being fiduciaries, should expect to be held to the same standard for their companies’ digital security.

Accounts the US government cannot balance or reconcile

During the second half of the 19th century, the US government seized land from Native American tribes and allotted it to individual tribal members (to extinguish tribal sovereignty). The Dawes Act of 1887 vested beneficial title of the remaining allotted lands in the federal government as trustee for individual Native Americans.1 Between 1887 and 1934, the government removed approximately 90 million acres from Native American ownership. Subsequent legislation terminated allotment of tribal lands, extended indefinitely the federal government’s trusteeship of such lands, and authorized the US Department of the Interior (hereafter Interior) to manage the lands and related revenues, which would be held and invested for Native American beneficiaries in Individual Indian Money (IIM) accounts.2 The entrusted funds reportedly exceed US$3 billion, and the government pays the beneficiaries over US$500 million annually.3

On 10 June 1996, IIM accounts beneficiaries filed a class action suit against Interior Secretary Gale Norton and other federal officials serving as IIM trustees, alleging multiple breaches of fiduciary duty.1 In 1999, the US District Court found the federal government and its officials derelict in their duties, observing that Interior did not know the precise number of IIM accounts and their proper balances and lacked sufficient records to determine such values.1

The court held that the government owed statutory trust obligations to the IIM beneficiaries (including a duty to account), that Interior had failed to “retrieve and retain all information concerning the IIM trust … necessary to render an accurate accounting”1 and that government performance of its fiduciary duties had been unlawfully withheld and unreasonably delayed.

On appeal, the US Circuit Court of Appeals affirmed, noting: “The records upon which the government must rely to fulfill its trust duties are woefully deficient. … Interior … does not have complete or accurate information on the identities or whereabouts of all trust beneficiaries, nor … complete land title records,”2 and “Interior … does not have computer systems in place capable of tracking trust resources and relevant data.”2

78 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY

© 2005 IEEE. Reprinted, with permission.

The US District Court of Appeals interpreted Interior’s fiduciary duty to require a fair and accurate accounting of all funds held in trust by the US for the benefit of a tribe or an individual Native American and a duty to “maintain and complete existing records … and … to ensure that all aspects of the accounting process are carried out. … [T]his may well include an obligation to develop or obtain computer software capable of tracking and reconciling fund data.”2 The government’s failure to implement a computer system did not breach its fiduciary duty, but evidenced the government’s failure to discharge its fiduciary obligations in a reasonably prompt manner, which did constitute such a breach.

Two months later, in April 2001, the Chief Information Officer of Interior’s Bureau of Indian Affairs (BIA) admitted: “For all practical purposes, we have no security, we have no infrastructure. … Our entire network has no firewalls on it. I don’t like running a network that can be breached by a high school kid.”4

Judicial scrutiny of digital security

On 14 November 2001, a Special Master (whom the court had appointed in 1999) submitted a report to the court regarding his investigation of the integrity of Interior’s systems, which chronicled Interior’s failure to safeguard and secure IIM trust data. (A Special Master is an official of the US District Court appointed for assigned duties and who has authority to regulate proceedings and take appropriate measures to perform those duties fairly and efficiently.)5 The Special Master found “no firewalls, … no … solution for monitoring network activity including … hacking, virus and worm notification …,”6 and recommended “the Court intervene and assume direct oversight of those systems housing Indian trust data … [otherwise] the threat to records crucial to the welfare of hundreds of thousands of IIM beneficiaries will continue unchecked.”6

On 5 December 2001, the court entered a temporary restraining order mandating that Interior “immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data.”7 In response, the government agreed to enter into a consent decree that included a mandate that “Interior shall not reconnect any information technology system to the Internet without the concurrence of the Special Master as herein provided.”8 The draconian nature of this court-ordered remedy makes abundantly plain the gravity of judicial concern for digital protection (as a process) and digital security (as an objective) where assets cannot be adequately safeguarded without safeguarding data.

The Special Master ultimately allowed Interior to reconnect 95 percent of its computers. However, his continuing concern for data protection led him, between March 2002 and July 2003, to direct a security assistance group (SAG) to test Interior’s reconnected computers. SAG’s investigations “identified numerous vulnerabilities exposing individual Indian trust data to uninvited review and manipulation.”9

When SAG conducted penetration tests, Interior’s system administrators made no effort to “restrict, block, or deny access from the source of the attacks,”10 implying that SAG’s penetration activities went undetected. When SAG conducted a Nessus security scanning test (www.nessus.org) on an Interior server, it identified a vulnerability that would “allow remote unauthorized users to grab copies of files from … the server.”11 In response to such disclosures, the government effectively hampered the Special Master’s further efforts to verify the security status of Interior’s computers. In May 2003, the government asked the court to disqualify the Special Master after he learned that an Interior official had “appraised oil and gas easements running across Indian lands for amounts considerably less than the appraised value of identical interests held by non-Indians” and then “destroyed the evidence of his 20-year practice of doing so.”12 Government pressure eventually caused the Special Master to resign, thereby removing from the litigation the person who probably had the best technical (and objective) understanding of Interior’s digital security deficiencies and its efforts to trivialize those it could not disguise.

New department’s mission

This issue of IEEE Security & Privacy inaugurates a new department: Digital Protection. Its mission is to provide an open and responsive forum for discussing the technological, commercial, and legal aspects of protecting valuable digitized property.

In the 21st century, we’ll increasingly measure wealth in bits, not bullion. As a result, topics such as digital rights management, software piracy, reverse engineering, intellectual property law, liability management, and trusted computing platforms are increasingly becoming relevant to the general computing profession. This department’s goal is to keep readers abreast of the latest technical developments and informed about the corresponding legal, policy, social, and commercial issues.

We welcome reader involvement through contributions and critical feedback.

The plaintiffs seek digital protections

In response to such developments, plaintiffs filed a motion seeking a preliminary injunction to compel protection of individual Native American trust data. After a hearing, the court issued an opinion, observing that Interior had adopted a “restrictive interpretation of the Consent Decree, namely, that once the Interior Department computer systems have been reconnected to the Internet, no further testing of those systems is either necessary or permissible.”11 This was not the understanding of the Special Master or of the court, which noted that, “It would certainly seem to be irrational to interpret the Consent Order to … mean that, once the computer systems had been reconnected, no procedure would be in place to verify … that the reconnected systems … continue to be secure from unauthorized Internet access.”11

The court placed the highest priority on safeguarding data and ensuring accurate and reliable accounting. (Directors seeking to comply with the Sarbanes–Oxley Act will find the court’s concern instructive, because they and their companies’ officers have legal obligations—under Section 404 of that act—to assess their companies’ internal controls for financial reporting and, therefore, the digital protection that is now an integral part of such controls.) The court made clear the increasing inseparability of assets and the data that represents those assets, and found it essential, in protecting the former: “[to prevent] undetectable unauthorized persons to access, alter, or destroy individual Indian trust data via an Internet connection. The alteration or destruction of any of the trust data would further prevent the beneficiaries of the individual Indian money … from receiving the payments to which they are entitled, in the correct amount. … [and] would … render any accounting of the individual Indian trust inaccurate and imprecise, and therefore inadequate.”11

Plaintiffs proved irreparable harm that justified issuance of a preliminary injunction to prevent the continued operation of Interior’s computer systems that “… have not been demonstrated to be secure from Internet access by unauthorized persons. … Without any evidence that the systems are secure, it would be an act of folly for this Court simply to permit” [such computers] “to remain connected” to the Internet.11 The court concluded that Interior’s system could not guarantee the security of the data in question, and made clear that such integrity must be guaranteed. But such a guarantee might be infeasible, particularly with any computer connected to the Internet. We know of no digital protection that can guarantee invulnerability in software that is inherently vulnerable to hacking or malicious code.

On reviewing evidence of Interior’s digital protection system, in March 2004, the court concluded that it could not “conceive of any means by which Interior could be allowed to monitor itself and be solely responsible, without external monitoring, for the security of individual Indian trust data.”5 Without a hearing, the court issued a preliminary injunction that again required disconnection.

Judicial misconceptions of digital security

Interior appealed, asserting the injunction lacked “any legal foundation or factual predicate.”13 On 3 December 2004, the US Circuit Court of Appeals found both contentions “unpersuasive,” recalled “Interior’s past gross computer security failures,” insisted its actions must be judged by “the most exacting fiduciary standards,” and found its officials as trustees had “egregiously breached their fiduciary duties.” However, the court vacated the injunction for procedural reasons, including failure “to hold an evidentiary hearing prior to entering the injunction” and that the US District Court had erroneously relieved the plaintiffs of their burden to demonstrate the “necessity of the IT injunction to safeguard against imminent and irreparable harm.”13

Such a holding clearly misunderstands the Internet and its threats. “Imminent” injury should be provable by showing a severe vulnerability to the Internet, as evidenced by daily security incidents or deficient defenses against Internet threats. The US Circuit Court of Appeals apparently required plaintiffs to demonstrate that a specified malicious code posed an imminent threat to Interior’s computers. Because any such threat could inflict its damage in a matter of minutes, it is unrealistic to require plaintiffs to postpone seeking injunctive relief until such threat materializes.

The US Circuit Court of Appeals based its holding on the fact that “there was no evidence that anyone other than the Special Master’s contractor had ‘hacked’ into any Interior computer system housing or accessing IITD [individual Indian trust data].”13 Its logic overlooks the obvious: by the time a hacker made such an attack, it would be too late to protect any data. Moreover, because its intrusion detection systems had failed to detect any of the SAG penetration tests, Interior could not confirm or disconfirm any hacker attack. On remand, the US District Court will be hard pressed to address the misconceptions in the technological expertise reflected in the US Circuit Court of Appeals’ opinion.

Emerging duty for digital security

Significantly, the US Circuit Court of Appeals also held that the US District Court’s “jurisdiction properly extends to security of Interior’s information technology systems … housing or accessing [trust data], because [Interior] … as a fiduciary, is required to maintain and preserve”13 such data. The court further acknowledged that Interior “has current and prospective trust management duties that necessitate maintaining secure IT systems in order to render accurate accountings now and in the future,”13 implying a fiduciary duty for digital protection and security.

The US District Court of Appeals thereby suggested a judicial willingness to hold executive personnel responsible for highly technical knowledge where those with fiduciary duties also oversee the implementation and maintenance of digital security. By relying on a deficient digital protection system, such personnel could be at increasing risk of incurring legal liability for breaching a fiduciary duty of care in safeguarding information assets whose digital integrity is essential to safeguarding financial assets.

In the case of Interior’s fiduciary duties, safeguarding funds entrusted to its care was impossible without adequate safeguards on the integrity of the account data on which distribution of such funds depended. Thus, the digital asset has become inseparable from the physical asset. And fiduciary law has always imposed a high duty of care on those responsible for safeguarding third-party assets.

For the foreseeable future, malicious code releases will be sufficiently frequent and far-reaching that courts must consider recalibrating requirements for injunctive relief: an imminent security breach should be a rebuttable presumption when digital protections are insufficient or ineffective. As US Federal Trade Commission Commissioner Orson Swindle recently cautioned, “There can be law violations without a known breach of security. … Particularly when explicit promises are made, companies have a legal obligation to take reasonable steps to guard against threats before a compromise occurs.”14

Directors are arguably obligated to take such steps as part of their fiduciary duty to their company, particularly where failure to remediate could cause irreparable damage to financial or other sensitive records that are integral to the protection of the assets they represent. Deficient digital protection requires immediate remediation (arguably the responsibility of those who have a fiduciary duty for protection of the underlying assets).

You do not have to see rabbit tracks in your garden to know that you should find and fix the holes in the fence. If a company’s intrusion detection system fails to detect hostile probes, there will not even be any rabbit tracks to find.

Acknowledgment

The views expressed here are solely the author’s and do not reflect official policy or position of the US Department of the Army, US Department of Defense, or US government.

References

1. Cobell v. Babbitt, Fed. Supp. 2d, vol. 91, p. 1, Wash. DC, District Ct., 1999; www.indiantrust.com/_pdfs/99.12.21-memorandum_opinion.pdf.

2. Cobell v. Norton, Fed. Supp. 3d, vol. 240, p. 1081, (Wash. DC, Circuit Ct., 2001); http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=dc&navby=case&no=005081A.

3. J. Files, “No. 2 at Interior Dept. Resigns,” New York Times, 8 Dec. 2004, Sec. A, p. 28.

4. K.M. Peters, “Trail of Troubles,” GovExec.com, 1 Apr. 2001, p. 100; www.govexec.com/fpp/fpp01/bureau_of_indian_affairs.htm.

5. US Code, Title 28, Federal Rules of Civil Procedure, Rule 53 (Masters).

6. Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior, 14 Nov. 2001, p. 141, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.

7. Order of US District Court Judge Royce C. Lamberth, Cobell v. Norton, Civil Action Case No. 1:96CV01285, 5 Dec. 2001; www.indiantrust.com/_pdfs/2001.12.05_TRO.pdf.

8. Consent Order Regarding Information Technology Security, 17 Dec. 2001, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.

9. Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.

10. Security Assistance Group, Internet Assessment of Department of Interior, Bureau of Land Management, 27 Mar. 2003, p. 1, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.

11. Cobell v. Norton, Civil Action Case No. 1:96CV01285, Wash. DC, District Ct., 2003; www.indiantrust.com/_pdfs/20030728MemorandumOpinion.pdf.

12. A.L. Balaran, Special Master’s Letter of Resignation to Judge Royce C. Lamberth, 5 Apr. 2004, p. 2.

13. Cobell v. Norton, Slip Opinion, Wash. DC, Circuit Ct., 2004; www.indiantrust.com/_pdfs/20041203ITSecPIDenied.pdf.

14. O. Swindle, “Cybersecurity and Consumer Data: What’s at Risk for the Consumer?,” prepared statement, US Federal Trade Commission before Commerce, Trade, & Consumer Protection Subcommittee, Committee on Energy and Commerce, US House of Representatives; www.ftc.gov/os/2003/11/031119swindletest.htm.

Roland L. Trope is a partner in the law firm of Trope and Schramm LLP, and an adjunct professor in the Department of Law, US Military Academy. His research interests are cyberlaw, cross-border transactions, defense procurements, export controls, intellectual property, privacy, and management of information security. Trope has a JD from Yale Law School, a BA and an MA in English language and literature from Oxford University and a BA in political science from the University of Southern California. He is a member of the American Bar Association’s Cyberspace Law Committee, the Association of the Bar of the City of New York’s Information Technology Committee, and coauthor of the treatise Checkpoints in Cyberspace (to be published by the ABA in 2005). Contact him at [email protected].


Digital Protection
Editors: Michael Lesk, [email protected] R. Stytz, [email protected] L. Trope, [email protected]

72 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/08/$25.00 © 2008 IEEE ■ IEEE SECURITY & PRIVACY

Hardening the Target

ROLAND L. TROPE

Trope and Schramm, LLP

MONIQUE WITT

WILLIAM J. ADAMS

US Military Academy, West Point

As enterprises have become increasingly dependent on digitized data and have sought commercial opportunities from accelerated digital access and transmission, senior management and boards of directors have not sufficiently updated their enterprises’ security protections on digitally stored information. Consequently, new and increasingly frequent attacks have occurred against their digital information assets. As CERT cautioned in November 2007,

“Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. However, the current trend of using computer networks to remotely monitor and control unmanned facilities has … increased the possibility that these physical property crimes could be used to conceal less discernible cyber crimes. … Those investigating a physical security breach should be aware that a cyber related incident may also have occurred.”1

To the extent that an enterprise’s commercial health depends on its digitized data and its ability rapidly to access, process, and transmit such data, that enterprise will increasingly be targeted for cyberattacks, digital theft, misappropriation, depredation, and commercial espionage. Such attacks have been growing recently:

“The number of attacks on credit- and debit-card processing systems has more than doubled from 2006 to 2007, and that trend appears to be continuing into 2008. These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.”2

Consequently, digital security has become a boardroom issue and an implicit fiduciary obligation. Here, we look at the risks management and directors take when they fail adequately to protect their enterprises’ digital property.

Evaluating risks to iconic targets

To be shielded from liability in the event of an attack, an enterprise’s managers or board of directors must demonstrate that they have taken adequate precautions against known or reasonably foreseeable risks to the enterprise’s digital assets. One recent court decision strongly suggests that liability for cyberattacks will increasingly apply to a company’s senior management. Although this case did not expressly involve digital security, we believe its language is sufficiently broad to include data protection issues, particularly when senior executives or directors knew or should have known that their enterprise’s digital security was deficient. We believe this case indicates the broad parameters of the duty of care that officers and directors will ultimately be assigned in the context of digital security. The trend is clear: “Data security is no longer a ‘second-tier risk assessment’ but a task for directors themselves to address. ‘It’s now at boardroom level.’”3

Management, officers, and board members must therefore evaluate the risk of the enterprise being targeted in a political as well as an economic context. Many major economic enterprises are identified (through their branding) with national entities. These include banks (JP Morgan and Deutsche Bank), defense contractors (Boeing, BAE, and Thales), entertainment enterprises (Disney and Pixar), retailers (Wal-Mart), software makers (Microsoft or Google) and real property holdings (London’s Canary Wharf and The Gherkin or New York’s Empire State Building). Such entities present attractive (and vulnerable) targets for crimes that have political or economic objectives.

These enterprises become targets owing to their iconic status. They act as proxies for political “hot-button” issues, and their size guarantees publicity for an attacker’s political or social agenda. Targeting such an enterprise both damages the balance sheet “good will”—that is, the established reputation of the enterprise, which has a quantifiable value—and increases the public profile of the protesting group.

Managers, officers, and board members have legally enforceable fiduciary duties to protect their enterprise’s assets, both its physical premises and personnel and its intellectual property and digitized information. Duties with respect to the latter arguably “extend from safeguarding corporate financial data accuracy to safeguarding the integrity of all stored data.”4

To fulfill these duties, enterprises often commission and oversee assessments of their vulnerabilities and probable risks. A board that does not ensure that the enterprise conducts such assessments will be poorly positioned, in the event of attack, to defend itself against allegations that it neglected its fiduciary duty. With a national brand, iconic enterprise, or critical infrastructure provider, the risk and the potential for collateral harm will be commensurately greater and will increase the enterprise’s duty to be vigilant.

Senior management should thus take particular care when considering what safeguards to implement in response to any risk assessments, particularly those that identify or quantify specific risks and vulnerabilities. We will look at what happens when management or directors fail to protect their enterprises, despite warnings of highly probable risks.

1993 World Trade Center bombing

Nash v. the Port Authority5 offers guidance on management’s duty to protect an enterprise from foreseen (and foreseeable) risks. That case, decided in April 2008 by New York’s Appellate Division, involved the 1993 bombing of the World Trade Center (WTC) and focused on the Port Authority’s proprietary duty (as the landlord) to secure the premises, its occupants, and invited guests from harm. The Appellate Division’s reasoning is directly relevant to executives’ fiduciary duties in protecting an enterprise’s digitized data.

We believe, moreover, that the court’s reasoning is relevant regardless of whether an enterprise’s senior personnel have been negligent. The decision articulates relevant criteria for when such personnel have a duty to adopt “target-hardening” measures, namely those which would avert or substantially reduce the targeted enterprise’s vulnerability to risks known—or that should have been known—by its management, officers, or board members. Although no rule so far automatically finds negligence where executive personnel have failed to adequately safeguard the enterprise’s data, the law is clearly moving rapidly toward a “should have known” standard (that is, that such personnel will be liable if they should have known that a risk existed), particularly where risks to comparable enterprises have received public attention.

Case facts

In 1984, the Port Authority’s then executive director decided, in view of the WTC’s “iconic nature” and “its consequent attraction as a target for terrorists,” to seek Scotland Yard’s advice on the building’s security. Scotland Yard was “appalled to hear we had transient [public] parking directly underneath the towers.”5 The Port Authority subsequently received several warnings from internal security officers and outside consultants stating that,5

• the WTC’s “parking lots … are highly susceptible to car bombings”;
• an attempt to bomb the WTC was “probable”;
• terrorists could “create havoc without being seriously deterred by the current security measures”; and
• “The car bomb is fast becoming the weapon of choice for European terrorists” and “the fact that parking an explosives laden vehicle provides substantial escape time for the driver is ample justification to take decisive target hardening measures in this area.”

These reports recommended that the Port Authority

• eliminate the WTC’s subgrade public parking,
• install barriers to the access ramps, and
• conduct vehicle searches.5

Between 1984 and 1993, other iconic buildings “hardened their defenses against car bombs.” However, the Port Authority failed to adopt any of the recommended safeguards.5

The plaintiffs alleged that the Port Authority had breached its proprietary obligation by failing to safeguard the WTC and its business tenants against foreseeable criminal intrusion. The jury returned a verdict for the plaintiffs, found the Port Authority negligent, and allocated to it 68 percent of the fault for the bombing. The Port Authority’s petition to set aside the verdict was denied, and it appealed.

Appellate Division decision

The Appellate Division affirmed the jury’s verdict, noting that a landlord has a proprietary duty to “act as a reasonable [person] in maintaining … [its] property in reasonably safe condition in view of all the circumstances, including the likelihood of injury to others, the seriousness of the injury, and the burden of avoiding the risk.”5 Given the post-9/11 security climate, the “likelihood of injury” standard is broad enough to create a proactive duty on management’s part without a specific finding that it failed to address potential risks that were actually brought to its attention. The Appellate Division went further, however. It reasoned that the Port Authority had a heightened duty to take steps to secure the property due to the following factors: it had received express warnings; the foreseen risks were characterized as not merely possible but probable; the enterprise had “iconic” status; and it had few defenses against the emerging weapon of choice—the car bomb. In words that reach beyond a landlord’s proprietary obligation, the Appellate Division emphasized that

“there are circumstances in which the nature and likelihood of a foreseeable security breach and its consequences will require heightened precautions.”5

This language—the likelihood of foreseeable risk—suggests the direction in which the emerging fiduciary obligation is developing. The Port Authority’s duty was further heightened because the potential risk was so grave:

“As this case so vividly illustrates, the blameworthiness of [defendant’s] negligence … may actually be increased by the heinousness of the wrongdoing it directly and forseeably facilitates. … [Here] the intentional act was forseeably responsive to and exploitative of the negligence and, causally, did little more than bring the incipient catastrophic potential of the negligence to terrible fruition.”5

The Port Authority’s duty was particularly compelling in light of the inconsequential cost of implementing the target-hardening measures.5

The clear implication of this decision is that the Port Authority had a duty to adopt the target-hardening recommendations and to secure the premises given the magnitude of the risk, the clear vulnerability, and the attractiveness of the enterprise as a target.

Lessons learned

The current security climate suggests strongly that other jurisdictions will adopt this line of reasoning when analyzing management and board members’ fiduciary duties to secure an enterprise’s material and immaterial assets. This reasoning should prompt such personnel to reevaluate any risk assessment recommendations they have received and any identified risks to comparable enterprises. Where the risk is high and probable, and where the costs of safeguards are not prohibitive, enterprises must seriously consider adopting target-hardening measures. Failure to do so could increasingly be viewed as actionable negligence or failure to fulfill a duty of care.

Recommendations for management

When an enterprise’s executives or directors deliberate on whether and to what extent to adopt recommended digital security safeguards, they can improve the quality of their decisions and the record of such deliberations by familiarizing themselves with the case law regarding their emerging duty of care. This will better position them to argue that the measures they have taken are protected within the scope of their business judgment and are reasonable, should a serious security breach occur. The board will also have evidentiary support that it “acted independently, with due care, in good faith, and in the honest belief that its actions were in the shareholders’ best interests,”6 the standard customarily applied to decisions within the business judgment rule.

Basic recommendations

We suggest the following guidelines when reviewing recommended digital safeguards:

• Deliberations on recommended safeguards that include the reasons for rejecting or adopting each recommendation should be recorded and retained.

• Internal security rules should reflect and track known, identified, or anticipated security vulnerabilities. As a Federal District Court recently explained, “When a danger exists and the company knows or should know of it, the company must reckon with the possibility that the very failure to make rules may be used against it.”7

• Security must be updated as risks surface, and management should oversee and review maintenance of security measures regularly. These measures should ensure that, if an intrusion occurs, the enterprise will have evidence of network activity that can help identify the intruders and their objectives—that is, computer logs that document times and identities of users accessing or changing data, patch applications, and other network activities. (See the sidebar for a good illustration of why this is important.)

• Management and board members should weigh the costs of implementing digital security safeguards against the potential for long-term economic harm and personal liability for breach of fiduciary duty.

• Management and board members should be mindful of how courts evaluate an enterprise’s decisions on whether and the extent to which it adopts safeguards. They should anticipate being held negligent and liable for catastrophic loss from a digital security breach if a court, on reviewing their failure to adopt safeguards, finds that the burden of taking adequate precautions was less than the gravity of injury or damage multiplied by the probability of the breach occurring. (This formula has been applied in various cases and provides a useful analogy in the context of an enterprise’s digital security.8)

The duty to implement such safeguards rises sharply, however, when an enterprise’s management knows or should know that their company, its buildings, or its networks of computers have become a probable target for terrorists or its country’s military adversaries. As the Appellate Division cautioned,

“A risk of such extraordinary magnitude must, if it is to be dealt with prudently, be managed differently from the significantly less dire risks … No reasonably prudent … [owner], aware of the value of his or her structure as a terrorist target … would await a terrorist attack … directed at basic structural elements, before undertaking, to the extent reasonably possible, to minimize the risk.”

As such enterprises become increasingly dependent on off-premises computing such as “cloud” technologies, management will need to consider safeguards against the accompanying additional technical risks.

Recommended safeguards against additional technical risks

As cloud computing has caused enterprises to depend more on wireless access to software applications and offsite data storage, new security issues have arisen and will continue to surface as enterprises increasingly rely on the security regimes of third-party offsite operators (regimes they cannot effectively police). A significant risk occurs not merely to the integrity of the data stored offsite but to uninterrupted access to it. Because numerous and varied enterprises’ commercial viability depends on immediate and uninterrupted access to sensitive digital information, any breakdown in digital communication with offsite providers will have immediate and long-term commercial consequences. Losing Internet access is the simplest example, as 9/11 and its repercussions suggested, given that during the attack and the days afterwards, with cell phone communications down, enterprises used their fax machine’s handsets to place calls to emergency services and to keep their businesses running. (Note that VoIP users do not have this option, and instead lose everything when their Internet connection is severed.) To address the risk of losing access due to an Internet crash, an onsite legacy system or other redundant computing capability deserves serious consideration, and senior management should also allow for contingency communications through other means.

On 10 June 2008, the US Department of Homeland Security (DHS) issued a warning to certain government and private-sector officials concerning the cybertargeting of US corporate and government personnel when traveling abroad.9 The DHS warning emphasized the following risks:10

• “Foreign governments routinely target the computers and other electronic devices and media carried by U.S. corporate and government personnel traveling abroad ... Theft of sensitive information can occur in a foreign country at any point … and can continue after returning home without the victim being aware ...”

• “Travelers should assume that they cannot protect electronically stored data and should not transmit sensitive … information on the Internet or through telecommunications equipment.”

• “Devices carried overseas should be screened thoroughly upon return for the presence of malicious software.”

• “The best strategy to protect electronic devices when traveling is to leave them at home. If this is impossible, alternatives include … using a designated ‘travel’ laptop that contains minimal sensitive information … however, travelers should assume that all communications are monitored.”

Recent consent decrees from the US Federal Trade Commission (some involving several million in civil penalties11) suggest the extent of commercial enterprises’ obligations to secure their valuable assets. In these, defendant companies were charged with failing to provide reasonable and appropriate security for digitized personal or financial information. In response, defendants agreed to implement comprehensive information security programs, including:

• “identification of material internal and external risks to the security, confidentiality, and integrity of personal information … and assessment of any safeguards in place to control these risks”;

• “design and implementation of reasonable safeguards to control the risks identified through risk assessment”;

• “regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures”; and

• “evaluation and adjustments of respondent’s information security program in light of the results of the testing and monitoring.”12

All enterprises that rely on digital data run the risk that their data will be misappropriated or corrupted. Enterprises with a higher iconic or critical infrastructure profile incur a heightened duty to harden the enterprise and its digitized assets. We believe best practices for such high-profile enterprises will become the standard for the security measures that must be implemented by all major enterprises and their management, officers and directors.

Enterprises should understand that their commercial viability depends increasingly on protecting the integrity of their stored digital data and on ensuring uninterrupted access to it. In the event of a multi-enterprise security breach, moreover, the enterprise that maintains uninterrupted operations (or that is restored the most quickly to effective functioning) will gain a significant commercial advantage. Securing an enterprise’s digital data, proactive prevention of security breaches, and rapid mitigation of and recovery from any such breach must be part of a comprehensive digital security regime for any enterprise whose commercial viability depends on the integrity of its digital information assets.

Acknowledgments

The authors gratefully acknowledge the research and editorial contributions of David Rosenblum, Michael Lesk, and Charles P. Pfleeger. The views expressed here are solely the authors’ and have not been approved by, and should not be attributed to, the US Military Academy, the Department of Defense, or the US government.

References

1. US Computer Emergency Response Team (CERT), “Cyber Security Response to Physical Security Breaches,” 28 Nov. 2007; www.us-cert.gov/reading_room/cssp_cyberresponse0712.pdf.

2. J. Walden, A.H. Southwell, and A. Goodman, “Data Breaches: Expect A Rise in Litigation,” New York Law J., 12 May 2008, p. S4.

3. M. Peel and K. Allison, “Devil in the Details: Why Personal Data are Ever More Open to Loss and Abuse,” Financial Times, 25–26 Dec. 2008, p. 5.

4. E.M. Power and R.L. Trope, Sailing in Dangerous Waters: A Director’s Guide to Data Governance, American Bar Association, 2005.

5. Nash v. The Port Authority of New York and New Jersey, New York Law J., 2 May 2008, pp. 26, 34–35 (New York Appellate Division, First Department).

6. C.M. Godfrey, “In re The Walt Disney Company Derivative Litigation,” Business Law Today, July/Aug. 2008, p. 47.

7. “In the Matter of the Complaint of The City of New York as Owner and Operator of the M/V Andrew J. Barberi,” memorandum and order 03-CV-6049, 26 Feb. 2007; http://63.72.236.16/pub/rulings/cv/2003/03cv6049mo22607.pdf.

8. United States v. Carroll Towing Co., Federal Reporter, 2nd Series, vol. 159, 1947, p. 173 (US Court of Appeals for the Second Circuit).

9. S. Gorman, “US Fears Threat of Cyberspying at Olympics,” Wall Street J., 17 July 2008, p. 16; http://online.wsj.com/article/SB121625646058760485.html.

10. Department of Homeland Security, Office of Intelligence and Analysis, (U) Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities, Homeland Security Assessment, 10 June 2008; http://online.wsj.com/public/resources/documents/cyber-threatassessment-07172008.pdf.

11. United States v. Valueclick, Inc., case no. CV08-01711, 27 Mar. 2008, p. 8 (consent decree for defendant to pay civil penalty of US$2.9 million); www.ftc.gov/os/caselist/0723111/index.shtm.

12. In the Matter of The TJX Companies, Inc., file no. 072 3055, agreement containing consent order, 27 March 2008, p. 3; www.ftc.gov/os/caselist/0723055/index.shtm.

Roland L. Trope is a partner in the New York City office of Trope and Schramm, LLP, and an adjunct professor in the Department of Law at the US Military Academy. Trope has a Juris Doctor from Yale Law School. He co-authored the treatise Checkpoints in Cyberspace: Best Practices for Averting Liability in Cross-Border Transactions (American Bar Association, 2005). Contact him at [email protected].

Monique Witt is a lawyer in New York City. She has Juris Doctor and Doctor of Philosophy degrees from Yale University. Contact her at [email protected].

William J. Adams is an assistant professor of computer science and a senior research scientist in information assurance at the US Military Academy, West Point, as well as a lieutenant colonel in the US Army. Adams has a PhD in computer engineering from the Virginia Polytechnic Institute and State University. He is a senior member of the IEEE. Contact him at [email protected].

Maintaining security logs

The importance of logging access to and intrusions into an enterprise’s computers was illustrated when illegally implanted software in four of Vodafone’s Greek switches created a parallel path for digitized voices and thus enabled such intruders to tap into roughly 100 cell phones belonging to senior officials in the Greek government (such as the prime minister and ministers of defense, foreign affairs, and justice). Its discovery did not enable Vodafone or Greek law enforcement authorities to identify the intruders or their motives because Vodafone allowed its IT staff to perform maintenance and upgrades that destroyed the relevant digital data. When Vodafone upgraded servers used for accessing the exchange management system, for example, it “wiped out the access logs, and, contrary to company policy, no backups were retained.”1 By depriving itself of data on who carried out the intrusion, Vodafone left itself at increased risk of suffering a similar intrusion in the future.

Reference

1. V. Prevelakis and D. Spinellis, “The Athens Affair,” IEEE Spectrum, July 2007, p. 32.


6/15/10 11:59 PMGet a Document - by Citation - 698 A.2d 959

Page 1 of 16http://www.law.uh.edu/healthlaw/law/FederalMaterials/FederalCases/InreCaremark.htm

COURT OF CHANCERY OF DELAWARE, NEW CASTLE

IN RE CAREMARK INTERNATIONAL INC. DERIVATIVE LITIGATION

CONSOLIDATED CIVIL ACTION NO. 13670

698 A.2d 959

August 16, 1996, DATE SUBMITTED

September 25, 1996, DATE DECIDED

COUNSEL: Joseph A. Rosenthal, Esquire, of ROSENTHAL, MONHAIT, GROSS & GODDESS, P.A., Wilmington, Delaware; OF COUNSEL: LOWEY DANNENBERG BEMPORAD & SELINGER, P.C., White Plains, New York; GOODKIND LABATON RUDOFF & SUCHAROW, L.L.P., New York, New York; Attorneys for Plaintiffs.

Kevin G. Abrams, Esquire, Thomas A. Beck, Esquire and Richard I.G. Jones, Jr., Esquire, of RICHARDS, LAYTON & FINGER, Wilmington, Delaware; OF COUNSEL: Howard M. Pearl, Esquire, Timothy J. Rivelli, Esquire and Julie A. Bauer, Esquire, of WINSTON & STRAWN, Chicago, Illinois; Attorneys for Caremark International, Inc.

Kenneth J. Nachbar, Esquire, of MORRIS, NICHOLS, ARSHT & TUNNELL, Wilmington, Delaware; OF COUNSEL: William J. Linklater, Esquire, of BAKER & McKENZIE, Chicago, Illinois; Attorneys for Individual Defendants.

JUDGES: ALLEN, CHANCELLOR

OPINIONBY: ALLEN

OPINION: MEMORANDUM OPINION

ALLEN, CHANCELLOR

Pending is a motion pursuant to Chancery Rule 23.1 to approve as fair and reasonable a proposed settlement of a consolidated derivative action on behalf of Caremark International, Inc. ("Caremark"). The suit involves claims that the members of Caremark's board of directors (the "Board") breached their fiduciary duty of care to Caremark in connection with alleged violations by Caremark employees of federal and state laws and regulations applicable to health care providers. As a result of the alleged violations, Caremark was subject to an extensive four year investigation by the United States Department of Health and Human Services and the Department of Justice. In 1994 Caremark was charged in an indictment with multiple felonies. It thereafter entered into a number of agreements with the Department of Justice and others. Those agreements included a plea agreement in which Caremark pleaded guilty to a single felony of mail fraud and agreed to pay civil and criminal fines. Subsequently, Caremark agreed to make reimbursements to various private and public parties. In all, the payments that Caremark has been required to make total approximately $ 250 million.

This suit was filed in 1994, purporting to seek on behalf of the company recovery of these losses from the individual defendants who constitute the board of directors of Caremark. n1 The parties now propose that it be settled and, after notice to Caremark shareholders, a hearing on the fairness of the proposal was held on August 16, 1996.


- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n1 Thirteen of the Directors have been members of the Board since November 30, 1992. Nancy Brinker joined the Board in October 1993.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - -

A motion of this type requires the court to assess the strengths and weaknesses of the claims asserted in light of the discovery record and to evaluate the fairness and adequacy of the consideration offered to the corporation in exchange for the release of all claims made or arising from the facts alleged. The ultimate issue then is whether the proposed settlement appears to be fair to the corporation and its absent shareholders. In this effort the court does not determine contested facts, but evaluates the claims and defenses on the discovery record to achieve a sense of the relative strengths of the parties' positions. Polk v. Good, Del.Supr., 507 A.2d 531, 536 (1986). In doing this, in most instances, the court is constrained by the absence of a truly adversarial process, since inevitably both sides support the settlement and legally assisted objectors are rare. Thus, the facts stated hereafter represent the court's effort to understand the context of the motion from the discovery record, but do not deserve the respect that judicial findings after trial are customarily accorded.

Legally, evaluation of the central claim made entails consideration of the legal standard governing a board of directors' obligation to supervise or monitor corporate performance. For the reasons set forth below I conclude, in light of the discovery record, that there is a very low probability that it would be determined that the directors of Caremark breached any duty to appropriately monitor and supervise the enterprise. Indeed the record tends to show an active consideration by Caremark management and its Board of the Caremark structures and programs that ultimately led to the company's indictment and to the large financial losses incurred in the settlement of those claims. It does not tend to show knowing or intentional violation of law. Neither the fact that the Board, although advised by lawyers and accountants, did not accurately predict the severe consequences to the company that would ultimately follow from the deployment by the company of the strategies and practices that ultimately led to this liability, nor the scale of the liability, gives rise to an inference of breach of any duty imposed by corporation law upon the directors of Caremark.

I. BACKGROUND

For these purposes I regard the following facts, suggested by the discovery record, as material.

Caremark, a Delaware corporation with its headquarters in Northbrook, Illinois, was created in November 1992 when it was spun-off from Baxter International, Inc. ("Baxter") and became a publicly held company listed on the New York Stock Exchange. The business practices that created the problem pre-dated the spin-off. During the relevant period Caremark was involved in two main health care business segments, providing patient care and managed care services. As part of its patient care business, which accounted for the majority of Caremark's revenues, Caremark provided alternative site health care services, including infusion therapy, growth hormone therapy, HIV/AIDS-related treatments and hemophilia therapy. Caremark's managed care services included prescription drug programs and the operation of multi-specialty group practices.

A. Events Prior to the Government Investigation

A substantial part of the revenues generated by Caremark's businesses is derived from third party payments, insurers, and Medicare and Medicaid reimbursement programs. The latter source of payments are subject to the terms of the Anti-Referral Payments Law ("ARPL") which prohibits health care providers from paying any form of remuneration to induce the referral of Medicare or Medicaid patients. From its inception, Caremark entered into a variety of agreements with hospitals, physicians, and health care providers for advice and services, as well as distribution agreements with drug manufacturers, as had its predecessor prior to 1992. Specifically, Caremark did have a practice of entering into contracts for services (e.g., consultation agreements and research grants) with physicians at least some of whom prescribed or recommended services or products that Caremark provided to Medicare recipients and other patients. Such contracts were not prohibited by the ARPL but they obviously raised a possibility of unlawful "kickbacks."

As early as 1989, Caremark's predecessor issued an internal "Guide to Contractual Relationships" ("Guide") to govern its employees in entering into contracts with physicians and hospitals. The Guide tended to be reviewed annually by lawyers and updated. Each version of the Guide stated as Caremark's and its predecessor's policy that no payments would be made in exchange for or to induce patient referrals. But what one might deem a prohibited quid pro quo was not always clear. Due to a scarcity of court decisions interpreting the ARPL, however, Caremark repeatedly publicly stated that there was uncertainty concerning Caremark's interpretation of the law.

To clarify the scope of the ARPL, the United States Department of Health and Human Services ("HHS") issued "safe harbor" regulations in July 1991 stating conditions under which financial relationships between health care service providers and patient referral sources, such as physicians, would not violate the ARPL. Caremark contends that the narrowly drawn regulations gave limited guidance as to the legality of many of the agreements used by Caremark that did not fall within the safe-harbor. Caremark's predecessor, however, amended many of its standard forms of agreement with health care providers and revised the Guide in an apparent attempt to comply with the new regulations.

B. Government Investigation and Related Litigation

In August 1991, the HHS Office of the Inspector General ("OIG") initiated an investigation of Caremark's predecessor. Caremark's predecessor was served with a subpoena requiring the production of documents, including contracts between Caremark's predecessor and physicians (Quality Service Agreements ("QSAs")). Under the QSAs, Caremark's predecessor appears to have paid physicians fees for monitoring patients under Caremark's predecessor's care, including Medicare and Medicaid recipients. Sometimes apparently those monitoring patients were referring physicians, which raised ARPL concerns.

In March 1992, the Department of Justice ("DOJ") joined the OIG investigation and separate investigations were commenced by several additional federal and state agencies. n2

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n2 In addition to investigating whether Caremark's financial relationships with health care providers were intended to induce patient referrals, inquiries were made concerning Caremark's billing practices, activities which might lead to excessive and medically unnecessary treatments for patients, potentially improper waivers of patient co-payment obligations, and the adequacy of records kept at Caremark pharmacies.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

C. Caremark's Response to the Investigation

During the relevant period, Caremark had approximately 7,000 employees and ninety branch operations. It had a decentralized management structure. By May 1991, however, Caremark asserts that it had begun making attempts to centralize its management structure in order to increase supervision over its branch operations.

The first action taken by management, as a result of the initiation of the OIG investigation, was an announcement that as of October 1, 1991, Caremark's predecessor would no longer pay management fees to physicians for services to Medicare and Medicaid patients. Despite this decision, Caremark asserts that its management, pursuant to advice, did not believe that such payments were illegal under the existing laws and regulations.

During this period, Caremark's Board took several additional steps consistent with an effort to assure compliance with company policies concerning the ARPL and the contractual forms in the Guide. In April 1992, Caremark published a fourth revised version of its Guide apparently designed to assure that its agreements either complied with the ARPL and regulations or excluded Medicare and Medicaid patients altogether. In addition, in September 1992, Caremark instituted a policy requiring its regional officers, Zone Presidents, to approve each contractual relationship entered into by Caremark with a physician.

Although there is evidence that inside and outside counsel had advised Caremark's directors that their contracts were in accord with the law, Caremark recognized that some uncertainty respecting the correct interpretation of the law existed. In its 1992 annual report, Caremark disclosed the ongoing government investigations, acknowledged that if penalties were imposed on the company they could have a material adverse effect on Caremark's business, and stated that no assurance could be given that its interpretation of the ARPL would prevail if challenged.

Throughout the period of the government investigations, Caremark had an internal audit plan designed to assure compliance with business and ethics policies. In addition, Caremark employed Price Waterhouse as its outside auditor. On February 8, 1993, the Ethics Committee of Caremark's Board received and reviewed an outside auditors report by Price Waterhouse which concluded that there were no material weaknesses in Caremark's control structure. n3 Despite the positive findings of Price Waterhouse, however, on April 20, 1993, the Audit & Ethics Committee adopted a new internal audit charter requiring a comprehensive review of compliance policies and the compilation of an employee ethics handbook concerning such policies. n4

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n3 At that time, Price Waterhouse viewed the outcome of the OIG Investigation as uncertain. After further audits, however, on February 7, 1995, Price Waterhouse informed the Audit & Ethics Committee that it had not become aware of any irregularities or illegal acts in relation to the OIG investigation.

n4 Price Waterhouse worked in conjunction with the Internal Audit Department.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

The Board appears to have been informed about this project and other efforts to assure compliance with the law. For example, Caremark's management reported to the Board that Caremark's sales force was receiving an ongoing education regarding the ARPL and the proper use of Caremark's form contracts which had been approved by in-house counsel. On July 27, 1993, the new ethics manual, expressly prohibiting payments in exchange for referrals and requiring employees to report all illegal conduct to a toll free confidential ethics hotline, was approved and allegedly disseminated. n5 The record suggests that Caremark continued these policies in subsequent years, causing employees to be given revised versions of the ethics manual and requiring them to participate in training sessions concerning compliance with the law.


- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n5 Prior to the distribution of the new ethics manual, on March 12, 1993, Caremark's president had sent a letter to all senior, district, and branch managers restating Caremark's policies that no physician be paid for referrals, that the standard contract forms in the Guide were not to be modified, and that deviation from such policies would result in the immediate termination of employment.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

During 1993, Caremark took several additional steps which appear to have been aimed at increasing management supervision. These steps included new policies requiring local branch managers to secure home office approval for all disbursements under agreements with health care providers and to certify compliance with the ethics program. In addition, the chief financial officer was appointed to serve as Caremark's compliance officer. In 1994, a fifth revised Guide was published.

D. Federal Indictments Against Caremark and Officers

On August 4, 1994, a federal grand jury in Minnesota issued a 47 page indictment charging Caremark, two of its officers (not the firm's chief officer), an individual who had been a sales employee of Genentech, Inc., and David R. Brown, a physician practicing in Minneapolis, with violating the ARPL over a lengthy period. According to the indictment, over $ 1.1 million had been paid to Brown to induce him to distribute Protropin, a human growth hormone drug marketed by Caremark. n6 The substantial payments involved started, according to the allegations of the indictment, in 1986 and continued through 1993. Some payments were "in the guise of research grants", Ind. P20, and others were "consulting agreements", Ind. P19. The indictment charged, for example, that Dr. Brown performed virtually none of the consulting functions described in his 1991 agreement with Caremark, but was nevertheless neither required to return the money he had received nor precluded from receiving future funding from Caremark. In addition the indictment charged that Brown received from Caremark payments of staff and office expenses, including telephone answering services and fax rental expenses.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n6 In addition to prescribing Protropin, Dr. Brown had been receiving research grants from Caremark

as well as payments for services under a consulting agreement for several years before and after the

investigation. According to an undated document from an unknown source, Dr. Brown and six other

researchers had been providing patient referrals to Caremark valued at $ 6.55 for each $ 1 of

research money they received.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

In reaction to the Minnesota Indictment and the subsequent filing of this and other derivative actions

in 1994, the Board met and was informed by management that the investigation had resulted in an

indictment; Caremark denied any wrongdoing relating to the indictment and believed that the OIG

investigation would have a favorable outcome. Management reiterated the grounds for its view that

the contracts were in compliance with law.

Subsequently, five stockholder derivative actions were filed in this court and consolidated into this

action. The original complaint, dated August 5, 1994, alleged, in relevant part, that Caremark's

directors breached their duty of care by failing adequately to supervise the conduct of Caremark

employees, or institute corrective measures, thereby exposing Caremark to fines and liability. n7

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n7 Caremark moved to dismiss this complaint on September 14, 1994. Prior to that motion, another

stockholder derivative action had been filed in the United States District Court for the Northern

District of Illinois, complaining of similar misconduct on the part of Caremark, its Directors, and

three employees, as well as several other claims including RICO violations. Brumberg v. Mieszala,

No. 94 C 4798 (N.D. Ill.). The federal court entered a stay of all proceedings pending resolution of

this case.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

On September 21, 1994, a federal grand jury in Columbus, Ohio issued another indictment alleging

that an Ohio physician had defrauded the Medicare program by requesting and receiving $ 134,600

in exchange for referrals of patients whose medical costs were in part reimbursed by Medicare in

violation of the ARPL. Although unidentified at that time, Caremark was the health care provider who

allegedly made such payments. The indictment also charged that the physician, Elliot Neufeld, D.O.,

was provided with the services of a registered nurse to work in his office at the expense of the

infusion company, in addition to free office equipment.

An October 28, 1994 amended complaint in this action added allegations concerning the Ohio

indictment as well as new allegations of over billing and inappropriate referral payments in

connection with an action brought in Atlanta, Booth v. Rankin. Following a newspaper article report

that federal investigators were expanding their inquiry to look at Caremark's referral practices in

Michigan as well as allegations of fraudulent billing of insurers, a second amended complaint was

filed in this action. The third, and final, amended complaint was filed on April 11, 1995, adding

allegations that the federal indictments had caused Caremark to incur significant legal fees and

forced it to sell its home infusion business at a loss. n8

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n8 On January 29, 1995, Caremark entered into a definitive agreement to sell its home infusion

business to Coram Health Care Company for approximately $ 310 million. Baxter purchased the

home infusion business in 1987 for $ 586 million.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

After each complaint was filed, defendants filed a motion to dismiss. According to defendants, if a

settlement had not been reached in this action, the case would have been dismissed on two

grounds. First, they contend that the complaints fail to allege particularized facts sufficient to excuse

the demand requirement under Delaware Chancery Court Rule 23.1. Second, defendants assert that

plaintiffs had failed to state a cause of action due to the fact that Caremark's charter eliminates

directors' personal liability for money damages, to the extent permitted by law.

Settlement Negotiations

In September, following the announcement of the Ohio indictment, Caremark publicly announced

that as of January 1, 1995, it would terminate all remaining financial relationships with physicians in

its home infusion, hemophilia, and growth hormone lines of business. n9 In addition, Caremark

asserts that it extended its restrictive policies to all of its contractual relationships with physicians,

rather than just those involving Medicare and Medicaid patients, and terminated its research grant

program which had always involved some recipients who referred patients to Caremark.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n9 On June 1, 1993, Caremark had stopped entering into new contractual agreements in those

business segments.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

Caremark began settlement negotiations with federal and state government entities in May 1995. In

return for a guilty plea to a single count of mail fraud by the corporation, the payment of a criminal

fine, the payment of substantial civil damages, and cooperation with further federal investigations on

matters relating to the OIG investigation, the government entities agreed to negotiate a settlement

that would permit Caremark to continue participating in Medicare and Medicaid programs. On June

15, 1995, the Board approved a settlement ("Government Settlement Agreement") with the DOJ,

OIG, U.S. Veterans Administration, U.S. Federal Employee Health Benefits Program, federal Civilian

Health and Medical Program of the Uniformed Services, and related state agencies in all fifty states

and the District of Columbia. n10 No senior officers or directors were charged with wrongdoing in the

Government Settlement Agreement or in any of the prior indictments. In fact, as part of the

sentencing in the Ohio action on June 19, 1995, the United States stipulated that no senior

executive of Caremark participated in, condoned, or was willfully ignorant of wrongdoing in

connection with the home infusion business practices. n11

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n10 The agreement, covering allegations since 1986, required a Caremark subsidiary to enter a

guilty plea to two counts of mail fraud, and required Caremark to pay $ 29 million in criminal fines,

$ 129.9 million relating to civil claims concerning payment practices, $ 3.5 million for alleged

violations of the Controlled Substances Act, and $ 2 million, in the form of a donation, to a grant

program set up by the Ryan White Comprehensive AIDS Resources Emergency Act. Caremark also

agreed to enter into a compliance agreement with the HHS.

n11 On July 25, 1995, another shareholder derivative complaint was filed against Caremark and

seven of its Directors, asserting allegations related to the Minnesota indictment and the terms of the

Government Settlement Agreement. Lenzen v. Piccolo, No. 95 CH 7118 (Circuit Court of Cook

County, Illinois).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

The federal settlement included certain provisions in a "Corporate Integrity Agreement" designed to

enhance future compliance with law. The parties have not discussed this agreement, except to say

that the negotiated provisions of the settlement of this claim are not redundant of those in that

agreement.

Settlement negotiations between the parties in this action commenced in May 1995 as well, based

upon a letter proposal of the plaintiffs, dated May 16, 1995. n12 These negotiations resulted in a

memorandum of understanding ("MOU"), dated June 7, 1995, and the execution of the Stipulation

and Agreement of Compromise and Settlement on June 28, 1995, which is the subject of this action.

n13 The MOU, approved by the Board on June 15, 1995, required the Board to adopt several

resolutions, discussed below, and to create a new compliance committee. The Compliance and Ethics

Committee has been reporting to the Board in accord with its newly specified duties.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n12 No government entities were involved in these separate, but concurrent negotiations.

n13 Plaintiff's initial proposal had both a monetary component, requiring Caremark's director-officers

to relinquish stock options, and a remedial component, requiring management to adopt and

implement several compliance related measures. The monetary component was subsequently

eliminated.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

After negotiating these settlements, Caremark learned in December 1995 that several private

insurance company payors ("Private Payors") believed that Caremark was liable for damages to them

for allegedly improper business practices related to those at issue in the OIG investigation. As a

result of intensive negotiations with the Private Payors and the Board's extensive consideration of

the alternatives for dealing with such claims, the Board approved a $ 98.5 million settlement

agreement with the Private Payors on March 18, 1996. In its public disclosure statement, Caremark

asserted that the settlement did not involve current business practices and contained an express

denial of any wrongdoing by Caremark. After further discovery in this action, the plaintiffs decided to

continue seeking approval of the proposed settlement agreement.

F. The Proposed Settlement of this Litigation

In relevant part the terms upon which these claims asserted are proposed to be settled are as

follows:

1. That Caremark, undertakes that it and its employees, and agents not pay any form of

compensation to a third party in exchange for the referral of a patient to a Caremark

facility or service or the prescription of drugs marketed or distributed by Caremark for

which reimbursement may be sought from Medicare, Medicaid, or a similar state

reimbursement program;

2. That Caremark, undertakes for itself and its employees, and agents not to pay to or

split fees with physicians, joint ventures, any business combination in which Caremark

maintains a direct financial interest, or other health care providers with whom Caremark

has a financial relationship or interest, in exchange for the referral of a patient to a

Caremark facility or service or the prescription of drugs marketed or distributed by

Caremark for which reimbursement may be sought from Medicare, Medicaid, or a similar

state reimbursement program;

3. That the full Board shall discuss all relevant material changes in government health

care regulations and their effect on relationships with health care providers on a semi-

annual basis;

4. That Caremark's officers will remove all personnel from health care facilities or

hospitals who have been placed in such facility for the purpose of providing remuneration

in exchange for a patient referral for which reimbursement may be sought from

Medicare, Medicaid, or a similar state reimbursement program;

5. That every patient will receive written disclosure of any financial relationship between

Caremark and the health care professional or provider who made the referral;

6. That the Board will establish a Compliance and Ethics Committee of four directors, two

of which will be non-management directors, to meet at least four times a year to

effectuate these policies and monitor business segment compliance with the ARPL, and

to report to the Board semi-annually concerning compliance by each business segment;

and

7. That corporate officers responsible for business segments shall serve as compliance

officers who must report semi-annually to the Compliance and Ethics Committee and,

with the assistance of outside counsel, review existing contracts and get advanced

approval of any new contract forms.

II. LEGAL PRINCIPLES

A. Principles Governing Settlements of Derivative Claims

As noted at the outset of this opinion, this Court is now required to exercise an informed judgment

whether the proposed settlement is fair and reasonable in the light of all relevant factors. Polk v.

Good, Del.Supr., 507 A.2d 531 (1986). On an application of this kind, this Court attempts to protect

the best interests of the corporation and its absent shareholders all of whom will be barred from

future litigation on these claims if the settlement is approved. The parties proposing the settlement

bear the burden of persuading the court that it is in fact fair and reasonable. Fins v. Pearlman,

Del.Supr., 424 A.2d 305 (1980).

B. Directors' Duties To Monitor Corporate Operations

The complaint charges the director defendants with breach of their duty of attention or care in

connection with the on-going operation of the corporation's business. The claim is that the directors

allowed a situation to develop and continue which exposed the corporation to enormous legal liability

and that in so doing they violated a duty to be active monitors of corporate performance. The

complaint thus does not charge either director self-dealing or the more difficult loyalty-type

problems arising from cases of suspect director motivation, such as entrenchment or sale of control

contexts. n14 The theory here advanced is possibly the most difficult theory in corporation law upon

which a plaintiff might hope to win a judgment. The good policy reasons why it is so difficult to

charge directors with responsibility for corporate losses for an alleged breach of care, where there is

no conflict of interest or no facts suggesting suspect motivation involved, were recently described in

Gagliardi v. TriFoods Int'l Inc., Del.Ch., 683 A.2d 1049 (1996) (1996 Del.Ch. LEXIS 87 at p.20).

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n14 See Weinberger v. UOP, Inc., Del.Supr., 457 A.2d 701, 711 (1983) (entire fairness test when

financial conflict of interest involved); Unitrin, Inc. v. American General Corp., Del.Supr., 651 A.2d

1361, 1372 (1995) (intermediate standard of review when "defensive" acts taken); QVC Network,

Inc. v. Paramount Communications, Inc., Del.Supr., 637 A.2d 34, 45 (1994) (intermediate test when

corporate control transferred).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

1. Potential liability for directoral decisions: Director liability for a breach of the duty to exercise

appropriate attention may, in theory, arise in two distinct contexts. First, such liability may be said

to follow from a board decision that results in a loss because that decision was ill advised or

"negligent". Second, liability to the corporation for a loss may be said to arise from an unconsidered

failure of the board to act in circumstances in which due attention would, arguably, have prevented

the loss. See generally Veasey & Seitz, The Business Judgment Rule in the Revised Model Act...63

TEXAS L. REV. 1483 (1985). The first class of cases will typically be subject to review under the

director-protective business judgment rule, assuming the decision made was the product of a

process that was either deliberately considered in good faith or was otherwise rational. See Aronson

v. Lewis, Del.Supr., 473 A.2d 805 (1984); Gagliardi v. TriFoods Int'l Inc., Del.Ch. 683 A.2d 1049

(1996). What should be understood, but may not widely be understood by courts or commentators

who are not often required to face such questions, n15 is that compliance with a director's duty of

care can never appropriately be judicially determined by reference to the content of the board

decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the

process employed. That is, whether a judge or jury considering the matter after the fact, believes a

decision substantively wrong, or degrees of wrong extending through "stupid" to "egregious" or

"irrational", provides no ground for director liability, so long as the court determines that the process

employed was either rational or employed in a good faith effort to advance corporate interests. To

employ a different rule -- one that permitted an "objective" evaluation of the decision -- would

expose directors to substantive second guessing by ill-equipped judges or juries, which would, in the

long-run, be injurious to investor interests. n16 Thus, the business judgment rule is process oriented

and informed by a deep respect for all good faith board decisions.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n15 See American Law Institute, Principles of Corporate Governance § 4.01(c) (to qualify for

business judgment treatment a director must "rationally" believe that the decision is in the best

interests of the corporation).

n16 The vocabulary of negligence while often employed, e.g., Aronson v. Lewis, Del. Supr., 473 A.2d

805 (1984) is not well-suited to judicial review of board attentiveness, see, e.g., Joy v. North, 692

F.2d 880, 885-6 (2d. Cir. 1982), especially if one attempts to look to the substance of the decision

as any evidence of possible "negligence." Where review of board functioning is involved, courts leave

behind as a relevant point of reference the decisions of the hypothetical "reasonable person", who

typically supplies the test for negligence liability. It is doubtful that we want business men and

women to be encouraged to make decisions as hypothetical persons of ordinary judgment and

prudence might. The corporate form gets its utility in large part from its ability to allow diversified

investors to accept greater investment risk. If those in charge of the corporation are to be adjudged

personally liable for losses on the basis of a substantive judgment based upon what persons of

ordinary or average judgment and average risk assessment talent regard as "prudent" "sensible" or

even "rational", such persons will have a strong incentive at the margin to authorize less risky

investment projects.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

Indeed, one wonders on what moral basis might shareholders attack a good faith business decision

of a director as "unreasonable" or "irrational". Where a director in fact exercises a good faith effort

to be informed and to exercise appropriate judgment, he or she should be deemed to satisfy fully

the duty of attention. If the shareholders thought themselves entitled to some other quality of

judgment than such a director produces in the good faith exercise of the powers of office, then the

shareholders should have elected other directors. Judge Learned Hand made the point rather better

than can I. In speaking of the passive director defendant Mr. Andrews in Barnes v. Andrews, Judge

Hand said:

True, he was not very suited by experience for the job he had undertaken, but I cannot

hold him on that account. After all it is the same corporation that chose him that now

seeks to charge him....Directors are not specialists like lawyers or doctors....They are the

general advisors of the business and if they faithfully give such ability as they have to

their charge, it would not be lawful to hold them liable. Must a director guarantee that

his judgment is good? Can a shareholder call him to account for deficiencies that their

votes assured him did not disqualify him for his office? While he may not have been the

Cromwell for that Civil War, Andrews did not engage to play any such role. n17

In this formulation Learned Hand correctly identifies, in my opinion, the core element of any

corporate law duty of care inquiry: whether there was good faith effort to be informed and exercise

judgment.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n17 208 App. Div. 856 (S.D.N.Y. 1924).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

2. Liability for failure to monitor: The second class of cases in which director liability for inattention

is theoretically possible entail circumstances in which a loss eventuates not from a decision but, from

unconsidered inaction. Most of the decisions that a corporation, acting through its human agents,

makes are, of course, not the subject of director attention. Legally, the board itself will be required

only to authorize the most significant corporate acts or transactions: mergers, changes in capital

structure, fundamental changes in business, appointment and compensation of the CEO, etc. As the

facts of this case graphically demonstrate, ordinary business decisions that are made by officers and

employees deeper in the interior of the organization can, however, vitally affect the welfare of the

corporation and its ability to achieve its various strategic and financial goals. If this case did not

prove the point itself, recent business history would. Recall for example the displacement of senior

management and much of the board of Salomon, Inc.; n18 the replacement of senior management

of Kidder, Peabody following the discovery of large trading losses resulting from phantom trades by a

highly compensated trader; n19 or the extensive financial loss and reputational injury suffered by

Prudential Insurance as a result of its junior officers' misrepresentations in connection with the

distribution of limited partnership interests. n20 Financial and organizational disasters such as these

raise the question, what is the board's responsibility with respect to the organization and monitoring

of the enterprise to assure that the corporation functions within the law to achieve its purposes?

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n18 See, e.g., Rotten at the Core, the Economist, August 17, 1991, at 69-70, The Judgment of

Salomon: An Anticlimax, Bus. Week, June 1, 1992, at 106.

n19 See Terence P. Pare, Jack Welch's Nightmare on Wall Street, Fortune, Sept. 5, 1994, at 40-48.

n20 Michael Schroeder and Leah Nathans Spiro, Is George Ball's Luck Running Out?, Bus. Week,

November 8, 1993, at 74-76; Joseph B. Treaster, Prudential To Pay Policyholders $ 410 Million, New

York Times, Sept 25, 1996, (at D-1).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

Modernly this question has been given special importance by an increasing tendency, especially

under federal law, to employ the criminal law to assure corporate compliance with external legal

requirements, including environmental, financial, employee and product safety as well as assorted

other health and safety regulations. In 1991, pursuant to the Sentencing Reform Act of 1984, n21

the United States Sentencing Commission adopted Organizational Sentencing Guidelines which

impact importantly on the prospective effect these criminal sanctions might have on business

corporations. The Guidelines set forth a uniform sentencing structure for organizations to be

sentenced for violation of federal criminal statutes and provide for penalties that equal or often

massively exceed those previously imposed on corporations. n22 The Guidelines offer powerful

incentives for corporations today to have in place compliance programs to detect violations of law,

promptly to report violations to appropriate public officials when discovered, and to take prompt,

voluntary remedial efforts.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n21 See Sentencing Reform Act of 1984, Pub.L. 98-473, Title II, § 212 (a)(2) (1984); 18 USCA §§

3331-4120.

n22 See United States Sentencing Commission, Guidelines Manual, Chapter 8 (U.S. Government

Printing Office November 1994).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

In 1963, the Delaware Supreme Court in Graham v. Allis-Chalmers Mfg. Co., n23 addressed the

question of potential liability of board members for losses experienced by the corporation as a result

of the corporation having violated the anti-trust laws of the United States. There was no claim in

that case that the directors knew about the behavior of subordinate employees of the corporation

that had resulted in the liability. Rather, as in this case, the claim asserted was that the directors

ought to have known of it and if they had known they would have been under a duty to bring the

corporation into compliance with the law and thus save the corporation from the loss. The Delaware

Supreme Court concluded that, under the facts as they appeared, there was no basis to find that the

directors had breached a duty to be informed of the ongoing operations of the firm. In notably

colorful terms, the court stated that "absent cause for suspicion there is no duty upon the directors

to install and operate a corporate system of espionage to ferret out wrongdoing which they have no

reason to suspect exists." n24 The Court found that there were no grounds for suspicion in that case

and, thus, concluded that the directors were blamelessly unaware of the conduct leading to the

corporate liability. n25

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n23 41 Del. Ch. 78, 188 A.2d 125 (1963).

n24 Id. 188 A.2d at 130.

n25 Recently, the Graham standard was applied by the Delaware Chancery in a case involving

Baxter. In Re Baxter International, Inc. Shareholders Litig., Del.Ch., 654 A.2d 1268, 1270 (1995).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

How does one generalize this holding today? Can it be said today that, absent some ground giving

rise to suspicion of violation of law, that corporate directors have no duty to assure that a corporate

information gathering and reporting system exists which represents a good faith attempt to provide

senior management and the Board with information respecting material acts, events or conditions

within the corporation, including compliance with applicable statutes and regulations? I certainly do

not believe so. I doubt that such a broad generalization of the Graham holding would have been

accepted by the Supreme Court in 1963. The case can be more narrowly interpreted as standing for

the proposition that, absent grounds to suspect deception, neither corporate boards nor senior

officers can be charged with wrongdoing simply for assuming the integrity of employees and the

honesty of their dealings on the company's behalf. See 188 A.2d at 130-31.

A broader interpretation of Graham v. Allis Chalmers -- that it means that a corporate board has no

responsibility to assure that appropriate information and reporting systems are established by

management -- would not, in any event, be accepted by the Delaware Supreme Court in 1996, in my

opinion. In stating the basis for this view, I start with the recognition that in recent years the

Delaware Supreme Court has made it clear -- especially in its jurisprudence concerning takeovers,

from Smith v. Van Gorkom through QVC v. Paramount Communications n26 -- the seriousness with

which the corporation law views the role of the corporate board. Secondly, I note the elementary

fact that relevant and timely information is an essential predicate for satisfaction of the board's

supervisory and monitoring role under Section 141 of the Delaware General Corporation Law. Thirdly,

I note the potential impact of the federal organizational sentencing guidelines on any business

organization. Any rational person attempting in good faith to meet an organizational governance

responsibility would be bound to take into account this development and the enhanced penalties and

the opportunities for reduced sanctions that it offers.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n26 E.g., Smith v. Van Gorkom, Del.Supr., 488 A.2d 858 (1985); Paramount Communications v.

QVC Network, Del. Supr., 637 A.2d 34 (1993).

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -

In light of these developments, it would, in my opinion, be a mistake to conclude that our Supreme

Court's statement in Graham concerning "espionage" means that corporate boards may satisfy their

obligation to be reasonably informed concerning the corporation, without assuring themselves that

information and reporting systems exist in the organization that are reasonably designed to provide

to senior management and to the board itself timely, accurate information sufficient to allow

management and the board, each within its scope, to reach informed judgments concerning both

the corporation's compliance with law and its business performance.

Obviously the level of detail that is appropriate for such an information system is a question of

business judgment. And obviously too, no rationally designed information and reporting system will

remove the possibility that the corporation will violate laws or regulations, or that senior officers or

directors may nevertheless sometimes be misled or otherwise fail reasonably to detect acts material

to the corporation's compliance with the law. But it is important that the board exercise a good faith

judgment that the corporation's information and reporting system is in concept and design adequate

to assure the board that appropriate information will come to its attention in a timely manner as a

matter of ordinary operations, so that it may satisfy its responsibility.

Thus, I am of the view that a director's obligation includes a duty to attempt in good faith to assure

that a corporate information and reporting system, which the board concludes is adequate, exists,

and that failure to do so under some circumstances may, in theory at least, render a director liable

for losses caused by non-compliance with applicable legal standards n27. I now turn to an analysis

of the claims asserted with this concept of the directors' duty of care, as a duty satisfied in part by

assurance of adequate information flows to the board, in mind.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n27 Any action seeking recovery for losses would logically entail a judicial determination of proximate

cause, since, for reasons that I take to be obvious, it could never be assumed that an adequate

information system would be a system that would prevent all losses. I need not touch upon the

burden allocation with respect to a proximate cause issue in such a suit. See Cede & Co. v.

Technicolor, Inc., Del.Supr., 636 A.2d 956 (1994); Cinerama, Inc. v. Technicolor, Inc., Del.Ch., 663

A.2d 1134 (1994), aff'd., Del.Supr., 663 A.2d 1156 (1995). Moreover, questions of waiver of liability

under certificate provisions authorized by 8 Del.C. § 102(b)(7) may also be faced.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -


III ANALYSIS OF THIRD AMENDED COMPLAINT AND SETTLEMENT

A. The Claims

On balance, after reviewing an extensive record in this case, including numerous documents and

three depositions, I conclude that this settlement is fair and reasonable. In light of the fact that the

Caremark Board already has a functioning committee charged with overseeing corporate compliance,

the changes in corporate practice that are presented as consideration for the settlement do not

impress one as very significant. Nonetheless, that consideration appears fully adequate to support

dismissal of the derivative claims of director fault asserted, because those claims find no substantial

evidentiary support in the record and quite likely were susceptible to a motion to dismiss in all

events. n28

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n28 See In Re Baxter International, Inc. Shareholders Litig., Del.Ch., 654 A.2d 1268, 1270 (1995). A

claim in some respects similar to that here made was dismissed. The court relied, in part, on the

fact that the Baxter certificate of incorporation contained a provision as authorized by Section

102(b)(7) of the Delaware General Corporation Law, waiving director liability for due care violations.

Id. at 1270. That fact was thought to require pre-suit demand on the board in that case.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - -

In order to show that the Caremark directors breached their duty of care by failing adequately to

control Caremark's employees, plaintiffs would have to show either (1) that the directors knew or

(2) should have known that violations of law were occurring and, in either event, (3) that the

directors took no steps in a good faith effort to prevent or remedy that situation, and (4) that such

failure proximately resulted in the losses complained of, although under Cede & Co. v. Technicolor,

Inc., Del.Supr., 636 A.2d 956 (1994) this last element may be thought to constitute an affirmative

defense.

1. Knowing violation for statute: Concerning the possibility that the Caremark directors knew of

violations of law, none of the documents submitted for review, nor any of the deposition transcripts

appear to provide evidence of it. Certainly the Board understood that the company had entered into

a variety of contracts with physicians, researchers, and health care providers and it was understood

that some of these contracts were with persons who had prescribed treatments that Caremark

participated in providing. The board was informed that the company's reimbursement for patient care

was frequently from government funded sources and that such services were subject to the ARPL.

But the Board appears to have been informed by experts that the company's practices, while

contestable, were lawful. There is no evidence that reliance on such reports was not reasonable.

Thus, this case presents no occasion to apply a principle to the effect that knowingly causing the

corporation to violate a criminal statute constitutes a breach of a director's fiduciary duty. See Roth

v. Robertson, N.Y.Sup.Ct., 64 Misc. 343, 118 N.Y.S. 351 (1909); Miller v. American Tel. & Tel Co.,

507 F.2d 759 (3rd Cir. 1974). It is not clear that the Board knew the detail found, for example, in

the indictments arising from the Company's payments. But, of course, the duty to act in good faith

to be informed cannot be thought to require directors to possess detailed information about all

aspects of the operation of the enterprise. Such a requirement would simply be inconsistent with the

scale and scope of efficient organization size in this technological age.

2. Failure to monitor: Since it does appear that the Board was to some extent unaware of the

activities that led to liability, I turn to a consideration of the other potential avenue to director

liability that the pleadings take: director inattention or "negligence". Generally where a claim of

directorial liability for corporate loss is predicated upon ignorance of liability creating activities within


the corporation, as in Graham or in this case, in my opinion only a sustained or systematic failure of

the board to exercise oversight -- such as an utter failure to attempt to assure a reasonable

information and reporting system exists -- will establish the lack of good faith that is a necessary

condition to liability. Such a test of liability -- lack of good faith as evidenced by sustained or

systematic failure of a director to exercise reasonable oversight -- is quite high. But, a demanding

test of liability in the oversight context is probably beneficial to corporate shareholders as a class, as

it is in the board decision context, since it makes board service by qualified persons more likely,

while continuing to act as a stimulus to good faith performance of duty by such directors.

Here the record supplies essentially no evidence that the director defendants were guilty of a

sustained failure to exercise their oversight function. To the contrary, insofar as I am able to tell on

this record, the corporation's information systems appear to have represented a good faith attempt

to be informed of relevant facts. If the directors did not know the specifics of the activities that led

to the indictments, they cannot be faulted.

The liability that eventuated in this instance was huge. But the fact that it resulted from a violation

of criminal law alone does not create a breach of fiduciary duty by directors. The record at this stage

does not support the conclusion that the defendants either lacked good faith in the exercise of their

monitoring responsibilities or conscientiously permitted a known violation of law by the corporation to

occur. The claims asserted against them must be viewed at this stage as extremely weak.

B. The Consideration For Release of Claim

The proposed settlement provides very modest benefits. Under the settlement agreement, plaintiffs

have been given express assurances that Caremark will have a more centralized, active supervisory

system in the future. Specifically, the settlement mandates duties to be performed by the newly

named Compliance and Ethics Committee on an ongoing basis and increases the responsibility for

monitoring compliance with the law at the lower levels of management. In adopting the resolutions

required under the settlement, Caremark has further clarified its policies concerning the prohibition

of providing remuneration for referrals. These appear to be positive consequences of the settlement

of the claims brought by the plaintiffs, even if they are not highly significant. Nonetheless, given the

weakness of the plaintiffs' claims the proposed settlement appears to be an adequate, reasonable,

and beneficial outcome for all of the parties. Thus, the proposed settlement will be approved.

IV. ATTORNEYS' FEES

The various firms of lawyers involved for plaintiffs seek an award of $ 1,025,000 in attorneys' fees

and reimbursable expenses. n29 In awarding attorneys' fees, this Court considers an array of

relevant factors. E.g., In Re Beatrice Companies, Inc. Litigation, 1986 Del. Ch. LEXIS 414, C.A. No.

8248, Allen, C. (Apr. 16, 1986). Such factors include, most importantly, the financial value of the

benefit that the lawyers' work produced; the strength of the claims (because substantial settlement

value may sometimes be produced even though the litigation added little value -- i.e., perhaps any

lawyer could have settled this claim for this substantial value or more); the amount of complexity of

the legal services; the fee customarily charged for such services; and the contingent nature of the

undertaking.

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n29 Of the total requested amount, approximately $ 710,000 is designated as reimbursement for the

number of hours spent by the attorneys on the case, calculated at their normal billing rate, and $

53,000 for out-of-pocket expenses.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -


In this case no factor points to a substantial fee, other than the amount and sophistication of the

lawyer services required. There is only a modest substantive benefit produced; in the particular

circumstances of the government activity there was realistically a very slight contingency faced by

the attorneys at the time they expended time. The services rendered required a high degree of

sophistication and expertise. I am told that at normal hourly billing rates approximately $ 710,000 of

time was expended by the attorneys.

In these circumstances, I conclude that an award of a fee determined by reference to the time

expended at normal hourly rates plus a premium of 15% of that amount to reflect the limited degree

of real contingency in the undertaking, is fair. Thus I will award a fee of $ 816,000 plus $ 53,000 of

expenses advanced by counsel.

I am today entering an order consistent with the foregoing. n30

- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -

n30 The court has been informed by letter of counsel that after the fairness of the proposed

settlement had been submitted to the court, Caremark was involved in a merger in which its stock

was canceled and the holders of its stock became entitled to shares of stock of the acquiring

corporation. No party to this suit, or the surviving corporation, has sought to dismiss this case

thereafter on the basis that plaintiffs have lost standing to sue. As plaintiffs continue to have an

equity interest in the entity that owns the claims and more especially because no party has moved

for any modification of the procedural setting of the matter submitted, I conclude that any merger

that may have occurred is without effect on the decision of the motion or the judgment to be

entered.

- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -


IN THE SUPREME COURT OF THE STATE OF DELAWARE

WILLIAM STONE AND SANDRA STONE, derivatively on behalf of Nominal Defendant AmSOUTH BANCORPORATION,

Plaintiffs Below, Appellants,

v.

C. DOWD RITTER, RONALD L. KUEHN, JR., CLAUDE B. NIELSEN, JAMES R. MALONE, EARNEST W. DAVENPORT, JR., MARTHA R. INGRAM, CHARLES D. McCRARY, CLEOPHUS THOMAS, JR., RODNEY C. GILBERT, VICTORIA B. JACKSON, J. HAROLD CHANDLER, JAMES E. DALTON, ELMER B. HARRIS, BENJAMIN F. PAYTON, and JOHN N. PALMER,

Defendants Below, Appellees,

and

AmSOUTH BANCORPORATION,

Nominal Defendant Below, Appellee.

No. 93, 2006

Court Below – Court of Chancery of the State of Delaware, in and for New Castle County, C.A. No. 1570-N

Submitted: October 5, 2006

Decided: November 6, 2006

Before STEELE, Chief Justice, HOLLAND, BERGER, JACOBS, and RIDGELY, Justices (constituting the Court en Banc).


Upon appeal from the Court of Chancery. AFFIRMED.

Brian D. Long, Esquire (argued) and Seth D. Rigrodsky, Esquire, of Rigrodsky & Long, P.A., Wilmington, Delaware, for appellants.

Jesse A. Finkelstein, Esquire, Raymond J. DiCamillo, Esquire, and Lisa Zwally Brown, Esquire, of Richards, Layton & Finger, Wilmington, Delaware, David B. Tulchin, Esquire (argued), L. Wiesel, Esquire, and Jacob F. M. Oslick, Esquire, of Sullivan & Cromwell LLP, New York, New York, for appellees.

HOLLAND, Justice:


This is an appeal from a final judgment of the Court of Chancery

dismissing a derivative complaint against fifteen present and former

directors of AmSouth Bancorporation (“AmSouth”), a Delaware

corporation. The plaintiffs-appellants, William and Sandra Stone, are

AmSouth shareholders and filed their derivative complaint without making a

pre-suit demand on AmSouth’s board of directors (the “Board”). The Court

of Chancery held that the plaintiffs had failed to adequately plead that such a

demand would have been futile. The Court, therefore, dismissed the

derivative complaint under Court of Chancery Rule 23.1.

The Court of Chancery characterized the allegations in the derivative

complaint as a “classic Caremark claim,” a claim that derives its name from

In re Caremark Int’l Deriv. Litig.1 In Caremark, the Court of Chancery

recognized that: “[g]enerally where a claim of directorial liability for

corporate loss is predicated upon ignorance of liability creating activities

within the corporation . . . only a sustained or systematic failure of the board

to exercise oversight–such as an utter failure to attempt to assure a

1 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).


reasonable information and reporting system exists–will establish the lack of

good faith that is a necessary condition to liability.”2

In this appeal, the plaintiffs acknowledge that the directors neither

“knew [n]or should have known that violations of law were occurring,” i.e.,

that there were no “red flags” before the directors. Nevertheless, the

plaintiffs argue that the Court of Chancery erred by dismissing the derivative

complaint which alleged that “the defendants had utterly failed to implement

any sort of statutorily required monitoring, reporting or information controls

that would have enabled them to learn of problems requiring their attention.”

The defendants argue that the plaintiffs’ assertions are contradicted by the

derivative complaint itself and by the documents incorporated therein by

reference.

Consistent with our opinion in In re Walt Disney Co. Deriv. Litig., we

hold that Caremark articulates the necessary conditions for assessing

director oversight liability.3 We also conclude that the Caremark standard

was properly applied to evaluate the derivative complaint in this case.

Accordingly, the judgment of the Court of Chancery must be affirmed.

2 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 971; see also David B. Shaev Profit Sharing Acct. v. Armstrong, 2006 WL 391931, at *5 (Del. Ch.); Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003).

3 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).


Facts

This derivative action is brought on AmSouth’s behalf by William and

Sandra Stone, who allege that they owned AmSouth common stock “at all

relevant times.” The nominal defendant, AmSouth, is a Delaware

corporation with its principal executive offices in Birmingham, Alabama.

During the relevant period, AmSouth’s wholly-owned subsidiary, AmSouth

Bank, operated about 600 commercial banking branches in six states

throughout the southeastern United States and employed more than 11,600

people.

In 2004, AmSouth and AmSouth Bank paid $40 million in fines and

$10 million in civil penalties to resolve government and regulatory

investigations pertaining principally to the failure by bank employees to file

“Suspicious Activity Reports” (“SARs”), as required by the federal Bank

Secrecy Act (“BSA”)4 and various anti-money-laundering (“AML”)

regulations.5 Those investigations were conducted by the United States

4 31 U.S.C. § 5318 (2006) et seq. The Bank Secrecy Act and the regulations promulgated thereunder require banks to file with the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury known as “FinCEN,” a written “Suspicious Activity Report” (known as a “SAR”) whenever, inter alia, a banking transaction involves at least $5,000 “and the bank knows, suspects, or has reason to suspect” that, among other possibilities, the “transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities. . . .” 31 U.S.C. § 5318(g) (2006); 31 C.F.R. § 103.18(a)(2) (2006).

5 See, e.g., 31 C.F.R. § 103.18(a)(2) (2006).


Attorney’s Office for the Southern District of Mississippi (“USAO”), the

Federal Reserve, FinCEN and the Alabama Banking Department. No fines

or penalties were imposed on AmSouth’s directors, and no other regulatory

action was taken against them.

The government investigations arose originally from an unlawful

“Ponzi” scheme operated by Louis D. Hamric, II and Victor G. Nance. In

August 2000, Hamric, then a licensed attorney, and Nance, then a registered

investment advisor with Mutual of New York, contacted an AmSouth branch

bank in Tennessee to arrange for custodial trust accounts to be created for

“investors” in a “business venture.” That venture (Hamric and Nance

represented) involved the construction of medical clinics overseas. In

reality, Nance had convinced more than forty of his clients to invest in

promissory notes bearing high rates of return, by misrepresenting the nature

and the risk of that investment. Relying on similar misrepresentations by

Hamric and Nance, the AmSouth branch employees in Tennessee agreed to

provide custodial accounts for the investors and to distribute monthly

interest payments to each account upon receipt of a check from Hamric and

instructions from Nance.

The Hamric-Nance scheme was discovered in March 2002, when the

investors did not receive their monthly interest payments. Thereafter,


Hamric and Nance became the subject of several civil actions brought by the

defrauded investors in Tennessee and Mississippi (and in which AmSouth

also was named as a defendant), and also the subject of a federal grand jury

investigation in the Southern District of Mississippi. Hamric and Nance

were indicted on federal money-laundering charges, and both pled guilty.

The authorities examined AmSouth’s compliance with its reporting

and other obligations under the BSA. On November 17, 2003, the USAO

advised AmSouth that it was the subject of a criminal investigation. On

October 12, 2004, AmSouth and the USAO entered into a Deferred

Prosecution Agreement (“DPA”) in which AmSouth agreed: first, to the

filing by USAO of a one-count Information in the United States District

Court for the Southern District of Mississippi, charging AmSouth with

failing to file SARs; and second, to pay a $40 million fine. In conjunction

with the DPA, the USAO issued a “Statement of Facts,” which noted that

although in 2000 “at least one” AmSouth employee suspected that Hamric

was involved in a possibly illegal scheme, AmSouth failed to file SARs in a

timely manner. In neither the Statement of Facts nor anywhere else did the

USAO ascribe any blame to the Board or to any individual director.

On October 12, 2004, the Federal Reserve and the Alabama Banking

Department concurrently issued a Cease and Desist Order against AmSouth,


requiring it, for the first time, to improve its BSA/AML program. That

Cease and Desist Order required AmSouth to (among other things) engage

an independent consultant “to conduct a comprehensive review of the

Bank’s AML Compliance program and make recommendations, as

appropriate, for new policies and procedures to be implemented by the

Bank.” KPMG Forensic Services (“KPMG”) performed the role of

independent consultant and issued its report on December 10, 2004 (the

“KPMG Report”).

Also on October 12, 2004, FinCEN and the Federal Reserve jointly

assessed a $10 million civil penalty against AmSouth for operating an

inadequate anti-money-laundering program and for failing to file SARs. In

connection with that assessment, FinCEN issued a written Assessment of

Civil Money Penalty (the “Assessment”), which included detailed

“determinations” regarding AmSouth’s BSA compliance procedures.

FinCEN found that “AmSouth violated the suspicious activity reporting

requirements of the Bank Secrecy Act,” and that “[s]ince April 24, 2002,

AmSouth has been in violation of the anti-money-laundering program

requirements of the Bank Secrecy Act.” Among FinCEN’s specific

determinations were its conclusions that “AmSouth’s [AML compliance]

program lacked adequate board and management oversight,” and that


“reporting to management for the purposes of monitoring and oversight of

compliance activities was materially deficient.” AmSouth neither admitted

nor denied FinCEN’s determinations in this or any other forum.

Demand Futility and Director Independence

It is a fundamental principle of the Delaware General Corporation

Law that “[t]he business and affairs of every corporation organized under

this chapter shall be managed by or under the direction of a board of

directors . . . .”6 Thus, “by its very nature [a] derivative action impinges on

the managerial freedom of directors.”7 Therefore, the right of a stockholder

to prosecute a derivative suit is limited to situations where either the

stockholder has demanded the directors pursue a corporate claim and the

directors have wrongfully refused to do so, or where demand is excused

because the directors are incapable of making an impartial decision

regarding whether to institute such litigation.8 Court of Chancery Rule 23.1,

accordingly, requires that the complaint in a derivative action “allege with

particularity the efforts, if any, made by the plaintiff to obtain the action the

6 Del. Code Ann. tit. 8, § 141(a) (2006). See Rales v. Blasband, 634 A.2d 927, 932 (Del. 1993).

7 Pogostin v. Rice, 480 A.2d 619, 624 (Del. 1984).

8 Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984), overruled on other grounds by Brehm v. Eisner, 746 A.2d 244 (Del. 2000).


plaintiff desires from the directors [or] the reasons for the plaintiff’s failure

to obtain the action or for not making the effort.”9

In this appeal, the plaintiffs concede that “[t]he standards for

determining demand futility in the absence of a business decision” are set

forth in Rales v. Blasband.10 To excuse demand under Rales, “a court must

determine whether or not the particularized factual allegations of a

derivative stockholder complaint create a reasonable doubt that, as of the

time the complaint is filed, the board of directors could have properly

exercised its independent and disinterested business judgment in responding

to a demand.”11 The plaintiffs attempt to satisfy the Rales test in this

proceeding by asserting that the incumbent defendant directors “face a

substantial likelihood of liability” that renders them “personally interested in

the outcome of the decision on whether to pursue the claims asserted in the

complaint,” and are therefore not disinterested or independent.12

9 Ch. Ct. R. 23.1. Allegations of demand futility under Rule 23.1 “must comply with stringent requirements of factual particularity that differ substantially from the permissive notice pleadings governed solely by Chancery Rule 8(a).” Brehm v. Eisner, 746 A.2d at 254.

10 Rales v. Blasband, 634 A.2d 927 (Del. 1993).

11 Id. at 934.

12 The fifteen defendants include eight current and seven former directors. The complaint concedes that seven of the eight current directors are outside directors who have never been employed by AmSouth. One board member, C. Dowd Ritter, the Chairman, is an officer or employee of AmSouth.


Critical to this demand excused argument is the fact that the directors’

potential personal liability depends upon whether or not their conduct can be

exculpated by the section 102(b)(7) provision contained in the AmSouth

certificate of incorporation.13 Such a provision can exculpate directors from

monetary liability for a breach of the duty of care, but not for conduct that is

not in good faith or a breach of the duty of loyalty.14 The standard for

assessing a director’s potential personal liability for failing to act in good

faith in discharging his or her oversight responsibilities has evolved

beginning with our decision in Graham v. Allis-Chalmers Manufacturing

Company,15 through the Court of Chancery’s Caremark decision to our most

recent decision in Disney.16 A brief discussion of that evolution will help

illuminate the standard that we adopt in this case.

Graham and Caremark

Graham was a derivative action brought against the directors of Allis-

Chalmers for failure to prevent violations of federal anti-trust laws by Allis-

Chalmers employees. There was no claim that the Allis-Chalmers directors

knew of the employees’ conduct that resulted in the corporation’s liability.

Rather, the plaintiffs claimed that the Allis-Chalmers directors should have

13 Del. Code Ann. tit. 8, § 102(b)(7) (2006).

14 Id.; see In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).

15 Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125 (Del. 1963).

16 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).


known of the illegal conduct by the corporation’s employees. In Graham,

this Court held that “absent cause for suspicion there is no duty upon the

directors to install and operate a corporate system of espionage to ferret out

wrongdoing which they have no reason to suspect exists.”17

In Caremark, the Court of Chancery reassessed the applicability of

our holding in Graham when called upon to approve a settlement of a

derivative lawsuit brought against the directors of Caremark International,

Inc. The plaintiffs claimed that the Caremark directors should have known

that certain officers and employees of Caremark were involved in violations

of the federal Anti-Referral Payments Law. That law prohibits health care

providers from paying any form of remuneration to induce the referral of

Medicare or Medicaid patients. The plaintiffs claimed that the Caremark

directors breached their fiduciary duty for having “allowed a situation to

develop and continue which exposed the corporation to enormous legal

liability and that in so doing they violated a duty to be active monitors of

corporate performance.”18

In evaluating whether to approve the proposed settlement agreement in Caremark, the Court of Chancery narrowly construed our holding in Graham “as standing for the proposition that, absent grounds to suspect deception, neither corporate boards nor senior officers can be charged with wrongdoing simply for assuming the integrity of employees and the honesty of their dealings on the company’s behalf.”19 The Caremark Court opined it would be a “mistake” to interpret this Court’s decision in Graham to mean that:

corporate boards may satisfy their obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.20

17 Graham v. Allis-Chalmers Mfg. Co., 188 A.2d at 130 (emphasis added). 18 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).

To the contrary, the Caremark Court stated, “it is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”21 The Caremark Court recognized, however, that “the duty to act in good faith to be informed cannot be thought to require directors to possess detailed information about all aspects of the operation of the enterprise.”22 The Court of Chancery then formulated the following standard for assessing the liability of directors where the directors are unaware of employee misconduct that results in the corporation being held liable:

Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation, as in Graham or in this case, . . . only a sustained or systematic failure of the board to exercise oversight–such as an utter failure to attempt to assure a reasonable information and reporting system exists–will establish the lack of good faith that is a necessary condition to liability.23

19 Id. at 969. 20 Id. at 970. 21 Id.

Caremark Standard Approved

As evidenced by the language quoted above, the Caremark standard for so-called “oversight” liability draws heavily upon the concept of director failure to act in good faith. That is consistent with the definition(s) of bad faith recently approved by this Court in its recent Disney24 decision, where we held that a failure to act in good faith requires conduct that is qualitatively different from, and more culpable than, the conduct giving rise to a violation of the fiduciary duty of care (i.e., gross negligence).25 In Disney, we identified the following examples of conduct that would establish a failure to act in good faith:

A failure to act in good faith may be shown, for instance, where the fiduciary intentionally acts with a purpose other than that of advancing the best interests of the corporation, where the fiduciary acts with the intent to violate applicable positive law, or where the fiduciary intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for his duties. There may be other examples of bad faith yet to be proven or alleged, but these three are the most salient.26

22 Id. at 971. 23 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 971. 24 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006). 25 Id. at 66.

The third of these examples describes, and is fully consistent with, the lack of good faith conduct that the Caremark court held was a “necessary condition” for director oversight liability, i.e., “a sustained or systematic failure of the board to exercise oversight–such as an utter failure to attempt to assure a reasonable information and reporting system exists . . . .”27 Indeed, our opinion in Disney cited Caremark with approval for that proposition.28 Accordingly, the Court of Chancery applied the correct standard in assessing whether demand was excused in this case where failure to exercise oversight was the basis or theory of the plaintiffs’ claim for relief.

It is important, in this context, to clarify a doctrinal issue that is critical to understanding fiduciary liability under Caremark as we construe that case. The phraseology used in Caremark and that we employ here—describing the lack of good faith as a “necessary condition to liability”—is deliberate. The purpose of that formulation is to communicate that a failure to act in good faith is not conduct that results, ipso facto, in the direct imposition of fiduciary liability.29 The failure to act in good faith may result in liability because the requirement to act in good faith “is a subsidiary element[,]” i.e., a condition, “of the fundamental duty of loyalty.”30 It follows that because a showing of bad faith conduct, in the sense described in Disney and Caremark, is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.

26 Id. at 67. 27 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 971 (Del. Ch. 1996). 28 In re Walt Disney Co. Deriv. Litig., 906 A.2d at 67 n.111.

This view of a failure to act in good faith results in two additional doctrinal consequences. First, although good faith may be described colloquially as part of a “triad” of fiduciary duties that includes the duties of care and loyalty,31 the obligation to act in good faith does not establish an independent fiduciary duty that stands on the same footing as the duties of care and loyalty. Only the latter two duties, where violated, may directly result in liability, whereas a failure to act in good faith may do so, but indirectly. The second doctrinal consequence is that the fiduciary duty of loyalty is not limited to cases involving a financial or other cognizable fiduciary conflict of interest. It also encompasses cases where the fiduciary fails to act in good faith. As the Court of Chancery aptly put it in Guttman, “[a] director cannot act loyally towards the corporation unless she acts in the good faith belief that her actions are in the corporation’s best interest.”32

29 That issue, whether a violation of the duty to act in good faith is a basis for the direct imposition of liability, was expressly left open in Disney. 906 A.2d at 67 n.112. We address that issue here. 30 Guttman v. Huang, 823 A.2d 492, 506 n.34 (Del. Ch. 2003). 31 See Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 361 (Del. 1993).

We hold that Caremark articulates the necessary conditions predicate for director oversight liability: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations.33 Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities,34 they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.35

32 Guttman v. Huang, 823 A.2d 492, 506 n.34 (Del. Ch. 2003). 33 Id. at 506. 34 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 67 (Del. 2006). 35 See Guttman v. Huang, 823 A.2d at 506.

Chancery Court Decision

The plaintiffs contend that demand is excused under Rule 23.1 because AmSouth’s directors breached their oversight duty and, as a result, face a “substantial likelihood of liability” as a result of their “utter failure” to act in good faith to put into place policies and procedures to ensure compliance with BSA and AML obligations. The Court of Chancery found that the plaintiffs did not plead the existence of “red flags” – “facts showing that the board ever was aware that AmSouth’s internal controls were inadequate, that these inadequacies would result in illegal activity, and that the board chose to do nothing about problems it allegedly knew existed.” In dismissing the derivative complaint in this action, the Court of Chancery concluded:

This case is not about a board’s failure to carefully consider a material corporate decision that was presented to the board. This is a case where information was not reaching the board because of ineffective internal controls. . . . With the benefit of hindsight, it is beyond question that AmSouth’s internal controls with respect to the Bank Secrecy Act and anti-money laundering regulations compliance were inadequate. Neither party disputes that the lack of internal controls resulted in a huge fine--$50 million, alleged to be the largest ever of its kind. The fact of those losses, however, is not alone enough for a court to conclude that a majority of the corporation’s board of directors is disqualified from considering demand that AmSouth bring suit against those responsible.36

36 Stone v. Ritter, C.A. No. 1570-N (Del. Ch. 2006) (Letter Opinion).

This Court reviews de novo a Court of Chancery’s decision to dismiss a derivative suit under Rule 23.1.37

Reasonable Reporting System Existed

The KPMG Report evaluated the various components of AmSouth’s longstanding BSA/AML compliance program. The KPMG Report reflects that AmSouth’s Board dedicated considerable resources to the BSA/AML compliance program and put into place numerous procedures and systems to attempt to ensure compliance. According to KPMG, the program’s various components exhibited between a low and high degree of compliance with applicable laws and regulations.

The KPMG Report describes the numerous AmSouth employees, departments and committees established by the Board to oversee AmSouth’s compliance with the BSA and to report violations to management and the Board:

BSA Officer. Since 1998, AmSouth has had a “BSA Officer” “responsible for all BSA/AML-related matters including employee training, general communications, CTR reporting and SAR reporting,” and “presenting AML policy and program changes to the Board of Directors, the managers at the various lines of business, and participants in the annual training of security and audit personnel[;]”

BSA/AML Compliance Department. AmSouth has had for years a BSA/AML Compliance Department, headed by the BSA Officer and comprised of nineteen professionals, including a BSA/AML Compliance Manager and a Compliance Reporting Manager;

Corporate Security Department. AmSouth’s Corporate Security Department has been at all relevant times responsible for the detection and reporting of suspicious activity as it relates to fraudulent activity, and William Burch, the head of Corporate Security, has been with AmSouth since 1998 and served in the U.S. Secret Service from 1969 to 1998; and

Suspicious Activity Oversight Committee. Since 2001, the “Suspicious Activity Oversight Committee” and its predecessor, the “AML Committee,” have actively overseen AmSouth’s BSA/AML compliance program. The Suspicious Activity Oversight Committee’s mission has for years been to “oversee the policy, procedure, and process issues affecting the Corporate Security and BSA/AML Compliance Programs, to ensure that an effective program exists at AmSouth to deter, detect, and report money laundering, suspicious activity and other fraudulent activity.”

37 Beam ex rel. Martha Stewart Living Omnimedia Inc. v. Stewart, 845 A.2d 1040, 1048 (Del. 2004).

The KPMG Report reflects that the directors not only discharged their oversight responsibility to establish an information and reporting system, but also proved that the system was designed to permit the directors to periodically monitor AmSouth’s compliance with BSA and AML regulations. For example, as KPMG noted in 2004, AmSouth’s designated BSA Officer “has made annual high-level presentations to the Board of Directors in each of the last five years.” Further, the Board’s Audit and Community Responsibility Committee (the “Audit Committee”) oversaw AmSouth’s BSA/AML compliance program on a quarterly basis. The KPMG Report states that “the BSA Officer presents BSA/AML training to the Board of Directors annually,” and the “Corporate Security training is also presented to the Board of Directors.”

The KPMG Report shows that AmSouth’s Board at various times enacted written policies and procedures designed to ensure compliance with the BSA and AML regulations. For example, the Board adopted an amended bank-wide “BSA/AML Policy” on July 17, 2003–four months before AmSouth became aware that it was the target of a government investigation. That policy was produced to plaintiffs in response to their demand to inspect AmSouth’s books and records pursuant to section 22038 and is included in plaintiffs’ appendix. Among other things, the July 17, 2003, BSA/AML Policy directs all AmSouth employees to immediately report suspicious transactions or activity to the BSA/AML Compliance Department or Corporate Security.

Complaint Properly Dismissed

In this case, the adequacy of the plaintiffs’ assertion that demand is excused depends on whether the complaint alleges facts sufficient to show that the defendant directors are potentially personally liable for the failure of non-director bank employees to file SARs. Delaware courts have recognized that “[m]ost of the decisions that a corporation, acting through its human agents, makes are, of course, not the subject of director attention.”39 Consequently, a claim that directors are subject to personal liability for employee failures is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”40

38 Del. Code Ann. tit. 8, § 220 (2006).

For the plaintiffs’ derivative complaint to withstand a motion to dismiss, “only a sustained or systematic failure of the board to exercise oversight–such as an utter failure to attempt to assure a reasonable information and reporting system exists–will establish the lack of good faith that is a necessary condition to liability.”41 As the Caremark decision noted:

Such a test of liability–lack of good faith as evidenced by sustained or systematic failure of a director to exercise reasonable oversight–is quite high. But, a demanding test of liability in the oversight context is probably beneficial to corporate shareholders as a class, as it is in the board decision context, since it makes board service by qualified persons more likely, while continuing to act as a stimulus to good faith performance of duty by such directors.42

The KPMG Report–which the plaintiffs explicitly incorporated by reference into their derivative complaint–refutes the assertion that the directors “never took the necessary steps . . . to ensure that a reasonable BSA compliance and reporting system existed.” KPMG’s findings reflect that the Board received and approved relevant policies and procedures, delegated to certain employees and departments the responsibility for filing SARs and monitoring compliance, and exercised oversight by relying on periodic reports from them. Although there ultimately may have been failures by employees to report deficiencies to the Board, there is no basis for an oversight claim seeking to hold the directors personally liable for such failures by the employees.

39 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 968. 40 Id. at 967. 41 Id. at 971. 42 Id. (emphasis in original).

With the benefit of hindsight, the plaintiffs’ complaint seeks to equate a bad outcome with bad faith. The lacuna in the plaintiffs’ argument is a failure to recognize that the directors’ good faith exercise of oversight responsibility may not invariably prevent employees from violating criminal laws, or from causing the corporation to incur significant financial liability, or both, as occurred in Graham, Caremark and this very case. In the absence of red flags, good faith in the context of oversight must be measured by the directors’ actions “to assure a reasonable information and reporting system exists” and not by second-guessing after the occurrence of employee conduct that results in an unintended adverse outcome.43 Accordingly, we hold that the Court of Chancery properly applied Caremark and dismissed the plaintiffs’ derivative complaint for failure to excuse demand by alleging particularized facts that created reason to doubt whether the directors had acted in good faith in exercising their oversight responsibilities.

43 Id. at 967-68, 971.

Conclusion

The judgment of the Court of Chancery is affirmed.

IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE

IN RE CITIGROUP INC. SHAREHOLDER DERIVATIVE LITIGATION

Civil Action No. 3338-CC

OPINION

Date Submitted: January 28, 2009 Date Decided: February 24, 2009

Pamela S. Tikellis, Meghan A. Adams, and Tiffany J. Cramer, of CHIMICLES & TIKELLIS LLP, Wilmington, Delaware; OF COUNSEL: Marvin A. Miller, of MILLER LAW LLC, Chicago, Illinois; Daniel W. Krasner, Peter C. Harrar, and Matthew M. Guiney, of WOLF HALDENSTEIN ADLER FREEMAN & HERZ LLP, New York, New York, Attorneys for Plaintiffs.

Gregory P. Williams and John D. Hendershot, of RICHARDS, LAYTON & FINGER, P.A., Wilmington, Delaware, Attorneys for Defendants and Nominal Defendant Citigroup Inc.

Brad S. Karp, Richard A. Rosen, and Susanna M. Buergel, of PAUL, WEISS, RIFKIND, WHARTON & GARRISON LLP, New York, New York, Attorneys for Defendants Charles Prince, Winfried Bischoff, Robert E. Rubin, David C. Bushnell, John C. Gerspach, Lewis B. Kaden, Sallie L. Krawcheck, and Gary Crittenden.

Robert D. Joffe and Richard W. Clary, of CRAVATH, SWAINE & MOORE LLP, New York, New York, Attorneys for Defendants C. Michael Armstrong, Alain J.P. Belda, George David, Kenneth T. Derr, John M. Deutch, Roberto Hernández Ramirez, Andrew N. Liveris, Anne M. Mulcahy, Richard D. Parsons, Judith Rodin, Robert L. Ryan, Franklin A. Thomas, Ann Dibble Jordan, Klaus Kleinfeld, and Dudley C. Mecum.

EFiled: Feb 24 2009 3:05PM EST

Transaction ID 23919905

Case No. 3338-CC

Lawrence B. Pedowitz, George T. Conway III, Jonathan M. Moses, and John F. Lynch, of WACHTELL, LIPTON, ROSEN & KATZ, New York, New York, Attorneys for Nominal Defendant Citigroup Inc.

CHANDLER, Chancellor

This is a shareholder derivative action brought on behalf of Citigroup Inc. (“Citigroup” or the “Company”), seeking to recover for the Company its losses arising from exposure to the subprime lending market. Plaintiffs, shareholders of Citigroup, brought this action against current and former directors and officers of Citigroup, alleging, in essence, that the defendants breached their fiduciary duties by failing to properly monitor and manage the risks the Company faced from problems in the subprime lending market and for failing to properly disclose Citigroup’s exposure to subprime assets. Plaintiffs allege that there were extensive “red flags” that should have given defendants notice of the problems that were brewing in the real estate and credit markets and that defendants ignored these warnings in the pursuit of short term profits and at the expense of the Company’s long term viability.

Plaintiffs further allege that certain defendants are liable to the Company for corporate waste for (1) allowing the Company to purchase $2.7 billion in subprime loans from Accredited Home Lenders in March 2007 and from Ameriquest Home Mortgage in September 2007; (2) authorizing and not suspending the Company’s share repurchase program in the first quarter of 2007, which allegedly resulted in the Company buying its own shares at “artificially inflated prices;” (3) approving a multi-million dollar payment and benefit package for defendant Charles Prince, whom plaintiffs describe as largely responsible for Citigroup’s problems, upon his retirement as Citigroup’s CEO in November 2007; and (4) allowing the Company to invest in structured investment vehicles (“SIVs”) that were unable to pay off maturing debt.

Pending before the Court is defendants’ motion (1) to dismiss or stay the action in favor of an action pending in the Southern District of New York (the “New York Action”) or (2) to dismiss the complaint for failure to state a claim under Court of Chancery Rule 12(b)(6) and for failure to properly plead demand futility under Court of Chancery Rule 23.1. For the reasons set forth below, the motion to stay or dismiss in favor of the New York Action is denied. The motion to dismiss is denied as to the claim in Count III for waste for approval of the November 4, 2007 Prince letter agreement. All other claims are dismissed for failure to adequately plead demand futility pursuant to Rule 23.1.

I. BACKGROUND

A. The Parties

Citigroup is a global financial services company whose businesses provide a broad range of financial services to consumers and businesses. Citigroup was incorporated in Delaware in 1988 and maintains its principal executive offices in New York, New York.

Defendants in this action are current and former directors and officers of Citigroup. The complaint names thirteen members of the Citigroup board of directors on November 9, 2007, when the first of plaintiffs’ now-consolidated derivative actions was filed.1 Plaintiffs allege that a majority of the director defendants were members of the Audit and Risk Management Committee (“ARM Committee”) in 2007 and were considered audit committee financial experts as defined by the Securities and Exchange Commission.

Plaintiffs Montgomery County Employees’ Retirement Fund, City of New Orleans Employees’ Retirement System, Sheldon M. Pekin Irrevocable Descendants Trust Dated 10/01/01, and Carole Kops are all owners of shares of Citigroup stock.

B. Citigroup’s Exposure to the Subprime Crisis

Plaintiffs allege that since as early as 2006, defendants have caused and allowed Citigroup to engage in subprime lending2 that ultimately left the Company exposed to massive losses by late 2007.3 Beginning in late 2005, house prices, which many believe were artificially inflated by speculation and easily available credit, began to plateau, and then deflate. Adjustable rate mortgages issued earlier in the decade began to reset, leaving many homeowners with significantly increased monthly payments. Defaults and foreclosures increased, and assets backed by income from residential mortgages began to decrease in value. By February 2007, subprime mortgage lenders began filing for bankruptcy and subprime mortgages packaged into securities began experiencing increasing levels of delinquency. In mid-2007, rating agencies downgraded bonds backed by subprime mortgages.

1 The director defendants are C. Michael Armstrong, Alain J.P. Belda, George David, Kenneth T. Derr, John M. Deutch, Andrew N. Liveris, Anne M. Mulcahy, Richard D. Parsons, Roberto Hernández Ramirez, Judith Rodin, Robert E. Rubin, Robert L. Ryan, and Franklin A. Thomas (collectively, the “director defendants”). Plaintiffs and defendants agree that the director defendants constitute the board for demand futility purposes. The complaint also names (1) former Citigroup directors Ann Dibble Jordan, Klaus Kleinfeld, and Dudley C. Mecum and (2) former and current officers and senior management of Citigroup Charles Prince, Winfried Bischoff, David C. Bushnell, Gary Crittenden, John C. Gerspach, Lewis B. Kaden, and Sallie L. Krawcheck. 2 “Subprime” generally refers to borrowers who do not qualify for prime interest rates, typically due to weak credit histories, low credit scores, high debt-burden ratios, or high loan-to-value ratios. 3 The facts are drawn from the complaint and taken as true for purposes of the motion to dismiss.

Much of Citigroup’s exposure to the subprime lending market arose from its involvement with collateralized debt obligations (“CDOs”)—repackaged pools of lower rated securities that Citigroup created by acquiring asset-backed securities, including residential mortgage backed securities (“RMBSs”),4 and then selling rights to the cash flows from the securities in classes, or tranches, with different levels of risk and return. Included with at least some of the CDOs created by Citigroup was a “liquidity put”—an option that allowed the purchasers of the CDOs to sell them back to Citigroup at original value.

According to plaintiffs, Citigroup’s alleged $55 billion subprime exposure was in two areas of the Company’s Securities & Banking Unit. The first portion totaled $11.7 billion and included securities tied to subprime loans that were being held until they could be added to debt pools for investors. The second portion included $43 billion of super-senior securities, which are portions of CDOs backed in part by RMBS collateral.5

4 RMBSs are securities whose cash flows come from residential debt such as mortgages.

By late 2007, it was apparent that Citigroup faced significant losses on its subprime-related assets, including the following as alleged by plaintiffs:

October 1, 2007: Citigroup announced it would write-down approximately $1.4 billion on funded and unfunded highly leveraged finance commitments.

October 15, 2007: Citigroup issued a press release reporting a net income of $2.38 billion, a 57% decline from the Company’s prior year results.

November 4, 2007: Citigroup announced significant declines on the fair value of the approximately $55 billion in the Company’s U.S. subprime-related direct exposures, and estimated that further write downs would be between $8 and $11 billion.

November 6, 2007: Citigroup disclosed that it provided $7.6 billion of emergency financing to the seven SIVs the Company operated after they were unable to repay maturing debt. The SIVs drew on the $10 billion of so-called committed liquidity provided by Citigroup. On December 13, 2007 Citigroup bailed out seven of its affiliated SIVs by bringing $49 billion in assets onto its balance sheet and taking full responsibility for the SIVs’ $49 billion worth of assets.

January 15, 2008: Citigroup announced it would take an additional $18.1 billion write-down for the fourth quarter 2007 and a quarterly loss of $9.83 billion. Citigroup also announced that the Company lowered its dividend to $0.32 per share, a 40% decline from the Company’s previous dividend disbursement.

By March 2008, Citigroup shares traded below book value and the Company announced that it would lay off an additional 2,000 employees, bringing Citigroup’s total layoff since the beginning of the subprime market crisis to more than 6,000.

July 18, 2008: Citigroup announced it lost $2.5 billion in the second quarter, largely caused by $7.2 billion of write-downs of Citigroup’s investments in mortgages and other loans and by weakness in the consumer market.

5 Rights to cash flows from CDOs are divided into tranches rated by credit risk, whereby the senior tranches are paid before the junior tranches.

Plaintiffs also allege that Citigroup was exposed to the subprime mortgage market through its use of SIVs. Banks can create SIVs by borrowing cash (by selling commercial paper) and using the proceeds to purchase loans; in other words, the SIVs sell short term debt and buy longer-term, higher yielding assets. According to plaintiffs, Citigroup’s SIVs invested in riskier assets, such as home equity loans, rather than the low-risk assets traditionally used by SIVs.

The problems in the subprime market left Citigroup’s SIVs unable to pay their investors. The SIVs held subprime mortgages that had decreased in value, and the normally liquid commercial paper market became illiquid. Because the SIVs could no longer meet their cash needs by attracting new investors, they had to sell assets at allegedly “fire sale” prices. In November 2007, Citigroup disclosed that it provided $7.6 billion of emergency financing to the seven SIVs the Company operated after they were unable to repay maturing debt. Ultimately, Citigroup was forced to bail out seven of its affiliated SIVs by bringing $49 billion in assets onto its balance sheet, notwithstanding that Citigroup previously represented that it would manage the SIVs on an arms-length basis.

C. Plaintiffs’ Claims

Plaintiffs allege that defendants are liable to the Company for breach of fiduciary duty for (1) failing to adequately oversee and manage Citigroup’s exposure to the problems in the subprime mortgage market, even in the face of alleged “red flags” and (2) failing to ensure that the Company’s financial reporting and other disclosures were thorough and accurate.6 As will be more fully explained below, the “red flags” alleged in the eighty-six page Complaint are generally statements from public documents that reflect worsening conditions in the financial markets, including the subprime and credit markets, and the effects those worsening conditions had on market participants, including Citigroup’s peers. By way of example only, plaintiffs’ “red flags” include the following:

May 27, 2005: Economist Paul Krugman of the New York Times said he saw “signs that America’s housing market, like the stock market at the end of the last decade, is approaching the final, feverish stages of a speculative bubble.”

May 2006: Ameriquest Mortgage, one of the United States’ leading wholesale subprime lenders, announced the closing of each of its 229 retail offices and reduction of 3,800 employees.

February 12, 2007: ResMae Mortgage, a subprime lender, filed for bankruptcy. According to Bloomberg, in its Chapter 11 filing, ResMae stated that “[t]he subprime mortgage market has recently been crippled and a number of companies stopped originating loans and United States housing sales have slowed and defaults by borrowers have risen.”

April 18, 2007: Freddie Mac announced plans to refinance up to $20 billion of loans held by subprime borrowers who would be unable to afford their adjustable-rate mortgages at the reset rate.

July 10, 2007: Standard and Poor’s and Moody’s downgraded bonds backed by subprime mortgages.

August 1, 2007: Two hedge funds managed by Bear Stearns that invested heavily in subprime mortgages declared bankruptcy.

August 9, 2007: American International Group, one of the largest United States mortgage lenders, warned that mortgage defaults were spreading beyond the subprime sector, with delinquencies becoming more common among borrowers in the category just above subprime.

October 18, 2007: Standard & Poor’s cut the credit ratings on $23.35 billion of securities backed by pools of home loans that were offered to borrowers during the first half of the year. The downgrades even hit securities rated AAA, which was the highest of the ten investment-grade ratings and the rating of government debt.7

6 Plaintiffs also assert a claim for “reckless and gross mismanagement.” Consol. Second Am. Derivative Compl. (hereinafter, “Compl.”) ¶¶ 219-25. Delaware law does not recognize an independent cause of action against corporate directors and officers for reckless and gross mismanagement; such claims are treated as claims for breach of fiduciary duty. Delaware fiduciary duties are based in common law and have been carefully crafted to define the responsibilities of directors and managers, as fiduciaries, to the corporation. In defining these duties, the courts balance specific policy considerations such as the need to keep directors and officers accountable to shareholders and the degree to which the threat of personal liability may discourage beneficial risk taking. These common law standards thus govern the duties that directors and officers owe the corporation as well as claims such as those for “reckless and gross mismanagement,” even if those claims are asserted separate and apart from claims of breach of fiduciary duty. See Metro Commc’n Corp. BVI v. Advanced Mobilecomm Techs. Inc., 854 A.2d 121, 155-57 (Del. Ch. 2004); Albert v. Alex. Brown Mgmt. Servs., Inc., 2004 WL 2050527, at *6 (Del. Super. Sept. 15, 2004) (“[A] claim that a corporate manager acted with gross negligence is the same as a claim that she breached her fiduciary duty of care.”). Plaintiffs seem to agree that Count IV’s claims for “reckless and gross mismanagement” do not assert a separate cause of action against defendants. In the two sentences of their answering brief on the motion to dismiss that address Count IV, plaintiffs equate Count IV to their Caremark claim in Count I. Because I find that Count I fails, it follows that Count IV also fails.

Plaintiffs also allege that the director defendants and certain other defendants are liable to the Company for waste for: (1) allowing the Company to purchase $2.7 billion in subprime loans from Accredited Home Lenders in March 2007 and from Ameriquest Home Mortgage in September 2007; (2) authorizing and not suspending the Company’s share repurchase program in the first quarter of 2007, which allegedly resulted in the Company buying its own shares at “artificially inflated prices;” (3) approving a multi-million dollar payment and benefit package for defendant Prince upon his retirement as Citigroup’s CEO in November 2007; and (4) allowing the Company to invest in SIVs that were unable to pay off maturing debt.

D. The Procedural History

1. The New York Action

The first New York Action was filed on November 6, 2007 in the United States District Court for the Southern District of New York. On August 22, 2008, the five pending derivative actions were consolidated as In re Citigroup, Inc. Shareholder Derivative Litigation, No 07 Civ. 9841, and on September 23, 2008, the Court appointed lead counsel and lead plaintiffs. Plaintiffs filed a consolidated complaint on November 10, 2008, alleging: (1) violation of the Securities Exchange Act of 1934 (“Exchange Act”) § 10(b) and Rule 10b-5 (derivatively on behalf of Citigroup); (2) breach of fiduciary duties of care, loyalty, and good faith; (3) breach of fiduciary duty for insider trading and misappropriation of information; (4) breach of fiduciary duty of disclosure; (5) waste of corporate assets; and (6) unjust enrichment. Defendants filed a motion to dismiss on December 23, 2008, and pursuant to the schedule set by the Federal District Court, the motion to dismiss the New York Action will be fully briefed by late February 2009.

7 Compl. ¶¶ 73-74. I have provided only a small sample of the numerous “red flags” alleged in the Complaint.

2. The Delaware Action

This action was commenced on November 9, 2007, and the four pending actions were consolidated on February 5, 2008. Defendants filed a motion to dismiss the Consolidated Amended Derivative Complaint on April 21, 2008. Plaintiffs responded by filing a Consolidated Second Amended Derivative Complaint (the “Complaint”), which was accepted by the Court on September 15, 2008. Pending before the Court is defendants’ motion to dismiss or stay.

II. MOTION TO DISMISS OR STAY IN FAVOR OF THE NEW YORK ACTION

A. Legal Standard

Defendants seek a stay of this action in favor of the New York Action. Under McWane, this Court may, in the exercise of its discretion, stay an action “when there is a prior action pending elsewhere, in a court capable of doing prompt and complete justice, involving the same parties and the same issues.”8 Such discretion allows the Court, for reasons of comity and the fair and orderly administration of justice, to ensure that a plaintiff’s choice of forum is not defeated and to properly confine litigation to the forum in which it is first commenced.9 Where, however, the actions are contemporaneously filed such that the action pending elsewhere is not considered “first-filed,” the Court will consider the motion “under the traditional forum non conveniens framework without regard to a McWane-type preference of one action over the other.”10 Where, as here, the actions were filed within the same general time frame, the Court considers the actions simultaneously filed so as to avoid a “race to the courthouse.”11 Because the actions were filed only a few days apart, I consider them contemporaneous.12

8 McWane Cast Iron Pipe Corp. v. McDowell-Wellman Eng’g Co., 263 A.2d 281, 283 (Del. 1970).

9 See id.

10 In re The Bear Stearns Cos. S’holder Litig., C.A. No. 3643-VCP, 2008 WL 959992, at *5 (Del. Ch. Apr. 9, 2008) (quoting Rapoport v. The Litig. Trust of MDIP Inc., C.A. No. 1035-N, 2005 WL 3277911, at *2 (Del. Ch. Nov. 23, 2005)); see County of York Employees Ret. Plan v. Merrill Lynch & Co., C.A. No. 4066-VCN, 2008 WL 4824053, at *3 (Del. Ch. Oct. 28, 2008).

11 Merrill Lynch, 2008 WL 4824053, at *3 (citing Texas Instruments Inc. v. Cyrix Corp., C.A. No. 13288, 1994 WL 96983, at *3-4 (Del. Ch. Mar. 22, 1994)).

12 Bear Stearns, 2008 WL 959992, at *5 (treating actions filed three days apart as contemporaneous). The parties agree that the New York Action was first commenced on November 6, 2007. Plaintiffs assert that this action was first commenced on November 7, 2007—meaning it was filed the day after the New York Action. The Court’s records, however, indicate that this action was first commenced on November 9, 2007. Even assuming the November 9, 2007 filing, however, I still consider the actions contemporaneously filed.

Additionally, even where there is a first filed derivative or class action, this Court has recognized the difficulty presented by the McWane doctrine. A shareholder plaintiff in a derivative suit alleges claims in the right of the corporation rather than directly; thus, representative actions raise the concern that the best interest of the class might diverge from the best interest of the representative plaintiff’s attorneys. To avoid exacerbating this potential conflict, the Court gives less weight to the first filed status of a lawsuit, and instead “will examine more closely the relevant factors bearing on where the case should best proceed, using something akin to a forum non conveniens analysis.”13 I turn now to the forum non conveniens standard.

When assessing whether to stay or dismiss an action under the doctrine of forum non conveniens this Court considers six factors:

1) the applicability of Delaware law in the action; 2) the relative ease of access to proof; 3) the availability of compulsory process for witnesses; 4) the pendency or non-pendency of any similar actions in other jurisdictions; 5) the possibility of a need to view the premises; and 6) all other practical considerations which would serve to make the trial easy, expeditious and inexpensive.14

13 Biondi v. Scrushy, 820 A.2d 1148, 1159 & n.22 (Del. Ch. 2003) (“Where one person seeking to act in a representative capacity chooses to litigate in Delaware and another in a different forum, there is little reason to accord decisive weight to the priority of filing, at least where no prejudicial delay has occurred. Other factors bearing on the convenience of the parties and the interests of Delaware in resolving the dispute will be more important.”). See Ryan v. Gifford, 918 A.2d 341, 349 (Del. Ch. 2007).

14 In re Chambers Dev. Co. S’holders Litig., C.A. No. 12508, 1993 WL 179335, at *2 (Del. Ch. May 20, 1993).

A party is not entitled to a stay as a matter of right; rather, the granting of a motion to stay rests with the sound discretion of the Court. This Court is rightfully hesitant to grant motions to stay based on forum non conveniens, and the doctrine is not a vehicle by which the Court should determine which forum would be most convenient for the parties.15 Rather, a defendant bears the burden of showing entitlement to a stay or dismissal on grounds of forum non conveniens: in a case where a stay will likely have substantially the same effect as a dismissal, the defendant must show that one or more of the factors, either separately or together, would subject the defendant to sufficient hardship to warrant staying the proceedings.16

15 See Taylor v. LSI Logic Corp., 689 A.2d 1196, 1199 (Del. 1997) (“An action may not be dismissed upon bare allegations of inconvenience without a particularized showing of the hardships relied upon.”).

16 Bear Stearns, 2008 WL 959992, at *5 (“Motions to stay litigation on grounds of forum non conveniens are granted only in the rare case.”); Aveta, Inc. v. Colon, 942 A.2d 603, 608 (Del. Ch. 2008) (“[T]o achieve a stay or dismissal for forum non conveniens, a defendant must demonstrate that litigating in the plaintiff’s chosen forum would present an overwhelming hardship.”); Ryan, 918 A.2d at 351 (citing Berger v. Intelident Solutions, Inc., 906 A.2d 134 (Del. 2006)). I am aware of the so-called debate as to whether there exists a different standard for staying, rather than dismissing, litigation on forum non conveniens grounds. See Kolber v. Holyoke Shares, Inc., 213 A.2d 444, 446-47 (Del. 1965); Sprint Nextel Corp. v. iPCS, Inc., C.A. No. 3746-VCP, 2008 WL 4516645, at *2 n.8 (Del. Ch. Oct. 8, 2008); Bear Stearns, 2008 WL 959992, at *5 n.22; Brandin v. Deason, 941 A.2d 1020, 1024 n.13 (Del. Ch. 2007); HFTP Invs. v. ARIAD Pharm., Inc., 752 A.2d 115, 121 (Del. Ch. 1999). I see no reason, however, to make such a distinction in a case in which a stay would likely have the same ultimate effect as a dismissal. This Court has clearly articulated the policy justifications for requiring a showing of overwhelming hardship in order to dismiss on grounds of forum non conveniens, for example, (1) the plaintiff’s interest in litigating in the chosen forum, (2) Delaware’s interest in deciding issues of Delaware law, and (3) Delaware’s interest in adjudicating disputes involving Delaware entities. See, e.g., In re Topps Co. S’holders Litig., 924 A.2d 951, 956-64 (Del. Ch. 2007). Those same policy justifications apply when the Court is considering a motion to stay on grounds of forum non conveniens that would have the same practical effect as dismissal. While there are certainly significant procedural differences, in many cases the practical effect of staying litigation in favor of a lawsuit pending in another jurisdiction is the same as ordering dismissal. A stay in favor of another action results in the action in Delaware being put on hold until the resolution of the action in another jurisdiction, at which point principles of res judicata would likely apply. In light of this practical consideration, this Court must defer to the doctrine of the Supreme Court of this State, and the policy considerations underlying such doctrine, and should be extremely chary about disposing of cases on grounds of forum non conveniens, either by granting dismissal or a stay. See, e.g., Candlewood Timber Group, LLC v. Pan Am. Energy, LLC, 859 A.2d 989, 998 (Del. 2004); Mar-Land Indus. Contractors, Inc. v. Caribbean Petroleum Ref., L.P., 777 A.2d 774, 777-778 (Del. 2001). To do otherwise would allow and encourage defendants to move this Court for a stay, rather than a dismissal, and thereby achieve the same result without the showing of hardship articulated by the Supreme Court.

B. Forum Non Conveniens Analysis

Although there may be some overlap with the New York Action, defendants have failed to meet their burden of showing hardship that would entitle them to a stay or dismissal in favor of the New York Action.17 First, Delaware law applies to this action. Citigroup is incorporated in Delaware, and the fiduciary duties owed by its officers and directors are governed by Delaware law. Defendants argue that this case does not pose novel issues of Delaware law and only calls for application of the established doctrines governing Caremark and waste claims to the facts in this case. Of course, the contextual application of Delaware fiduciary duty law is not novel. This case, however, raises important issues regarding the standards governing directors and officers of Delaware corporations, and Delaware has an ongoing interest in applying our law to director conduct in the context of current market conditions—conditions which change rapidly and pose new challenges for directors and officers of Delaware corporations.18

17 Alternatively, even if the Court were to apply a preponderance of the evidence standard rather than requiring a showing of hardship, this case would still not warrant a stay. As in Merrill Lynch, “nothing in the forum non conveniens analysis offers any persuasive reason for rejecting the Plaintiff’s choice of forum for the bringing of its claims.” Merrill Lynch, 2008 WL 4824053, at *4.

Second, the relative ease of access to proof should not be accorded much weight in this case. Although access to proof may be marginally easier in New York, collecting evidence from other jurisdictions is regularly handled with ease in this Court.19

Third, the availability of compulsory process for witnesses should not be given much weight in this case. Although witnesses may be located in New York, “the process of issuing commissions to take discovery in another state is efficient, effective, and routinely accomplished.”20 Defendants have failed to identify documents or witnesses that will be unavailable if litigation continues in Delaware.

Fourth, although there is an action pending in New York that arises out of the same nucleus of operative fact, the pendency of such action does not give rise to the hardship required to establish entitlement to a stay. Although some overlap may result, the pendency of a similar action in another jurisdiction regarding corporate governance issues under Delaware law does not necessarily override the interest of Delaware in resolving such claims. Defendants argue that a stay should be granted because the New York Court is the only court capable of granting complete relief because the New York Action includes claims that can only be adjudicated in federal court, specifically claims under Exchange Act § 10(b) and Rule 10b-5. In response, plaintiffs argue that this Court should refuse to grant a stay because the complaint in the New York Action contains meager Caremark allegations compared to the Complaint in this action. According to plaintiffs, the claims in the New York Action are primarily for securities fraud and insider trading and set forth demand futility allegations based on defendants’ misrepresentations, omissions, and insider sales.

18 See id. at *3; Topps, 924 A.2d at 954 (“When new issues arise, the state of incorporation has a particularly strong interest in addressing them, and providing guidance.”).

19 See Merrill Lynch, 2008 WL 4824053, at *3. It is also highly unlikely that this case will require a view of the premises.

20 Id.

While the authority of one Court to grant complete relief may be a relevant consideration under the pendency of similar actions prong of the forum non conveniens analysis, it is not outcome determinative. In this case, it does not even approach the required showing of hardship defendants would have to make in order to warrant a stay of the proceedings, and I need not further scrutinize the arguments on this prong of the test.

Finally, the “important and atypical practical considerations,” described by the Bear Stearns Court as sui generis, are not present in this case.21 In Bear Stearns, the Court was faced with a case involving the Federal Reserve Bank and the Department of the Treasury in which inconsistent rulings could “negatively impact not only the parties involved, but also the U.S. financial markets and the national economy.”22 In light of, among other things, “the persuasive practical reasons against embarking unnecessarily on a collision course with our sister court in New York in these extraordinary circumstances,” the Court granted the motion for a stay after finding that the defendants had shown that failure to stay the action would result in overwhelming hardship.23 Defendants in this action have not shown analogous practical circumstances or that proceeding in Delaware would result in significant hardship. The essence of defendants’ argument in favor of the stay is that the Court in the New York Action is capable of hearing all the claims and that it would be more expedient and convenient to litigate in New York rather than Delaware.24 Such considerations, however, without more, are not sufficient to entitle defendants to a stay on forum non conveniens grounds.

21 Bear Stearns, 2008 WL 959992, at *6-8.

III. THE MOTION TO DISMISS UNDER RULE 23.1

A. The Legal Standard for Demand Excused

The decision whether to initiate or pursue a lawsuit on behalf of the corporation is generally within the power and responsibility of the board of directors.25 This follows from the “cardinal precept of the General Corporation Law of the State of Delaware . . . that directors, rather than shareholders, manage the business and affairs of the corporation.”26 Accordingly, in order to cause the corporation to pursue litigation, a shareholder must either (1) make a pre-suit demand by presenting the allegations to the corporation’s directors, requesting that they bring suit, and showing that they wrongfully refused to do so, or (2) plead facts showing that demand upon the board would have been futile.27 Where, as here, a plaintiff does not make a pre-suit demand on the board of directors, the complaint must plead with particularity facts showing that a demand on the board would have been futile.28 The purpose of the demand requirement is not to insulate defendants from liability; rather, the demand requirement and the strict requirements of factual particularity under Rule 23.1 “exist[] to preserve the primacy of board decisionmaking regarding legal claims belonging to the corporation.”29

22 Id. at *8; see Merrill Lynch, 2008 WL 4824053, at *4.

23 Bear Stearns, 2008 WL 959992, at *8.

24 The New York Action is pending in the Southern District of New York before Judge Sidney H. Stein. The decision not to stay this action should not be seen as reflecting on the expertise of Judge Stein, who, to my knowledge, is an excellent jurist, fully capable of adjudicating issues of Delaware law.

25 8 Del. C. § 141(a).

Under the familiar Aronson test, to show demand futility, plaintiffs must provide particularized factual allegations that raise a reasonable doubt that “(1) the directors are disinterested and independent [or] (2) the challenged transaction was otherwise the product of a valid exercise of business judgment.”30 Where, however, plaintiffs complain of board inaction and do not challenge a specific decision of the board, there is no “challenged transaction,” and the ordinary Aronson analysis does not apply.31 Instead, to show demand futility where the subject of the derivative suit is not a business decision of the board, a plaintiff must allege particularized facts that “create a reasonable doubt that, as of the time the complaint is filed, the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand.”32

26 Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984).

27 See Stone v. Ritter, 911 A.2d 362, 366-67 (Del. 2006).

28 Ct. Ch. R. 23.1(a); see Stone, 911 A.2d at 367 n.9; Brehm v. Eisner, 746 A.2d 244, 254 (Del. 2000).

29 Am. Int’l Group, Inc., Consol. Derivative Litig., C.A. No. 769-VCS, 2009 WL 366613, at *29 (Del. Ch. Feb. 10, 2009).

30 Brehm, 746 A.2d at 253 (quoting Aronson, 473 A.2d at 814).

In evaluating whether demand is excused, the Court must accept as true the well pleaded factual allegations in the Complaint. The pleadings, however, are held to a higher standard under Rule 23.1 than under the permissive notice pleading standard under Court of Chancery Rule 8(a). To establish that demand is excused under Rule 23.1, the pleadings must comply with “stringent requirements of factual particularity” and set forth “particularized factual statements that are essential to the claim.”33 “A prolix complaint larded with conclusory language . . . does not comply with these fundamental pleading mandates.”34

Plaintiffs have not alleged that a majority of the board was not independent for purposes of evaluating demand. Rather, as to the claims for waste asserted in Count III, plaintiffs allege that the approval of certain transactions did not constitute a valid exercise of business judgment under the second prong of the Aronson test. Plaintiffs allege that demand is futile as to Counts I, II, and IV because the director defendants are not able to exercise disinterested business judgment in responding to a demand because their failure of oversight subjects them to a substantial likelihood of personal liability. According to plaintiffs, the director defendants face a substantial threat of personal liability because their conscious disregard of their duties and lack of proper supervision and oversight caused the Company to be overexposed to risk in the subprime mortgage market.

31 Rales v. Blasband, 634 A.2d 927, 933-34 (Del. 1993).

32 Id. at 934.

33 Brehm, 746 A.2d at 254.

34 Id.

Demand is not excused solely because the directors would be deciding to sue

themselves.35 Rather, demand will be excused based on a possibility of personal

director liability only in the rare case when a plaintiff is able to show director

conduct that is “so egregious on its face that board approval cannot meet the test of

business judgment, and a substantial likelihood of director liability therefore

exists.”36

35Jacobs v. Yang, C.A. No. 206-N, 2004 WL 1728521, at *6 n.31 (Del. Ch. Aug. 2, 2004).

36Aronson, 473 A.2d at 815. The Complaint appears to allege that demand on defendants Rubin

and Ramirez would be futile because 1) Rubin faces a substantial threat of personal liability because he benefited personally by wrongfully selling stock while in possession of material non-public information; 2) Rubin is beholden to defendants Belda, Derr, and Parsons due to the extraordinary monetary compensation and other benefits they approved for him while he was a director and despite his lack of operational responsibility; and 3) Ramirez is not independent because he ran a subsidiary of Citigroup and received security and other services valued at more than $2 million from Citigroup while doing so. See Compl. ¶¶ 181-82. The Court does not need to determine the adequacy of these demand futility allegations because plaintiffs have not made similar individualized allegations regarding the other director defendants. Thus, even if the allegations in the Complaint are sufficient to excuse demand as to Rubin and Ramirez, plaintiffs have still failed to properly plead demand futility for a majority of the director defendants. As further explained below, instead of providing similar individualized assertions for the other director defendants, plaintiffs rely on the “group” accusation mode of pleading demand futility.

20

Page 95: ROFESSOR OAN AC EOD EMINWAY - americanbar.org · PROFESSOR JOAN MACLEOD HEMINWAY is the College of Law Distinguished Professor of ... School. Professor Karmel's area of expertise

B. Demand Futility Regarding Plaintiffs’ Fiduciary Duty Claims

Plaintiffs’ argument is based on a theory of director liability famously

articulated by former-Chancellor Allen in In re Caremark.37 Before Caremark, in

Graham v. Allis-Chalmers Manufacturing Company,38 the Delaware Supreme

Court, in response to a theory that the Allis-Chalmers directors were liable because

they should have known about employee violations of federal anti-trust laws, held

that “absent cause for suspicion there is no duty upon the directors to install and

operate a corporate system of espionage to ferret out wrongdoing which they have

no reason to suspect exists.”39 Over thirty years later, in the context of approval of

a settlement of a class action, former-Chancellor Allen took the opportunity to

revisit the duty to monitor under Delaware law. In Caremark, the plaintiffs alleged

that the directors were liable because they should have known that certain officers

and employees were violating the federal Anti-Referral Payments Law. In

analyzing these claims, the Court began, appropriately, by reviewing the duty of

care and the protections of the business judgment rule.

With regard to director liability standards, the Court distinguished between

(1) “a board decision that results in a loss because that decision was ill advised or

‘negligent’” and (2) “an unconsidered failure of the board to act in circumstances

Had plaintiffs provided individual allegations as to each of the director defendants, the outcome of this case may have been different. 37

In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).38 188 A.2d 125 (Del. 1963).39

Id. at 130.

21

Page 96: ROFESSOR OAN AC EOD EMINWAY - americanbar.org · PROFESSOR JOAN MACLEOD HEMINWAY is the College of Law Distinguished Professor of ... School. Professor Karmel's area of expertise

in which due attention would, arguably, have prevented the loss.”40 In the former

class of cases, director action is analyzed under the business judgment rule, which

prevents judicial second guessing of the decision if the directors employed a

rational process and considered all material information reasonably available—a

standard measured by concepts of gross negligence.41 As former-Chancellor Allen

explained:

What should be understood, but may not widely be understood by courts or commentators who are not often required to face such questions, is that compliance with a director’s duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed. That is, whether a judge or jury considering the matter after the fact, believes a decision substantively wrong, or degrees of wrong extending through “stupid” to “egregious” or “irrational”, provides no ground for director liability, so long as the court determines that the process employed was either rational or employed in a good faith effort to advance corporate interests. To employ a different rule—one that permitted an “objective” evaluation of the decision—would expose directors to substantive second guessing by ill-equipped judges or juries, which would, in the long-run, be injurious to investor interests. Thus, the business judgment rule is process oriented and informed by a deep respect for all good faith board decisions.42

In the latter class of cases, where directors are alleged to be liable for a

failure to monitor liability creating activities, the Caremark Court, in a

reassessment of the holding in Graham, stated that while directors could be liable

40 Caremark, 698 A.2d at 967.

41 Id.; see Brehm, 746 A.2d at 259.

42 Caremark, 698 A.2d at 967-68 (footnotes omitted).


for a failure to monitor, “only a sustained or systematic failure of the board to

exercise oversight—such as an utter failure to attempt to assure a reasonable

information and reporting system exists—will establish the lack of good faith that

is a necessary condition to liability.”43

In Stone v. Ritter, the Delaware Supreme Court approved the Caremark

standard for director oversight liability and made clear that liability was based on

the concept of good faith, which the Stone Court held was embedded in the

fiduciary duty of loyalty and did not constitute a freestanding fiduciary duty that

could independently give rise to liability.44 As the Stone Court explained:

Caremark articulates the necessary conditions predicate for director oversight liability: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.45

Thus, to establish oversight liability a plaintiff must show that the directors knew

they were not discharging their fiduciary obligations or that the directors

demonstrated a conscious disregard for their responsibilities such as by failing to

43 Id. at 971.

44 Stone, 911 A.2d at 370.

45 Id. (footnotes omitted).


act in the face of a known duty to act.46 The test is rooted in concepts of bad faith;

indeed, a showing of bad faith is a necessary condition to director oversight

liability.47

1. Plaintiffs’ Caremark Allegations

Plaintiffs’ theory of how the director defendants will face personal liability

is a bit of a twist on the traditional Caremark claim. In a typical Caremark case,

plaintiffs argue that the defendants are liable for damages that arise from a failure

to properly monitor or oversee employee misconduct or violations of law. For

example, in Caremark the board allegedly failed to monitor employee actions in

violation of the federal Anti-Referral Payments Law; in Stone, the directors were

charged with a failure of oversight that resulted in liability for the company

because of employee violations of the federal Bank Secrecy Act.48

46 See Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003) (“[T]he [Caremark] opinion articulates a standard for liability for failures of oversight that requires a showing that the directors breached their duty of loyalty by failing to attend to their duties in good faith. Put otherwise, the decision premises liability on a showing that the directors were conscious of the fact that they were not doing their jobs.”) (footnote omitted).

47 Stone, 911 A.2d at 369; Desimone v. Barrows, 924 A.2d 908, 935 (Del. Ch. 2007) (“Caremark itself encouraged directors to act with reasonable diligence, but plainly held that director liability for failure to monitor required a finding that the directors acted with the state of mind traditionally used to define the mindset of a disloyal director—bad faith—because their indolence was so persistent that it could not be ascribed to anything other than a knowing decision not to even try to make sure the corporation’s officers had developed and were implementing a prudent approach to ensuring law compliance. By reinforcing that a scienter-based standard applies to claims in the delicate monitoring context, Stone ensured that the protections that exculpatory charter provisions afford to independent directors against damage claims would not be eroded.”) (footnotes omitted).

48 See, e.g., David B. Shaev Profit Sharing Account v. Armstrong, C.A. No. 1449-N, 2006 WL 391931, at *2 (Del. Ch. Feb. 13, 2006) (Caremark claims for failure to discover involvement in allegedly fraudulent business practices).


In contrast, plaintiffs’ Caremark claims are based on defendants’ alleged

failure to properly monitor Citigroup’s business risk, specifically its exposure to

the subprime mortgage market. In their answering brief, plaintiffs allege that the

director defendants are personally liable under Caremark for failing to “make a

good faith attempt to follow the procedures put in place or fail[ing] to assure that

adequate and proper corporate information and reporting systems existed that

would enable them to be fully informed regarding Citigroup’s risk to the subprime

mortgage market.”49 Plaintiffs point to so-called “red flags” that should have put

defendants on notice of the problems in the subprime mortgage market and further

allege that the board should have been especially conscious of these red flags

because a majority of the directors (1) served on the Citigroup board during its

previous Enron related conduct and (2) were members of the ARM Committee and

considered financial experts.

Although these claims are framed by plaintiffs as Caremark claims,

plaintiffs’ theory essentially amounts to a claim that the director defendants should

be personally liable to the Company because they failed to fully recognize the risk

posed by subprime securities. When one looks past the lofty allegations of duties

of oversight and red flags used to dress up these claims, what is left appears to be

plaintiff shareholders attempting to hold the director defendants personally liable

49 Pls.’ Answering Br. at 2.


for making (or allowing to be made) business decisions that, in hindsight, turned

out poorly for the Company. Delaware Courts have faced these types of claims

many times and have developed doctrines to deal with them—the fiduciary duty of

care and the business judgment rule. These doctrines properly focus on the

decision-making process rather than on a substantive evaluation of the merits of

the decision. This follows from the inadequacy of the Court, due in part to a

concept known as hindsight bias,50 to properly evaluate whether corporate

decision-makers made a “right” or “wrong” decision.

The business judgment rule “is a presumption that in making a business

decision the directors of a corporation acted on an informed basis, in good faith

and in the honest belief that the action taken was in the best interests of the

company.”51 The burden is on plaintiffs, the party challenging the directors’

decision, to rebut this presumption.52 Thus, absent an allegation of interestedness

or disloyalty to the corporation, the business judgment rule prevents a judge or jury

from second guessing director decisions if they were the product of a rational

process and the directors availed themselves of all material and reasonably

50 “Hindsight bias is the tendency for people with knowledge of an outcome to exaggerate the extent to which they believe that outcome could have been predicted.” Hal R. Arkes & Cindy A. Schipani, Medical Malpractice v. The Business Judgment Rule: Differences in Hindsight Bias, 73 OR. L. REV. 587, 587 (1994).

51 Aronson, 473 A.2d at 812.

52 Id.


available information. The standard of director liability under the business

judgment rule “is predicated upon concepts of gross negligence.”53

Additionally, Citigroup has adopted a provision in its certificate of

incorporation pursuant to 8 Del. C. § 102(b)(7) that exculpates directors from

personal liability for violations of fiduciary duty, except for, among other things,

breaches of the duty of loyalty or actions or omissions not in good faith or that

involve intentional misconduct or a knowing violation of law. Because the director

defendants are “exculpated from liability for certain conduct, ‘then a serious threat

of liability may only be found to exist if the plaintiff pleads a non-exculpated claim

against the directors based on particularized facts.’”54 Here, plaintiffs have not

alleged that the directors were interested in the transaction and instead root their

theory of director personal liability in bad faith.

The Delaware Supreme Court has stated that bad faith conduct may be found

where a director “intentionally acts with a purpose other than that of advancing the

best interests of the corporation, . . . acts with the intent to violate applicable

positive law, or . . . intentionally fails to act in the face of a known duty to act,

demonstrating a conscious disregard for his duties.”55 More recently, the Delaware

Supreme Court held that when a plaintiff seeks to show that demand is excused

53 Id.

54 Wood v. Baum, 953 A.2d 136, 141 (Del. 2008) (quoting Guttman, 823 A.2d at 501).

55 In re Walt Disney Co. Derivative Litig., 906 A.2d 27, 67 (Del. 2006).


because directors face a substantial likelihood of liability where “directors are

exculpated from liability except for claims based on ‘fraudulent,’ ‘illegal’ or ‘bad

faith’ conduct, a plaintiff must also plead particularized facts that demonstrate that

the directors acted with scienter, i.e., that they had ‘actual or constructive

knowledge’ that their conduct was legally improper.”56 A plaintiff can thus plead

bad faith by alleging with particularity that a director knowingly violated a

fiduciary duty or failed to act in violation of a known duty to act, demonstrating a

conscious disregard for her duties.

Turning now specifically to plaintiffs’ Caremark claims, one can see a

similarity between the standard for assessing oversight liability and the standard

for assessing a disinterested director’s decision under the duty of care when the

company has adopted an exculpatory provision pursuant to § 102(b)(7). In either

case, a plaintiff can show that the director defendants will be liable if their acts or

omissions constitute bad faith. A plaintiff can show bad faith conduct by, for

example, properly alleging particularized facts that show that a director

consciously disregarded an obligation to be reasonably informed about the business

and its risks or consciously disregarded the duty to monitor and oversee the

business.

56 Wood, 953 A.2d at 141.


The Delaware Supreme Court made clear in Stone that directors of

Delaware corporations have certain responsibilities to implement and monitor a

system of oversight; however, this obligation does not eviscerate the core

protections of the business judgment rule—protections designed to allow corporate

managers and directors to pursue risky transactions without the specter of being

held personally liable if those decisions turn out poorly. Accordingly, the burden

required for a plaintiff to rebut the presumption of the business judgment rule by

showing gross negligence is a difficult one, and the burden to show bad faith is

even higher. Additionally, as former-Chancellor Allen noted in Caremark, director

liability based on the duty of oversight “is possibly the most difficult theory in

corporation law upon which a plaintiff might hope to win a judgment.”57 The

presumption of the business judgment rule, the protection of an exculpatory

§ 102(b)(7) provision, and the difficulty of proving a Caremark claim together

function to place an extremely high burden on a plaintiff to state a claim for

personal director liability for a failure to see the extent of a company’s business

risk.

To the extent the Court allows shareholder plaintiffs to succeed on a theory

that a director is liable for a failure to monitor business risk, the Court risks

undermining the well settled policy of Delaware law by inviting Courts to perform

57 Caremark, 698 A.2d at 967.


a hindsight evaluation of the reasonableness or prudence of directors’ business

decisions. Risk has been defined as the chance that a return on an investment will

be different than expected. The essence of the business judgment of managers and

directors is deciding how the company will evaluate the trade-off between risk and

return. Businesses—and particularly financial institutions—make returns by

taking on risk; a company or investor that is willing to take on more risk can earn a

higher return. Thus, in almost any business transaction, the parties go into the deal

with the knowledge that, even if they have evaluated the situation correctly, the

return could be different than they expected.

It is almost impossible for a court, in hindsight, to determine whether the

directors of a company properly evaluated risk and thus made the “right” business

decision.58 In any investment there is a chance that returns will turn out lower than

expected, and generally a smaller chance that they will be far lower than expected.

When investments turn out poorly, it is possible that the decision-maker evaluated

the deal correctly but got “unlucky” in that a huge loss—the probability of which

was very small—actually happened. It is also possible that the decision-maker

58 See Stephen M. Bainbridge, The Business Judgment Rule as Abstention Doctrine, 57 VAND. L. REV. 83, 114-15 (2004) (“[T]here is a substantial risk that suing shareholders and reviewing judges will be unable to distinguish between competent and negligent management because bad outcomes often will be regarded, ex post, as having been foreseeable and, therefore, preventable ex ante. If liability results from bad outcomes, without regard to the ex ante quality of the decision or the decision-making process, however, managers will be discouraged from taking risks.”) (footnotes omitted).


improperly evaluated the risk posed by an investment and that the company

suffered large losses as a result.

Business decision-makers must operate in the real world, with imperfect

information, limited resources, and an uncertain future. To impose liability on

directors for making a “wrong” business decision would cripple their ability to

earn returns for investors by taking business risks. Indeed, this kind of judicial

second guessing is what the business judgment rule was designed to prevent, and

even if a complaint is framed under a Caremark theory, this Court will not

abandon such bedrock principles of Delaware fiduciary duty law. With these

considerations and the difficult standard required to show director oversight

liability in mind, I turn to an evaluation of the allegations in the Complaint.

a. The Complaint Does Not Properly Allege Demand Futility for Plaintiffs’ Fiduciary Duty Claims

In this case, plaintiffs allege that the defendants are liable for failing to

properly monitor the risk that Citigroup faced from subprime securities. While it

may be possible for a plaintiff to meet the burden under some set of facts, plaintiffs

in this case have failed to state a Caremark claim sufficient to excuse demand

based on a theory that the directors did not fulfill their oversight obligations by

failing to monitor the business risk of the company.

The allegations in the Complaint amount essentially to a claim that Citigroup

suffered large losses and that there were certain warning signs that could or should


have put defendants on notice of the business risks related to Citigroup’s

investments in subprime assets. Plaintiffs then conclude that because defendants

failed to prevent the Company’s losses associated with certain business risks, they

must have consciously ignored these warning signs or knowingly failed to monitor

the Company’s risk in accordance with their fiduciary duties.59 Such conclusory

allegations, however, are not sufficient to state a claim for failure of oversight that

would give rise to a substantial likelihood of personal liability, which would

require particularized factual allegations demonstrating bad faith by the director

defendants.

Plaintiffs do not contest that Citigroup had procedures and controls in place

that were designed to monitor risk. Plaintiffs admit that Citigroup established the

ARM Committee and in 2004 amended the ARM Committee charter to include the

fact that one of the purposes of the ARM Committee was to assist the board in

fulfilling its oversight responsibility relating to policy standards and guidelines for

risk assessment and risk management.60 The ARM Committee was also charged

with, among other things, (1) discussing with management and independent

auditors the annual audited financial statements, (2) reviewing with management

an evaluation of Citigroup’s internal control structure, and (3) discussing with

management Citigroup’s major credit, market, liquidity, and operational risk

59 Pls.’ Answering Br. at 39-40.

60 Compl. ¶ 185.


exposures and the steps taken by management to monitor and control such

exposures, including Citigroup’s risk assessment and risk management policies.61

According to plaintiffs’ own allegations, the ARM Committee met eleven times in

2006 and twelve times in 2007.62

Plaintiffs nevertheless argue that the director defendants breached their duty

of oversight either because the oversight mechanisms were not adequate or because

the director defendants did not make a good faith effort to comply with the

established oversight procedures. To support this claim, the Complaint alleges

numerous facts that plaintiffs argue should have put the director defendants on

notice of the impending problems in the subprime mortgage market and

Citigroup’s exposure thereto. Plaintiffs summarized some of these “red flags” in

their answering brief as follows:

the steady decline of the housing market and the impact the collapsing bubble would have on mortgages and subprime backed securities since as early as 2005;

December 2005 guidance from the FASB staff—“The FASB staff is aware of loan products whose contractual features may increase the exposure of the originator, holder, investor, guarantor, or servicer to risk of nonpayment or realization.”;

the drastic rise in foreclosure rates starting in 2006;

several large subprime lenders reporting substantial losses and filing for bankruptcy starting in 2006;

61 Id. ¶ 187.

62 Id. ¶ 189.


billions of dollars in losses reported by Citigroup’s peers, such as Bear Stearns and Merrill Lynch.

Plaintiffs argue that demand is excused because a majority of the director

defendants face a substantial likelihood of personal liability because they were

charged with management of Citigroup’s risk as members of the ARM Committee

and as audit committee financial experts and failed to properly oversee and

monitor such risk.63 As explained above, however, to establish director oversight

liability plaintiffs would ultimately have to prove bad faith conduct by the director

defendants. Plaintiffs fail to plead any particularized factual allegations that raise a

reasonable doubt that the director defendants acted in good faith.

The warning signs alleged by plaintiffs are not evidence that the directors

consciously disregarded their duties or otherwise acted in bad faith; at most they

63 Compl. ¶ 189; Pls.’ Answering Br. at 41-45. Directors with special expertise are not held to a higher standard of care in the oversight context simply because of their status as an expert. See Canadian Commercial Workers Indus. Pension Plan v. Alden, C.A. No. 1184-N, 2006 WL 456786, at *7 n.54 (Del. Ch. Feb. 22, 2006); see also E. Norman Veasey & Christine T. Di Guglielmo, What Happened in Delaware Corporate Law and Governance from 1992-2004? A Retrospective on Some Key Developments, 153 U. PA. L. REV. 1399, 1445-47 (2005). Directors of a committee charged with oversight of a company’s risk have additional responsibilities to monitor such risk; however, such responsibility does not change the standard of director liability under Caremark and its progeny, which requires a showing of bad faith. Evaluating director action under the bad faith standard is a contextual and fact specific inquiry and what a director knows and understands is, of course, relevant to such an inquiry. See In re Emerging Commc’ns, Inc. S’holders Litig., C.A. No. 16415, 2004 WL 1305745, at *39-40 (Del. Ch. May 3, 2004). Even accepting, however, that a majority of the directors were members of the ARM Committee and considered audit committee financial experts, plaintiffs have not alleged facts showing that they demonstrated a conscious disregard for duty, or any other conduct or omission that would constitute bad faith. Even directors who are experts are shielded from judicial second guessing of their business decisions by the business judgment rule.


evidence that the directors made bad business decisions. The “red flags” in the

Complaint amount to little more than portions of public documents that reflected

the worsening conditions in the subprime mortgage market and in the economy

generally. Plaintiffs fail to plead “particularized facts suggesting that the Board

was presented with ‘red flags’ alerting it to potential misconduct” at the

Company.64 That the director defendants knew of signs of a deterioration in the

subprime mortgage market, or even signs suggesting that conditions could decline

further, is not sufficient to show that the directors were or should have been aware

of any wrongdoing at the Company or were consciously disregarding a duty

somehow to prevent Citigroup from suffering losses.65 Nothing about plaintiffs’

“red flags” supports plaintiffs’ conclusory allegation that “defendants have not

made a good faith attempt to assure that adequate and proper corporate information

and reporting systems existed that would enable them to be fully informed

regarding Citigroup’s risk to the subprime mortgage market.”66 Indeed, plaintiffs’

allegations do not even specify how the board’s oversight mechanisms were

inadequate or how the director defendants knew of these inadequacies and

consciously ignored them. Rather, plaintiffs seem to hope the Court will accept the

64 Shaev, 2006 WL 391931, at *3.

65 That plaintiffs are unable to point to specific wrongdoing within the Company that caused Citigroup’s losses from exposure to the subprime mortgage market further supports my hypothesis that this case is not truly a Caremark case, but rather a straightforward claim of breach of the fiduciary duty of care.

66 Pls.’ Answering Br. at 62.


conclusion that since the Company suffered large losses, and since a properly

functioning risk management system would have avoided such losses, the directors

must have breached their fiduciary duties in allowing such losses.

Moving from such general ipse dixit syllogisms to the more specific,

plaintiffs argue that the director defendants, and especially those nine directors

who were on the board at the time, “should have been especially sensitive to the

red flags in the marketplace in light of the Company’s prior involvement in the

Enron Corporation debacle and other financial scandals earlier in the decade.”67

Plaintiffs also allege that the director defendants should have been especially alert

to the dangers of transactions involving SIVs because SIVs were involved in

Citigroup’s transactions with Enron that resulted in liability for the Company.

Plaintiffs allege that Citigroup helped finance transactions that allowed Enron to

hide its true financial condition and resulted in Citigroup paying approximately

$120 million in penalties and disgorgement as well as agreeing to new risk

management procedures designed to prevent similar conduct.

Plaintiffs fail in their attempt to impose some sort of higher standard of

liability on the director defendants that were on Citigroup’s board at the time of its

involvement with Enron. They have utterly failed to show how Citigroup’s

involvement with the financial scandals at Enron has any relevance to Citigroup’s

67 Id. at 47.


investments in subprime securities. Plaintiffs cite McCall v. Scott68 to support the

proposition that directors who were on the board during previous misconduct

should be sensitive to similar circumstances which had previously prompted

investigations. That case, however, actually shows how plaintiffs’ attempt to

impose a higher standard on the directors because of the Enron scandal is

inadequate. Unlike here, the plaintiffs in McCall alleged numerous specific

instances of widespread, prevalent wrongdoing throughout the company and the

mechanisms by which the wrongdoing came to the board’s attention.69 The Sixth

Circuit in McCall did not, as plaintiffs assert, hold that alleged prior, unrelated

wrongdoing would make directors “sensitive to similar circumstances.”70 Unlike

plaintiffs’ allegations about Enron, the prior “experience” referenced in McCall

was an investigation and settlement for the same type of questionable billing

practices before the Sixth Circuit.71 Plaintiffs have not shown how involvement

with the Enron related scandals should have in any way put the director defendants

on a heightened alert to problems in the subprime mortgage market. Additionally,

the use of SIVs in the Enron related conduct would not serve to put the director

68 239 F.3d 808 (6th Cir. 2001).

69 Id. at 819–24 (noting allegations of numerous financial irregularities in reports brought to the board’s attention).

70 Pls.’ Answering Br. at 48.

71 See McCall, 239 F.3d at 821.


defendants on any type of heightened notice to the unrelated use of SIVs in

structuring transactions involving subprime securities.

The Complaint and plaintiffs’ answering brief repeatedly make the

conclusory allegation that the defendants have breached their duty of oversight, but

nowhere do plaintiffs adequately explain what the director defendants actually did

or failed to do that would constitute such a violation. Even while admitting that

Citigroup had a risk monitoring system in place, plaintiffs seem to conclude that,

because the director defendants (and the ARM Committee members in particular)

were charged with monitoring Citigroup’s risk, then they must be found liable

because Citigroup experienced losses as a result of exposure to the subprime

mortgage market. The only factual support plaintiffs provide for this conclusion

are “red flags” that actually amount to nothing more than signs of continuing

deterioration in the subprime mortgage market. These types of conclusory

allegations are exactly the kinds of allegations that do not state a claim for relief

under Caremark.

To recognize such claims under a theory of director oversight liability would

undermine the long established protections of the business judgment rule. It is

well established that the mere fact that a company takes on business risk and

suffers losses—even catastrophic losses—does not evidence misconduct, and


without more, is not a basis for personal director liability.72 That there were signs

in the market that reflected worsening conditions and suggested that conditions

may deteriorate even further is not an invitation for this Court to disregard the

presumptions of the business judgment rule and conclude that the directors are

liable because they did not properly evaluate business risk. What plaintiffs are

asking the Court to conclude from the presence of these “red flags” is that the

directors failed to see the extent of Citigroup’s business risk and therefore made a

“wrong” business decision by allowing Citigroup to be exposed to the subprime

mortgage market.

This Court’s recent decision in American International Group, Inc.

Consolidated Derivative Litigation73 demonstrates the stark contrast between the

allegations here and allegations that are sufficient to survive a motion to dismiss.

In AIG, the Court faced a motion to dismiss a complaint that included “well-pled

allegations of pervasive, diverse, and substantial financial fraud involving

managers at the highest levels of AIG.”74 In concluding that the complaint stated a

claim for relief under Rule 12(b)(6),75 the Court held that the factual allegations in

the complaint were sufficient to support an inference that AIG executives running

72 See Gagliardi v. TriFoods Int’l, Inc., 683 A.2d 1049, 1051 (Del. Ch. 1996) (“The business outcome of an investment project that is unaffected by director self-interest or bad faith, cannot itself be an occasion for director liability.”) (footnote omitted).

73 C.A. No. 769-VCS, 2009 WL 366613 (Del. Ch. Feb. 10, 2009).

74 Id. at *3.

75 It is also significant that the AIG Court was analyzing the Complaint under the plaintiff-friendly standard of Rule 12(b)(6), rather than the particularized pleading standard of Rule 23.1.


those divisions knew of and approved much of the wrongdoing. The Court

reasoned that huge fraudulent schemes were unlikely to be perpetrated without the

knowledge of the executive in charge of that division of the company.76 Unlike the

allegations in this case, the defendants in AIG allegedly failed to exercise

reasonable oversight over pervasive fraudulent and criminal conduct. Indeed, the

Court in AIG even stated that the complaint there supported the assertion that top

AIG officials were leading a “criminal organization” and that “[t]he diversity,

pervasiveness, and materiality of the alleged financial wrongdoing at AIG is

extraordinary.”77

Contrast the AIG claims with the claims in this case. Here, plaintiffs argue

that the Complaint supports the reasonable conclusion that the director defendants

acted in bad faith by failing to see the warning signs of a deterioration in the

subprime mortgage market and failing to cause Citigroup to change its investment

policy to limit its exposure to the subprime market. Director oversight duties are

designed to ensure reasonable reporting and information systems exist that would

allow directors to know about and prevent wrongdoing that could cause losses for

the Company. There are significant differences between failing to oversee

employee fraudulent or criminal conduct and failing to recognize the extent of a

Company’s business risk. Directors should, indeed must under Delaware law,

76 AIG, 2009 WL 366613 at *22.

77 Id. at *23.


ensure that reasonable information and reporting systems exist that would put them

on notice of fraudulent or criminal conduct within the company. Such oversight

programs allow directors to intervene and prevent frauds or other wrongdoing that

could expose the company to risk of loss as a result of such conduct. While it may

be tempting to say that directors have the same duties to monitor and oversee

business risk, imposing Caremark-type duties on directors to monitor business risk

is fundamentally different. Citigroup was in the business of taking on and

managing investment and other business risks. To impose oversight liability on

directors for failure to monitor “excessive” risk would involve courts in conducting

hindsight evaluations of decisions at the heart of the business judgment of

directors. Oversight duties under Delaware law are not designed to subject

directors, even expert directors, to personal liability for failure to predict the future

and to properly evaluate business risk.78

78 If defendants had been able to predict the extent of the problems in the subprime mortgage market, then they would not only have been able to avoid losses, but presumably would have been able to make significant gains for Citigroup by taking positions that would have produced a return when the value of subprime securities dropped. Compl. ¶ 78. Query: if the Court were to adopt plaintiffs’ theory of the case—that the defendants are personally liable for their failure to see the problems in the subprime mortgage market and Citigroup’s exposure to them—then could not a plaintiff succeed on a theory that a director was personally liable for failure to predict the extent of the subprime mortgage crisis and profit from it, even if the company was not exposed to losses from the subprime mortgage market? If directors are going to be held liable for losses for failing to accurately predict market events, then why not hold them liable for failing to profit by predicting market events that, in hindsight, the director should have seen because of certain red (or green?) flags? If one expects director prescience in one direction, why not the other?


Instead of alleging facts that could demonstrate bad faith on the part of the

directors, by presenting the Court with the so called “red flags,” plaintiffs are

inviting the Court to engage in the exact kind of judicial second guessing that is

proscribed by the business judgment rule. In any business decision that turns out

poorly there will likely be signs that one could point to and argue are evidence that

the decision was wrong. Indeed, it is tempting in a case with such staggering

losses for one to think that they could have made the “right” decision if they had

been in the directors’ position. This temptation, however, is one of the reasons for

the presumption against an objective review of business decisions by judges, a

presumption that is no less applicable when the losses to the Company are large.

2. Plaintiffs’ Disclosure Allegations

Plaintiffs argue that demand is excused as futile because the director

defendants face a substantial likelihood of personal liability for violating their duty

of disclosure and would therefore be unable to exercise independent and

disinterested business judgment in responding to a demand.79 Plaintiffs allege that

the director defendants violated their duty of disclosure by, among other things,

failing to properly disclose the value of certain financial instruments,80 placing

underperforming assets in SIVs without fully disclosing the risk that Citigroup

79 Plaintiffs argue that the disclosure claims relate to actions taken by the board and are therefore subject to the Aronson standard. Plaintiffs request, however, that the Court review demand futility under the substantial likelihood of liability standard and present their demand futility arguments under that standard.

80 Compl. ¶ 172.


might have to bring the assets back onto its balance sheet,81 and failing to properly

account for guarantees, specifically the liquidity puts that allowed buyers of CDOs

to sell the products back to Citigroup at face value.82 Plaintiffs argue that the “red

flags” alleged in the Complaint lead to a reasonable inference that the director

defendants, and particularly the ARM Committee members, knew that certain

disclosures regarding the Company’s exposure to subprime assets were misleading.

“[E]ven in the absence of a request for shareholder action, shareholders are

entitled to honest communication from directors, given with complete candor and

in good faith.”83 When there is no request for shareholder action, a shareholder

plaintiff can demonstrate a breach of fiduciary duty by showing that the directors

“deliberately misinform[ed] shareholders about the business of the corporation,

either directly or by a public statement.”84 Citigroup’s certificate of incorporation

exculpates the director defendants from personal liability for violations of fiduciary

duty except for, among other things, breaches of the duty of loyalty and acts or

omissions not in good faith or that involve intentional misconduct or knowing

violation of law. Thus, to show a substantial likelihood of liability that would

excuse demand, plaintiffs must plead particularized factual allegations that

81 Id. at ¶ 70.

82 Id. at ¶¶ 163-65.

83 In re infoUSA, Inc. S’holders Litig., 953 A.2d 963, 990 (Del. Ch. 2007).

84 Malone v. Brincat, 722 A.2d 5, 14 (Del. 1998) (emphasis added); see infoUSA, 953 A.2d at 990 (finding that directors violate their fiduciary duties “where it can be shown that the directors involved issued their communication with the knowledge that it was deceptive or incomplete”).


“support the inference that the disclosure violation was made in bad faith,

knowingly or intentionally.”85 Additionally, directors of Delaware corporations

are fully protected in relying in good faith on the reports of officers and experts.86

The factual allegations in the Complaint are not sufficient to allow me to

reasonably conclude that the director defendants face a substantial likelihood of

liability that would prevent them from impartially considering a demand. This is

so for at least three reasons. First, plaintiffs fail to allege with sufficient specificity

the actual misstatements or omissions that constituted a violation of the board’s

duty of disclosure.87 The Complaint merely alleges, in general and conclusory

terms, that the director defendants did not adequately disclose certain risks faced

by the Company—for example, the risks posed by Citigroup’s SIVs and the

liquidity puts that allowed purchasers of CDOs to sell the instruments back to

85 O’Reilly v. Transworld Healthcare, Inc., 745 A.2d 902, 915 (Del. Ch. Aug. 20, 1999).

86 8 Del. C. § 141(e) (“A member of the board of directors, or a member of any committee designated by the board of directors, shall, in the performance of such member’s duties, be fully protected in relying in good faith upon the records of the corporation and upon such information, opinions, reports or statements presented to the corporation by any of the corporation’s officers or employees, or committees of the board of directors, or by any other person as to matters the member reasonably believes are within such other person’s professional or expert competence and who has been selected with reasonable care by or on behalf of the corporation.”); see Brehm, 746 A.2d at 261.

87 See Pfeffer v. Redstone, No. 115, 2008, _ A.2d _, 2009 WL 188887, at *6 (Del. Jan. 23, 2009) (“Although there is ‘no reason to depart from the general pleading rules when alleging duty of disclosure violations,’ ‘it is inherent in disclosure cases that the misstated or omitted facts be identified and that the pleading not be merely conclusory.’”) (quoting Loudon v. Archer-Daniels-Midland Co., 700 A.2d 135, 140 (Del. 1997)).


Citigroup at face value.88 The Complaint does not identify any actual disclosure

that was misleading or any statement that was made misleading as a result of an

omission of a material fact. Instead, plaintiffs allege, for instance, that the

Citigroup board “abdicated its fiduciary duties by not disclosing information on the

fair value of VIEs, CDOs and SIVs”89 and that “the ARM Committee abdicated its

fiduciary duties . . . to ensure the integrity of Citigroup’s financial statements and

financial reporting process, including earnings press releases and financial

information provided to analysts and rating agencies.”90

In other words, the disclosure allegations in the complaint do not meet the

stringent standard of factual particularity required under Rule 23.1. They fail to

allege with particularity which disclosures were misleading, when the Company

was obligated to make disclosures, what specifically the Company was obligated to

88 Compl. ¶¶ 160-73. To be fair, plaintiffs point to some specific statements in the Complaint. For example, paragraph 82 of the Complaint alleges that the director defendants “caused or allowed” Citigroup to issue a press release that highlighted, among other things, “positive trends from Citigroup’s strategic actions.” Paragraphs 88 and 99 of the Complaint allege that the director defendants “caused” Citigroup to issue press releases that stated that the Company had “generated strong momentum this quarter” and that cited decreasing credit costs “reflecting a stable global credit environment.” Even these allegations, however, fail to meet the strict pleading requirements under Rule 23.1. Pleading that the director defendants “caused” or “caused or allowed” the Company to issue certain statements is not sufficient particularized pleading to excuse demand under Rule 23.1. It is unclear from such allegations how the board was actually involved in creating or approving the statements, factual details that are crucial to determining whether demand on the board of directors would have been excused as futile. These allegations also fail for the other reasons described below, most notably because the Complaint fails to adequately plead facts reasonably suggesting that the director defendants made disclosures with knowledge that they were false or misleading or in bad faith.

89 Compl. ¶ 172.

90 Id. at ¶ 161.


disclose, and how the Company failed to do so.91 This information is critical

because to establish a threat of director liability based on a disclosure violation,

plaintiffs must plead facts that show that the violation was made knowingly or in

bad faith, a showing that requires allegations regarding what the directors knew

and when. Without knowing when and how the alleged disclosure violations

occurred, it is impossible to determine if the directors made the misstatements or

omissions knowingly or in bad faith. As a result, the disclosure allegations in the

complaint do not meet the stringent requirements of factual particularity under

Rule 23.1.

Second, the Complaint does not contain specific factual allegations that

reasonably suggest sufficient board involvement in the preparation of the

disclosures that would allow me to reasonably conclude that the director

defendants face a substantial likelihood of personal liability.92 Plaintiffs do not

allege facts suggesting that the director defendants prepared the financial

91 The closest plaintiffs come to alleging a specific disclosure violation are the allegations that the Company failed to disclose the existence of the liquidity puts until November 2007 and failed to disclose that the Company may have to take certain assets held by SIVs back onto its balance sheet. Compl. ¶¶ 70, 165-69. Even these claims, however, are vague and relatively light on the details of what the Company was required to disclose, when it was required to disclose it, and how its failure to do so would constitute a violation of the duty of disclosure. In any event, as discussed below, these claims fail to plead demand futility because plaintiffs have (1) failed to sufficiently allege facts showing that the director defendants were involved in preparing (or were otherwise responsible for) the alleged misleading disclosures and (2) failed to allege facts that would lead to a reasonable inference that the director defendants made any false or misleading statements or omissions knowingly or in bad faith.

92 See Wood, 953 A.2d at 142 (“The Board’s execution of [the company’s] financial reports, without more, is insufficient to create an inference that the directors had actual or constructive notice of any illegality.”).


statements or that they were directly responsible for the misstatements or

omissions. The Complaint merely alleges that Citigroup’s financial statements

contained false statements and material omissions and that the director defendants

reviewed the financial statements pursuant to their responsibilities under the ARM

Committee charter. Thus, I am unable to reasonably conclude that the director

defendants face a substantial likelihood of liability.

Third, and perhaps most importantly, the Complaint does not sufficiently

allege that the director defendants had knowledge that any disclosures or omissions

were false or misleading or that the director defendants acted in bad faith in not

adequately informing themselves.93 Plaintiffs have not alleged particular facts

showing that the director defendants were even aware of any misstatements or

omissions. Instead, plaintiffs conclusorily assert that the members of the ARM

Committee, as financial experts, knew the relevant accounting standards, knew or

should have known the extent of the Company’s exposure to the subprime

mortgage market, and are therefore responsible for alleged false statements or

omissions in Citigroup’s financial statements.94 Instead of providing factual

allegations regarding the knowledge or bad faith of the individual director

93 See Pfeffer, _ A.2d _, 2009 WL 188887, at *6 (“When pleading a breach of fiduciary duty based on the . . . Directors’ knowledge, [the plaintiff] must, at a minimum, offer ‘well-pleaded facts from which it can be reasonably inferred that this ‘something’ was knowable and that the defendant was in a position to know it.’”) (quoting IOTEX Commc’ns, Inc. v. Defries, C.A. No. 15817, 1998 WL 914265, at *4 (Del. Ch. Dec. 21, 1998)).

94 Compl. ¶ 191.


defendants, the Complaint makes broad group allegations about the director

defendants or the members of the ARM Committee.95 A determination of whether

the alleged misleading statements or omissions were made with knowledge or in

bad faith requires an analysis of the state of mind of the individual director

defendants, and plaintiffs have not made specific factual allegations that would

allow for such an inquiry. Plaintiffs’ alleged “red flags,” which amount to nothing

more than indications of worsening economic conditions, do not support a

reasonable inference that the director defendants approved or disseminated the

financial disclosures knowingly or in bad faith. Merely alleging that there were

signs of problems in the subprime mortgage market is not sufficient to show that

the director defendants knew that Citigroup’s disclosures were false or misleading.

The allegations are not sufficiently specific to Citigroup or to the director

defendants to meet the strict pleading requirements of Rule 23.1.

Although the members of the ARM Committee were charged with reviewing

and ensuring the accuracy of Citigroup’s financial statements under the ARM

Committee charter, director liability is not measured by the aspirational standard

established by the internal documents detailing a company’s oversight system.

Under our law, to establish liability for misstatements when the board is not

95 See AIG, 2009 WL 366613 at *21 (“Although these allegations are varied and far reaching, . . . these allegations are supported by the pled facts. For starters, the Complaint is not laden with such accusations against the D & O Defendants as a group; these group accusations are used sparingly.”).


seeking shareholder action, shareholder plaintiffs must show that the misstatement

was made knowingly or in bad faith. Additionally, even board members who are

experts are fully protected under § 141(e) in relying in good faith on the opinions

and statements of the corporation’s officers and employees who were responsible

for preparing the company’s financial statements. Plaintiffs’ allegations that the

members of the ARM Committee were financial experts and were aware of the

“red flags” alleged in the Complaint do not support a reasonable inference that the

director defendants’ reliance on the officers and experts who prepared the financial

statements was not in good faith.

Even accepting plaintiffs’ allegations as true, the Complaint fails to plead

with particularity facts that would lead to the reasonable inference that the director

defendants made or allowed to be made any false statements or material omissions

with knowledge or in bad faith. Accordingly, plaintiffs have failed to plead with

particularity facts creating a reasonable doubt that the director defendants face a

threat of personal liability that would render them incapable of exercising

independent and disinterested business judgment in responding to a demand.

Plaintiffs’ disclosure claims are therefore dismissed pursuant to Rule 23.1.

C. Demand Futility Allegations Regarding Plaintiffs’ Waste Claims

Count III of the Complaint alleges that certain of the defendants are liable

for waste for (1) approving the Letter Agreement dated November 4, 2007 between


Citigroup and defendant Prince; (2) allowing the Company to purchase over $2.7

billion in subprime loans from Accredited Home Lenders at one of its “fire sales”

in March 2007 and from Ameriquest Home Mortgage in September 2007; (3)

approving the buyback of over $645 million worth of the Company’s shares at

artificially inflated prices pursuant to a repurchase program in early 2007; and (4)

allowing the Company to invest in SIVs that were unable to pay off maturing

debt.96

96 Plaintiffs do not adequately plead that the asset purchases or the investments in SIVs were the result of board action rather than inaction. To establish demand futility in the absence of director action the Complaint would have to plead facts sufficient to create a reasonable doubt that the director defendants could exercise disinterested and independent business judgment in responding to a demand. It is not clear to the Court on exactly what theory plaintiffs believe that demand is excused for these allegations. Pls.’ Answering Br. at 56 nn.45-46. In any event, the Complaint does not properly allege demand futility as to these claims because it does not create a reasonable doubt that the director defendants would be unable to exercise disinterested and independent business judgment in responding to a demand. First, because plaintiffs have failed to adequately plead that the challenged asset purchases or investments in SIVs were the result of board action, the director defendants cannot possibly face a substantial likelihood of personal liability for these transactions. See Highland Legacy Ltd. v. Singer, C.A. No. 1566-N, 2006 WL 741939, at *7 (Del. Ch. Mar. 17, 2006) (“To excuse demand on the grounds of waste, the complaint must allege particularized facts sufficient to create a reasonable doubt that the board

authorized action on the corporation’s behalf on terms that no person of ordinary, sound business judgment could conclude represents a fair exchange.”) (emphasis added).

Second, and in the alternative, the director defendants do not face a substantial likelihood of personal liability for these claims because the Complaint is devoid of any allegation that would lead to the conclusion that allowing the Company to purchase these assets or invest in the SIVs constituted bad faith conduct by the director defendants. For similar reasons as I explained with regard to the Caremark claims, the alleged “red flags” are not sufficient to support an inference that the director defendants did not act in good faith by not preventing those charged with making business decisions for the Company from purchasing subprime assets or investing in the SIVs. That these investments turned out poorly for the Company is not evidence of bad faith conduct. The decision to purchase certain investment assets, or to allow others in the Company to purchase certain investment assets, is the essence of the business judgment of directors and officers. Additionally, the Complaint makes no factual allegation that the decision to invest in the subprime assets or the SIVs was of no value to the Company. As I have said numerous times now, judges are in no position to second guess well-informed business decisions


Demand futility is analyzed under Aronson when plaintiffs have challenged

board action or approval of a transaction. With regard to the claims based on the

approval of the Letter Agreement and the repurchase of Citigroup stock, plaintiffs

do not argue that a majority of the director defendants were not disinterested and

independent. Rather, plaintiffs argue that demand is excused under the second

prong of the Aronson analysis, which requires that the plaintiffs plead

particularized factual allegations that raise a reasonable doubt as to whether “the

challenged transaction was otherwise the product of a valid exercise of business

judgment.”97

Delaware law provides stringent requirements for a plaintiff to state a claim

for corporate waste, and to excuse demand on grounds of waste the Complaint

must allege particularized facts that lead to a reasonable inference that the director

defendants authorized “an exchange that is so one sided that no business person of

ordinary, sound judgment could conclude that the corporation has received

adequate consideration.”98 The test to show corporate waste is difficult for any

plaintiff to meet; indeed, “[t]o prevail on a waste claim . . . the plaintiff must

overcome the general presumption of good faith by showing that the board’s

made in good faith, and the allegations in the Complaint are not sufficient to suggest that the directors knowingly or in bad faith disregarded their duty to monitor. Accordingly, the claims for waste for the asset purchases and the investments in SIVs fail to properly plead demand futility pursuant to Rule 23.1.

97 Aronson, 473 A.2d at 814.

98 Brehm, 746 A.2d at 263 (quoting In re The Walt Disney Co. Derivative Litig., 731 A.2d 342, 362 (Del. Ch. 1998)); see Highland, 2006 WL 741939, at *7.


decision was so egregious or irrational that it could not have been based on a valid

assessment of the corporation’s best interests.”99

1. Approval of the Stock Repurchase Program

Plaintiffs’ claim for waste for the board’s approval of the stock repurchase

program falls far short of satisfying the standard for demand futility. Plaintiffs

allege that “in spite of its prior buybacks below $50 per share and in spite of the

Company’s expanding losses and declining stock price, Citigroup repurchased 12.1

million shares during the first quarter of 2007 at an average price of $53.37.”100

Plaintiffs then claim that at the time the buyback of Citigroup stock was halted, the

stock was trading at $46 per share. Plaintiffs conclude that the director defendants

“authorized and did not suspend the Company’s share repurchase program, which

resulted in the Company’s buying back over $645 million worth of the Company’s

shares at artificially inflated prices.”101

Specifically, plaintiffs argue the following:

As set forth in the Complaint, the Director Defendants recklessly failed to consider and account for the subprime lending crisis, the Company’s exposure to falling CDO values by virtue of its liquidity puts, and the collective impact on the Company’s billions in warehoused subprime loans. Consequently, the Director Defendants are not entitled to the presumption of business judgment and are liable for waste for approving the buyback of over $645 million worth of the Company’s shares at artificially inflated prices pursuant to the

99 White v. Panic, 783 A.2d 543, 554 n.36 (Del. 2001).

100 Pls.’ Answering Br. at 61.

101 Id.


repurchase program. Under the circumstances, the repurchase program should have been suspended, and would have saved the Company hundreds of millions of dollars. The magnitude of the Director Defendants’ utter failure to properly inform themselves of the Company’s dire straits has only been highlighted by the Company’s recent historically low share prices.102

To say the least, this argument demonstrates that the Complaint utterly fails to state

a claim for waste for the board’s approval of the stock repurchase. Plaintiffs seem

to completely ignore the standard governing corporate waste under Delaware

law—a standard that requires that plaintiffs plead facts overcoming the

presumption of good faith by showing “an exchange that is so one sided that no

business person of ordinary, sound judgment could conclude that the corporation

has received adequate consideration.”103 Plaintiffs attempted to meet this standard

by alleging that the director defendants approved a repurchase of Citigroup stock

at the market price. Other than a conclusory allegation, plaintiffs have alleged

nothing that would explain how buying stock at the market price—the price at

which presumably ordinary and rational businesspeople were trading the stock—

could possibly be so one sided that no reasonable and ordinary business person

would consider it adequate consideration. Again, plaintiffs merely allege “red

flags” and then conclude that the board is liable for waste because Citigroup

repurchased its stock before the stock dropped in price as a result of Citigroup’s

102 Id. (citation omitted).

103 Brehm, 746 A.2d at 263 (quoting Disney, 731 A.2d at 362).


losses from exposure to the subprime market. In short, the Complaint states no particularized facts that would lead to any inference that the board’s approval of the stock repurchase constituted corporate waste. Accordingly, plaintiffs have not adequately alleged demand futility as to this claim pursuant to Rule 23.1.

2. Approval of the Letter Agreement

Plaintiffs allege that the board’s approval of the November 4, 2007 letter agreement constituted corporate waste. Because approval of the letter was board action, demand is evaluated under the Aronson standard. Plaintiffs claim that demand is excused under the second prong of Aronson because the particularized factual allegations in the Complaint raise a reasonable doubt as to whether the approval was “the product of a valid exercise of business judgment.”104

The directors of a Delaware corporation have the authority and broad discretion to make executive compensation decisions. The standard under which the Court evaluates a waste claim is whether there was “an exchange of corporate assets for consideration so disproportionately small as to lie beyond the range at which any reasonable person might be willing to trade.”105 It is also well settled in our law, however, that the discretion of directors in setting executive compensation is not unlimited. Indeed, the Delaware Supreme Court was clear when it stated that “there is an outer limit” to the board’s discretion to set executive

104 Aronson, 473 A.2d at 814.

105 Brehm, 746 A.2d at 263.


compensation, “at which point a decision of the directors on executive compensation is so disproportionately large as to be unconscionable and constitute waste.”106

According to plaintiffs’ allegations, the November 4, 2007 letter agreement provides that Prince will receive $68 million upon his departure from Citigroup, including bonus, salary, and accumulated stockholdings.107 Additionally, the letter agreement provides that Prince will receive from Citigroup an office, an administrative assistant, and a car and driver for the lesser of five years or until he commences full time employment with another employer.108 Plaintiffs allege that this compensation package constituted waste and met the “so one sided” standard because, in part, the Company paid the multi-million dollar compensation package to a departing CEO whose failures as CEO were allegedly responsible, in part, for billions of dollars of losses at Citigroup. In exchange for the multi-million dollar benefits and perquisites package provided for in the letter agreement, the letter agreement contemplated that Prince would sign a non-compete agreement, a non-disparagement agreement, a non-solicitation agreement, and a release of claims

106 Id. at 262 n.56 (citing Saxe v. Brady, 184 A.2d 602, 610 (Del. Ch. 1962)); see Grimes v. Donald, 673 A.2d 1207, 1215 (Del. 1996).

107 Compl. ¶ 122; Pls.’ Answering Br. at 57-58.

108 Compl. ¶ 124.


against the Company.109 Even considering the text of the letter agreement, I am left with very little information regarding (1) how much additional compensation Prince actually received as a result of the letter agreement and (2) the real value, if any, of the various promises given by Prince. Without more information and taking, as I am required, plaintiffs’ well pleaded allegations as true, there is a reasonable doubt as to whether the letter agreement meets the admittedly stringent “so one sided” standard or whether the letter agreement awarded compensation that is beyond the “outer limit” described by the Delaware Supreme Court. Accordingly, the Complaint has adequately alleged, pursuant to Rule 23.1, that demand is excused with regard to the waste claim based on the board’s approval of Prince’s compensation under the letter agreement.

D. The Motion to Dismiss under Rule 12(b)(6)

The only claim as to which plaintiffs adequately pleaded demand futility is the claim for corporate waste for the board’s approval of the letter agreement granting a multi-million dollar compensation package to Prince upon his departure as Citigroup’s CEO. When considering a motion to dismiss for failure to state a claim under Rule 12(b)(6), the Court is required to accept as true all well-pleaded factual allegations in the complaint and make all reasonable inferences that

109 The Court takes judicial notice of the letter agreement, a publicly available document that was integral to plaintiffs’ waste claim and incorporated into the Complaint. See Vanderbilt Income & Growth Assocs., L.L.C. v. Arvida/JMB Managers, Inc., 691 A.2d 609, 613 (Del. 1996).


logically flow from the face of the complaint in the plaintiff’s favor.110 The Court can only dismiss the complaint if it “determines with ‘reasonable certainty’ that the plaintiff could prevail on no set of facts that may be inferred from the well-pleaded allegations in the complaint.”111

The standard for pleading demand futility under Rule 23.1 is more stringent than the standard under Rule 12(b)(6), and “a complaint that survives a motion to dismiss pursuant to Rule 23.1 will also survive a 12(b)(6) motion to dismiss, assuming that it otherwise contains sufficient facts to state a cognizable claim.”112 Accordingly, for the same reasons stated in the demand futility analysis, the Complaint contains well-pleaded factual allegations regarding the claim for waste for the approval of the Prince letter agreement that make it impossible for me to conclude with reasonable certainty that the plaintiff could prevail on no set of facts that could be reasonably inferred from the allegations in the Complaint.113

IV. CONCLUSION

Citigroup has suffered staggering losses, in part, as a result of the recent problems in the United States economy, particularly those in the subprime

110 See Malpiede v. Townson, 780 A.2d 1075, 1082-83 (Del. 2001).

111 Id.

112 McPadden v. Sidhu, C.A. No. 3310-CC, 2008 WL 4017052, at *7 (Del. Ch. Aug. 29, 2008).

113 I am also not convinced that defendants would be exculpated under Citigroup’s certificate for committing waste. See In re Walt Disney Co. Derivative Litig., 907 A.2d 693, 749 (Del. Ch. 2005) (“The Delaware Supreme Court has implicitly held that committing waste is an act of bad faith.”) (citing White v. Panic, 783 A.2d 543, 553-55 (Del. 2001)).


mortgage market. It is understandable that investors, and others, want to find someone to hold responsible for these losses, and it is often difficult to distinguish between a desire to blame someone and a desire to force those responsible to account for their wrongdoing. Our law, fortunately, provides guidance for precisely these situations in the form of doctrines governing the duties owed by officers and directors of Delaware corporations. This law has been refined over hundreds of years, which no doubt included many crises, and we must not let our desire to blame someone for our losses make us lose sight of the purpose of our law. Ultimately, the discretion granted directors and managers allows them to maximize shareholder value in the long term by taking risks without the debilitating fear that they will be held personally liable if the company experiences losses. This doctrine also means, however, that when the company suffers losses, shareholders may not be able to hold the directors personally liable.

For the foregoing reasons, the motion to dismiss or stay in favor of the New York Action is denied. Defendants’ motion to dismiss is denied as to the claim in Count III of the Complaint for waste for approval of the November 4, 2007 Prince letter agreement. All other claims in the complaint are dismissed for failure to adequately plead demand futility pursuant to Court of Chancery Rule 23.1.

An Order has been entered consistent with this Opinion.
