PROFESSOR JOAN MACLEOD HEMINWAY is the College of Law Distinguished Professor of Law at The University of Tennessee College of Law and a Fellow of The University of Tennessee Corporate Governance Center, The University of Tennessee Center for Business and Economic Research, and The University of Tennessee Center for the Study of Social Justice. Professor Heminway’s scholarship focuses on securities disclosure law and policy and related matters (especially under Rule 10b-5) and corporate governance issues under federal and state law. She regularly teaches business law courses in The University of Tennessee College of Law’s James L. Clayton Center for Entrepreneurial Law. Before starting her teaching career in 2000, Professor Heminway spent fifteen years practicing mergers and acquisitions and securities law in the Boston office of Skadden, Arps, Slate, Meagher & Flom LLP. She has served as an expert witness and consultant on corporate finance and securities law matters and is a frequent continuing legal education presenter on business law issues. She serves on the Executive Committee of the Business Law Section of the Tennessee Bar Association. Professor Heminway also is a member of the American Law Institute and the Hamilton Burnett Chapter of the American Inns of Court.
PROFESSOR ROBERTA S. KARMEL is Centennial Professor of Law at Brooklyn Law School. Professor Karmel's area of expertise is international and domestic securities regulation. She is widely called upon to teach and lecture all over the world on this subject. She is a former Commissioner of the Securities and Exchange Commission, a Public Director of the New York Stock Exchange, and was in private practice for 30 years. She was also a Fulbright Scholar studying the harmonization of the securities laws in the European Union. Professor Karmel is the author of Regulation by Prosecution: The Securities and Exchange Commission Versus Corporate America, and has widely published articles on securities regulation and international securities law in dozens of law reviews and journals. She also authors a monthly column, "Securities Regulation," that appears in the New York Law Journal. Professor Karmel is a trustee of the Practising Law Institute, a member of the American Law Institute, and a Fellow of the American Bar Foundation. She also serves on the ABA's Presidential Task Force on Financial Markets Regulatory Reform. She previously served as a director of the New York Chapter of the National Association of Corporate Directors and was the Vice-Chair of the International Coordinating Committee of the American Bar Association Business Law Section.
“Wake Up Calls or Snooze Alarms” Speaker Biographies Page 2 of 2
VINCENT I. POLLEY is President of KnowConnect PLLC (www.knowconnect.com), providing consulting services on information policy and knowledge management processes. Earlier, Polley was a partner at Dickinson Wright PLLC chairing the Information Technology & Security Law practice group, and the Deputy General Counsel of Schlumberger Limited. Polley is Chair of the ABA’s Standing Committee on Technology & Information Systems. He was co-chair of the ABA Commission on Second Season of Service, and served on the Advisory Commission for the ABA World Justice Project, the Council of the ABA’s Section of Business Law, and the Standing Committee on Law & National Security. He is the past chair of the ABA’s Cyberspace Law Committee, and the co-author of the book “Employee Use of the Internet and E-Mail” (ABA Press, 2002). Since 1997 Polley has published MIRLN, a monthly e-newsletter on IT related legal news. Mr. Polley was a founding member of the Internet Law & Policy Forum, and is a Life Fellow of the American Bar Foundation, an arbitrator on the AAA’s Commercial Panel, and a member of the American Law Institute. A graduate of Harvard College (mathematics), Mr. Polley received his law degree from the University of Michigan.
HARVEY RISHIKOF is chair of the ABA Standing Committee on Law and National Security, www.abnet.org/natsecurity. Rishikof is a professor of law and national security, and former chair of the department of National Security Strategy at the National War College in Washington, DC. He was a tutor in Social Studies at Harvard University, a federal law clerk in the Third Circuit, an associate at Hale and Dorr, a Supreme Court Judicial Fellow, AA to the Chief Justice of the United States, legal counsel to the Deputy Director of the FBI, and Dean of a law school. He has been a consultant for the World Bank, USAID, and national intelligence. Rishikof has written numerous law review articles, chapters and monographs. His latest forthcoming co-edited book with Georgetown press is, Navigating the Labyrinth - the National Security Enterprise. Rishikof is a member of the Council on Foreign Relations, the American Law Institute and is on the Advisory Board for Harvard’s National Security Law Journal.
ROLAND L. TROPE is a partner in the New York offices of Trope and Schramm LLP and an Adjunct Professor in the Department of Law, United States Military Academy at West Point. Mr. Trope’s expertise is in cross-border legal transactions representing governments and multi-national corporate clients. He advises on government procurements, regulatory compliance in cross-border transactions, licensing of technology and intellectual property, cyberspace law, and ethical issues in the use of digital technologies. He is the co-author of two books published by the American Bar Association – a treatise, CHECKPOINTS IN CYBERSPACE: BEST PRACTICES FOR AVERTING LIABILITY IN CROSS-BORDER TRANSACTIONS; and SAILING IN DANGEROUS WATERS: A DIRECTOR’S GUIDE TO DATA GOVERNANCE – and numerous articles in professional journals and magazines. He serves on the Supervisory Board of IEEE Security & Privacy magazine. He earned a J.D. from the Yale Law School, a B.A. and M.A. from Oxford University (where he was a Marshall Scholar and Danforth Fellow), and a B.A. from the University of Southern California. He is currently co-authoring a book on the professional ethical challenges of Web 2.0 and cloud computing.
OUTLINE FOR PANEL ON WAKE UP CALLS OR SNOOZE ALARMS: Are Recent
CyberSecurity Regulations Giving Birth to Cyber-Fiduciary Duties?
BY ROBERTA S. KARMEL, CENTENNIAL PROFESSOR, BROOKLYN LAW SCHOOL
AND IRENE TAN, RESEARCH ASSISTANT TO PROF. KARMEL
This Outline analyzes the developing duties of the board of directors of public companies and
financial institutions with regard to cyber security. In particular, this outline focuses on federal laws
and regulations applicable to financial institutions and public corporations, specifically, the Gramm-
Leach-Bliley Act and Sarbanes-Oxley Act, which require the board of directors or senior executives to
certify to or approve of security programs, as well as state law where courts have held that the board of
directors has a fiduciary duty to ensure the corporation has adequate security programs. Lastly, this
outline briefly discusses industry support from high-level groups like the Business Roundtable and the
Corporate Governance Task Force for top-level review of information security programs.
I. Relevant Statutes
A. Gramm-Leach-Bliley Act (15 U.S.C. § 6801-6809 (1999))
The Gramm-Leach-Bliley Act (“GLBA”) is the federal statute that governs a financial
institution’s1 retention, use, and disclosure of customers’ personal financial information.2 Section 6801
imposes a financial institution’s privacy obligations to its customers, and requires financial institutions
1 Financial institution is broadly defined, and includes banks, securities firms, insurance companies, and companies that provide other financial services to consumers. 15 U.S.C. § 6801.
2 See 15 U.S.C. § 6801-6809.
to establish appropriate standards to safeguard such information.3 Section 6802 imposes obligations
concerning the disclosures of customers’ personal financial information.4 Section 6803 relates to the
disclosure of institutional privacy policy.5 Section 6804 delegates rulemaking authority to the Federal
banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the
Securities and Exchange Commission, and the Federal Trade Commission.6 Section 6805 entrusts
enforcement of GLBA privacy rules to the Federal Trade Commission.7
While the GLBA requires financial institutions to safeguard customer information, it does not
specify guidelines for securing customers’ personal financial information. Therefore, pursuant to
Section 501 of the GLBA, member agencies of the Federal Financial Institutions Examination Council
(“FFIEC”)8 published the Interagency Guidelines Establishing Information Security Standards
(“Guidelines”).9 The Guidelines establish standards for safeguarding customer information for
financial institutions “subject to their respective jurisdictions relating to administrative, technical, and
physical safeguards for customer records and information.”10
The Guidelines require that all institutions covered under the GLBA establish an information
security program that: “(1) identif[ies] and assess[es] the risks that may threaten customer information;
(2) develop[s] a written plan containing policies and procedures to manage and control these risks; (3)
implement[s] and test[s] the plan; and (4) adjust[s] the plan on a continuing basis to account for
3 15 U.S.C. § 6801.
4 15 U.S.C. § 6802.
5 15 U.S.C. § 6803.
6 15 U.S.C. § 6804.
7 15 U.S.C. § 6805.
8 The FFIEC agencies consist of the following: Board of Governors of the Federal Reserve System (Federal Reserve Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS). Federal Financial Institutions Examination Council (FFIEC), Information Security: IT Examination Handbook (July 2006).
9 Federal Financial Institutions Examination Council (FFIEC), Information Security: IT Examination Handbook (July 2006).
10 12 C.F.R. § 30 (2005).
changes in technology, the sensitivity of customer information, and internal or external threats to
information security.”11 Significantly, pursuant to the Guidelines, the board of directors of a financial
institution is required to be involved in the governance of information security by: “(1) approv[ing] the
[institution’s] written information security program; and (2) oversee[ing] the development,
implementation, and maintenance of the bank’s information security program, including assigning
specific responsibility for its implementation and reviewing reports from management.”12 Although
financial institutions must obtain board approval of their security programs,13 the Guidelines permit the
board to delegate specific implementation responsibilities to a committee or an individual.14
Accordingly, the term “oversee” is meant to convey a board’s supervisory responsibilities, and not
day-to-day monitoring of any aspect of an information security program.15
In assessing risks that may threaten customer information, a financial institution must (1)
identify reasonably foreseeable internal and external threats that could result in unauthorized
disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity
of customer information; and (3) assess the sufficiency of policies, procedures, customer information
systems, and other arrangements in place to control risks.16 After the institution has assessed the risks
posed to customer information, it must take steps to manage and control risks by: (1) designing its
information security program to control the identified risks; (2) training staff to implement the
institution’s information security program; (3) regularly testing the key controls, systems and procedures
of the information security program; and (4) developing, implementing, and maintaining as part of its
11 Id.
12 Id.
13 Id.
14 12 C.F.R. § 30 (2005).
15 Id.
16 Id.
program appropriate measures to properly dispose of customer information.17 In addition, the
institution must continually adjust the program when circumstances change.18 Lastly, the financial
institution must annually report to its board the status of the institution’s information security program
and its compliance with the Guidelines.19
B. Sarbanes-Oxley Act (Pub. L. No. 107-204, 116 Stat. 745 (2002))
The Sarbanes-Oxley Act (“SOX”) requires that management have certain controls in place for
proper financial reporting.20 In particular, section 404 of SOX requires that management establish and
maintain adequate internal control over financial reporting and report annually on its effectiveness,
an assessment that is subject to attestation by the company’s outside auditor. While SOX does not address information security directly, the requirement that
management have certain controls requires an adequate information security system.21 In 2007, the
Securities and Exchange Commission (“SEC”) published a report, Commission Guidance Regarding
Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of
the Securities Exchange Act of 1934, which explained how section 404 should be interpreted.22
According to the report, SOX addresses information security in two ways: (1) by requiring the
establishment of information security processes and audit procedures to protect corporate information;
and (2) through accurately reflecting the diminished value of intangible assets because of a security
failure or breach, which would include breaches involving private information.23 While the focus of the
17 Id.
18 Id.
19 Id.
20 The Sarbanes-Oxley Act, Pub. L. No. 107-204, 116 Stat. 745 (2002).
21 John B. Kennedy, A Primer on Key Information Security Laws in the United States, 934 PLI/Pat 117, 172, Practising Law Institute (June-July 2008).
22 Securities and Exchange Commission, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06 (June 20, 2007).
23 Jeffrey Taft, Privacy and Data Security in Service Provider Arrangements: Recent Developments, 935 PLI/Pat 485, 498,
SOX requirements is on data security as it affects financial statements, it is possible that a security
breach involving private information could lead to a conclusion that adequate security and internal
controls have not been established.24
C. FTC Enforcement Actions
Under section 5(a) of the FTC Act, a “fail[ure] to employ reasonable and appropriate security
measures to protect [consumer] information” is an unfair practice.25 “The FTC has repeatedly cited
four to five specific types of lax information security in their filed complaints,” which are: (1) “[e]asy
network access – failing to limit wireless access to their networks, and/or failing to limit their
networked computers’ access to each other and the Internet”; (2) “[n]o breach detection – failing to
employ sufficient measures to detect unauthorized access to personal information or to conduct
security investigations”; (3) “[u]nnecessary storage – creating unnecessary risks to the information by
storing it, often when they no longer had a business need to keep the information”; (4) “[w]eak
encryption/passwords – storing and/or transmitting information in an unencrypted format, or using
weak/commonly known user IDs and passwords, to protect information stored on their networks”; and
(5) “[i]nadequate defense to known attacks – failing to adequately assess the vulnerability of [their]
computer network to commonly known or reasonably foreseeable attacks, including ‘Structured Query
Language’ injection attacks, and not implement[ing] low-cost, and readily available defenses to such
attacks.”26 In security breach cases, the FTC’s consent agreements require alleged violators to take
23 (cont.) Practising Law Institute (June-July 2008); see also Securities and Exchange Commission, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06 (June 20, 2007).
24 Id.
25 Jeffrey Taft, Privacy and Data Security in Service Provider Arrangements: Recent Developments, 935 PLI/Pat 485, 498, Practising Law Institute (June-July 2008) (citing Analysis of Proposed Consent Order to Aid Public Comment, DSW Inc., 70 Fed. Reg. 73474 (2005)).
26 Jeffrey Taft, Privacy and Data Security in Service Provider Arrangements: Recent Developments, 935 PLI/Pat 485, 499, Practising Law Institute (June-July 2008) (internal citations removed).
three types of action: (1) security program; (2) auditing and assessment; and (3) compliance and
reporting.27
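Items (4) and (5) of the FTC list above are the two that name a concrete technical failing: passwords kept in the clear, and SQL injection left open when a cheap, well-known defense exists. The following Python is added here as an illustration; it is not from the original outline or from any FTC filing. It puts both defects side by side in a single login routine and then shows the "low-cost, readily available" fixes: binding query parameters rather than formatting strings, and storing a salted PBKDF2 hash rather than the password. The users table, the account name and password, and the injection payload are all constructed for the example and assume nothing about any real institution.

```python
"""
Added illustration (not part of the original outline): the two FTC complaint
patterns "weak encryption/passwords" and "inadequate defense to known attacks"
(SQL injection) in one login routine, beside the standard fixes. Runs against
an in-memory SQLite database; all data below is constructed for the example.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account (hypothetical credentials, not from the page).
SEED_USERNAME = "alice"
SEED_PASSWORD = "s3cret-pass"

# Work factor for PBKDF2; high enough that offline guessing is expensive.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. A leaked hash is useless without the salt
    and a large amount of computation per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed tables: one that stores the
    password in the clear (FTC item 4) and one that stores only a random salt
    and the PBKDF2 hash of the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (SEED_USERNAME, SEED_PASSWORD))
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_hashed VALUES (?, ?, ?)",
        (SEED_USERNAME, salt, hash_password(SEED_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Both problems at once: the plaintext password is compared inside SQL
    that is assembled by string formatting, so whatever the user types is
    parsed as part of the query (FTC item 5)."""
    sql = (
        "SELECT username FROM users_plain "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup (the driver binds the value, so it can never be
    parsed as SQL) followed by a constant-time comparison against the stored
    salted hash. The password itself is never written to the database."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# A classic payload: the quote closes the username literal, OR '1'='1' makes the
# WHERE clause always true, and "--" comments out the password check entirely.
INJECTION_USERNAME = "admin' OR '1'='1' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real credentials:", login_vulnerable(conn, SEED_USERNAME, SEED_PASSWORD))
    print("vulnerable, injection       :", login_vulnerable(conn, INJECTION_USERNAME, "x"))
    print("hardened,   real credentials:", login_hardened(conn, SEED_USERNAME, SEED_PASSWORD))
    print("hardened,   injection       :", login_hardened(conn, INJECTION_USERNAME, "x"))
```

Run as a script, the vulnerable routine accepts the payload with any password because the injected quote and `--` comment turn the password check into dead text; the hardened routine rejects it because a bound parameter is data and is never parsed as SQL. One caveat on the demonstration itself: SQLite's `execute()` refuses stacked statements, so a `'; DROP TABLE users_plain; --` payload raises an error here rather than succeeding, while drivers that accept several statements per call give no such protection. Parameterization, not a driver quirk, is the control to rely on.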
II. Relevant Case Law
A. General fiduciary duty
1. Caremark International – This case involved the approval of a settlement of a
derivative action by shareholders alleging that members of the corporation’s board
of directors breached their fiduciary duty of care to the corporation when Caremark
employees allegedly violated federal and state laws and regulations applicable to
health care providers.28 The Delaware Court of Chancery held that the board of
directors had a fiduciary duty to ensure that the corporation has an adequate
information system.29 Boards must assure themselves that information and reporting
systems exist in the organization that are reasonably designed to provide to senior
management and to the board itself timely, accurate information sufficient to allow
management and the board to reach informed judgments concerning both the
corporation’s compliance with the law and its business performance.
2. Stone v. Ritter – This case was an appeal from the dismissal of a derivative action
by shareholders of AmSouth Bancorporation for failure to make demand. AmSouth had
disclosed that it had paid $50 million in fines and civil penalties for
27 Id. (internal citations removed).
28 In re Caremark Int'l Deriv. Litig., 698 A.2d 959, 960 (Del. Ch. 1996). “It is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.” Id. at 970.
29 “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In re Caremark Int'l Deriv. Litig., 698 A.2d 959, 978 (Del. Ch. 1996).
violating the federal Bank Secrecy Act.30 AmSouth shareholders alleged that the
directors breached their fiduciary duty by failing to implement any statutorily
required monitoring, reporting, or information controls that would have enabled
them to learn of the problems beforehand.31 AmSouth had a provision in its
certificate of incorporation exculpating directors for breach of the duty of care. But
according to the Delaware Supreme Court this provision could not exculpate
directors from conduct not in good faith or a breach of the duty of loyalty. The court
interpreted Caremark as establishing liability for lack of director oversight if: (a) the
directors utterly failed to implement any reporting or information system or
controls; or (b) having implemented such a system or controls, they consciously
failed to monitor or oversee its operations.32 The court affirmed the dismissal of the
complaint because AmSouth had a compliance program designed to permit the
directors to periodically monitor compliance and the board did so.
3. Guin v. Brazos Higher Education Service – Plaintiff Guin alleged that defendant
Brazos Higher Education Service breached its fiduciary duty imposed by the GLBA
by (1) “providing Wright with [personal information] that he did not need for the
task at hand,” (2) “permitting Wright to continue keeping [personal information] in
an unattended, insecure personal residence,” and (3) “allowing Wright to keep
[personal information] on his laptop unencrypted.”33 The court held that the duty to
provide reasonable security had been satisfied where the defendant had
implemented the proper safeguards as required by GLBA, including “written
30 Stone v. Ritter, 911 A.2d 362, 362 (Del. 2006).
31 Id. at 364.
32 Id. at 365.
33 Guin v. Brazos Higher Education Service, 2006 U.S. Dist. Lexis 4846, at 10 (D. Minn. 2006) (citing Mem. in Opp’n at 10).
security policies, current risk assessment reports, and proper safeguards for its
customers’ personal information as required by the GLB Act.”34
B. Other cases of possible interest
1. Kahle v. Litton Loan Servicing L.P. – Plaintiff Kahle alleged that defendant Litton
Loan Servicing L.P. was negligent in protecting the plaintiff’s personal information.35
While it was clear that the defendant breached its duty of care to the plaintiff,36 the
court held that the cost of enrolling in a credit protection program due to a fear of
identity theft did not constitute a sufficient damage to support a negligence claim
arising from a data breach incident.37
2. Pisciotta v. Old Nat’l Bancorp – Plaintiffs Pisciotta and Mills alleged that defendant
Old Nat’l Bancorp failed to adequately protect customers’ personal financial
information.38 While the Indiana legislature had passed a statute, I.C. § 24-4.9 et seq., which
“creates certain duties when a database in which personal data, electronically stored by
private entities or state agencies, potentially has been accessed by unauthorized third
parties,” this was not in effect at the time plaintiffs brought their claim.39 The court
affirmed the lower court’s decision, which granted defendant’s motion for judgment on
the pleadings, reasoning that costs for credit monitoring, to guard against some future,
anticipated harm, are not compensable injuries under Indiana law.40
3. Bell v. Mich. Council 25 – Plaintiffs were employees of the City of Detroit, and
34 Guin v. Brazos Higher Education Service, 2006 U.S. Dist. Lexis 4846, at 10-11 (D. Minn. 2006).
35 Kahle v. Litton Loan Servicing L.P., 486 F.Supp.2d 705, 706 (S.D. Ohio 2007).
36 Id. at 708.
37 Id. at 713.
38 Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007).
39 Id. at 636.
40 Id. at 639-640.
they all suffered from identity theft.41 The plaintiffs filed suit against defendants
Michigan Council 25, alleging that the Union was liable for not safeguarding their
personnel information and that this negligence facilitated the identity theft
perpetrated by a third party.42 The Michigan appeals court found that a fiduciary
duty exists in a union-union member relationship.43 In addition, the court held that
the Union had a duty to protect an information system from reasonably foreseeable
breaches, and that the union was negligent in not doing so.44
III. Industry Support
High-level groups such as Business Roundtable and the Corporate Governance Task Force of
the National Cyber Security Partnership advocate CEO attention and board review on the issue of
cyber security.45 Business Roundtable is an association of 160 CEOs of the nation’s leading
companies.46 In 2005, Business Roundtable published a guide,47 Committed to Protecting America:
CEO Guide to Security Challenges, which specifically addressed the topic of cyber security, and
“focuse[d] on assisting the CEO in managing the strategic risks that arise from dependency on IT
systems and networks.”48 In its guide, the Business Roundtable recommended the following seven
principles for securing cyberspace:
(1) Information security requires CEO attention in their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology;
(2) Boards of directors should consider information security an essential element of corporate governance and a top priority for board review;
(3) IT suppliers and end-users of these products and services have a shared responsibility for improving cyberspace security;
(4) The federal government plays an important collaborative role in information security and can assist the private sector response by sharing information about threats and vulnerabilities, helping companies overcome legal barriers, and encouraging appropriate corporate actions;
(5) Public policy initiatives on cyber security should take a balanced and comprehensive approach that reflects the shared responsibility of end-users and IT suppliers;
(6) Market solutions to cyber security are to be preferred over statutory and regulatory mandates; and
(7) Public disclosure of corporate information security practices should be voluntary, not mandatory.49
41 Bell v. Mich. Council 25, 2005 Mich. App. Lexis 353, at 1 (Dec. 28, 2005). This is an unpublished opinion. In accordance with Michigan Court of Appeals rules, unpublished opinions are not precedentially binding under the rules of stare decisis.
42 Id.
43 Id. at 16.
44 Id. at 11.
45 Business Roundtable, Committed to Protecting America: CEO Guide to Security Challenges (Feb. 2005). “To better secure its information systems and strengthen America’s homeland security, the private sector should incorporate information security into its corporate governance efforts.” The Corporate Governance Task Force, Information Security Governance: A Call to Action (April 2004).
46 Business Roundtable, Press Releases, http://www.businessroundtable.org/node/2803 (last visited June 22, 2010).
47 The guide is a “compilation of best management practices and key security lessons learned by CEOs who are facing new and evolving security threats.”
48 Business Roundtable, Committed to Protecting America: CEO Guide to Security Challenges (Feb. 2005).
The Corporate Governance Task Force of the National Cyber Security Partnership50 was
“formed in December 2003 to develop and promote a coherent governance framework to drive
implementation of effective information security programs.”51 In 2004, the Corporate Governance
Task Force published a report recommending a “comprehensive governance framework to
guide implementation of effective information security programs,” and a “call to action to industry,
non-profits and educational institutions, challenging them to integrate effective information security
governance (ISG) programs into their corporate governance processes.”52 The report makes the
following recommendations to CEOs, boards of directors, and the government: (1) “[o]rganizations should adopt
the [Corporate Governance Task Force Report] information security governance framework . . . to
embed cyber security into their corporate governance process”; (2) “[o]rganizations should signal their
commitment to information security governance by stating on their Web site that they intend to use the
tools developed by the Corporate Governance Task Force to assess their performance and report the
49 Business Roundtable, Committed to Protecting America: CEO Guide to Security Challenges (Feb. 2005) (citing Business Roundtable, Securing Cyberspace: Business Roundtable’s Framework for the Future (May 2005)).
50 “The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts.” National Cyber Security Partnership (NCSP), Overview, http://www.cyberpartnership.org/about-overview.html.
51 The Corporate Governance Task Force, Information Security Governance: A Call to Action (April 2004).
52 The National Cyber Security Partnership, Press Releases, Corporate Governance Task Force of the National Cyber Security Partnership Releases Industry Framework (April 12, 2004).
results to their board of directors”; (3) “[a]ll organizations represented on the Corporate Governance
Task Force should signal their commitment to information security governance by voluntarily posting
a statement on their website . . . .”; (4) “[t]he Department of Homeland Security should endorse the
information security governance framework and core set of principles outlined in this report, and
encourage the private sector to make cyber security part of its corporate governance efforts”; (5) “[t]he
Committee of Sponsoring Organizations of the Treadway Commission (COSO)53 should revise the
Internal Controls-Integrated Framework so that it explicitly addresses information security
governance”.54
53 “COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.” Committee of Sponsoring Organizations of the Treadway Commission, About Us, http://www.coso.org/aboutus.htm (last visited June 22, 2010). The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Id.
54 The Corporate Governance Task Force, Information Security Governance: A Call to Action (April 2004).
Outline for Panel on
Wake Up Call or Snooze Alarms: Are the Emerging Regulations for Cyber Security Giving Birth to a Cyber Fiduciary Duty? †
By Roland L. Trope1
This outline will describe two developments that are relevant to a board of directors’
evolving duty with respect to their company’s cyber security. First, we consider the emerging
threats to the cyber security of companies whose major assets are increasingly concentrated in
sensitive information that is created, processed, stored and transmitted in digital form. Once
stored on computers, such data becomes increasingly vulnerable to unauthorized access,
contamination, corruption, and misuse as the nature of cyber threats continues to evolve and
outpaces the ability of companies to avert such risks. With the advent of cloud computing, the
companies that make the transition from data processed and stored on their own premises to
data outsourced to a cloud for processing and storage will likely face additional threats to the
cyber security of their sensitive data.
Second, we will review examples of federal laws and regulations that set standards for a subject company’s cyber security. The regulations apply to financial institutions, health care companies, defense and aerospace firms, and nuclear power plants. Our interest will be in the varying extents to which such regulations require companies to develop enhanced cyber security and the extent to which compliance with such regulations expressly requires involvement by the regulated company’s Board of Directors.
I. Emerging Threats to Corporate Cyber Security. A decade ago, most cyber threats
took the form of viruses that hackers developed and released into the “wild” and that infected
† © Copyright 2010 Roland L. Trope. All rights reserved.
Disclaimer: The views expressed in this outline are solely those of the author and have not been approved by, and should not be attributed to, the United States Military Academy at West Point, the U.S. Department of Defense, or the U.S. Government.
1 Partner in the New York offices of Trope and Schramm LLP and Adjunct Professor, Department of Law, United States Military Academy at West Point. He can be contacted at [e-mail address illegible in source].
Outline for CLE Panel on “Wake Up Calls or Snooze Alarms” Page 2 of 9
and damaged computers when a user opened an email attachment containing the malware.
The risk was random. Hackers were predominantly operating independently. Since then, cyber
risks have evolved:
“Over the past 10 years, the cyber threat has grown increasingly serious… A decade ago, a cyber attack typically meant that Web pages were defaced. Today, botnet attacks can disrupt the operation of government ministries and shut down financial institutions.”2
The risk is now much more focused. Governments and companies tend to be high-profile targets. Political and corporate espionage rely increasingly on cyber-attacks to obtain targeted information. Instead of independent hackers releasing viruses for random effect, the attacks are organized and controlled by highly trained teams of government personnel, government-sponsored “patriotic hackers”, and corporate cyber teams. The attacks are frequent, and they take place continuously. In a recent issue, The Economist described the emerging cyber risks as follows:
“[T]he spread of digital technology comes at a cost: it exposes armies and societies to digital attack. The threat is complex, multifaceted and potentially very dangerous. Modern societies are ever more reliant on computer systems linked to the internet, giving enemies more avenues of attacks. If power stations, refineries, banks and air-traffic-control systems were brought down, people would lose their lives. … [M]ost [experts] agree that infiltrating networks is pretty easy for those who have the will, means and the time to spare. Governments know this because they are such enthusiastic hackers themselves. Spies frequently break into computer systems to steal information by the warehouse load, whether it’s from Google or defence contractors. Penetrating networks to damage them is not much harder.”3
Financial losses to cyber crime in the United States now reportedly exceed $1 trillion
annually.4 Nonetheless, the United States and U.S. companies increasingly rely on the Internet
and on storing and processing data that can be accessed wirelessly via the Internet in third
party operated cloud-computing servers. As a result, as the cyber threats become more potent,
2 William Matthews, “General: Cybersecurity Equals U.S. National Security,” DEFENSENEWS, June 28, 2010, p. 40.
3 “Cyberwar: The threat from the Internet,” THE ECONOMIST, July 1, 2010, accessed at [URL illegible in source].
4 William Matthews, “Cyber Conflict Embroils U.S. Industry, Government,” DEFENSENEWS, May 31, 2010, p. 11.
U.S. companies may be at risk of becoming more vulnerable through their increased reliance on
Internet and cloud based communications.
In addition, the most cyber-sophisticated companies repeatedly experience data
breaches that would seem to suggest that cyber-security remains a challenge for companies.
Recent examples include the following:
• In June 2009, Research In Motion (“RIM”), the manufacturer of the BlackBerry,
sent out a warning to subscribers in the United Arab Emirates to remove a software
“upgrade” that many had downloaded and installed on the instructions of the UAE’s
largest telecommunications operator, Etisalat. Etisalat had instructed its 145,000
BlackBerry customers to upgrade their BlackBerry software by downloading a “patch”
that the company represented would improve the device’s performance. However, the
“patch” included a spyware file that had been designed to enable Etisalat to capture,
read and store a customer’s e-mails, despite the encryption of such e-mails by the
BlackBerry. As one investigator explained:
“This spyware was specially designed to intercept e-mails sent by BlackBerries … BlackBerry e-mails are encrypted and sent via its own servers, but this spyware gets ahead of this encryption and sends the e-mails to a server.”
RIM found it necessary to warn its customers and to provide them instructions on how to
remove the spyware.5
• In late 2009, attackers breached the computer network of Google. The attackers
gained access to Google’s computer code for the software that authenticates users of
Google’s email, calendar and some of Google’s other cloud-based programs. Google
disclosed that the exploit resulted in a theft of some of Google’s intellectual property and
expressed the belief that the attack originated in China.6 Among other security
5 Robin Wigglesworth, Paul Taylor, and Joseph Menn, “BlackBerry rogue software leaves sour taste in UAE,” FINANCIAL TIMES, July 25/26, 2009, p. 3.
6 Ben Worthen and Jessica E. Vascellaro, “Google Attackers Got Access to Code,” THE WALL STREET JOURNAL, April 20, 2010, p. B-1.
measures implemented in response to the attack, Google decided to phase out use of
Microsoft’s Windows operating system due to its vulnerability to attacks. Reportedly, if
an employee thereafter wants a new Windows machine the employee must obtain
approval from Google’s Chief Information Officer.7
• In April 2010, a group at the University of Toronto published a study that
documented a “complex ecosystem of cyber espionage that systematically compromised
government, business, academic, and other computer network systems in India, the
Offices of the Dalai Lama, the United Nations, and several other countries.”8
• In early June 2010, a group of computer experts (who refer to themselves as
Goatse Security) exploited a security hole in AT&T’s website and gained access to
numbers that identify iPads connected to AT&T’s mobile network. Using those numbers,
the group was able to learn 114,000 email addresses for iPad customers. The
customers included prominent corporate officers, government officials (such as White
House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg) and
military officers.9
The widespread reportage of these and other incidents has probably increased the urgency with
which company Boards of Directors are considering ways in which to improve the cyber security
of their companies.
II. Recent Regulations that Require Enhanced Cyber Security. While attempting to
avert the risks from increased cyber threats, companies in several industries are also attempting
to ensure that they comply with laws, rules, and regulations that require that such companies
7 David Gelles and Richard Waters, “Google phases out Windows for employees over security concerns,” FINANCIAL TIMES, June 1, 2010, p. 1.
8 Ron Deibert and Rafal Rohozinski, “Shadows in the Cloud: Investigating Cyber Espionage 2.0,” April 2010, p. i, accessed at [URL illegible in source].
9 Spencer E. Ante, “AT&T Says IPad Owners’ Email Data Was Breached,” THE WALL STREET JOURNAL, June 10, 2010, p. B-1.
achieve enhanced cyber security with respect to certain kinds of sensitive data. Earlier
examples of such requirements included:
• The Interagency Guidelines Establishing Information Security Standards
(“Guidelines”) issued by member agencies of the Federal Financial Institutions
Examination Council (“FFIEC”) pursuant to Section 39 of the Federal Deposit Insurance
Act, 12 U.S.C. 1831 and Sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b) of the
Gramm-Leach-Bliley Act of 1999 (“GLBA”). The Guidelines address standards for
developing and implementing administrative, technical, and physical safeguards to
protect the security, confidentiality, and integrity of customer information for financial
institutions.10 The Guidelines require a financial institution’s Board to approve the
institution’s written information security program and to oversee the development,
implementation, and maintenance of the institution’s information security program. To
supplement the agencies’ GLBA 501(b) expectations, the FFIEC issued the Information
Security IT Examination Handbook, dated July 2006, which observes:
“Information security is a significant business risk that demands engagement of the Board of Directors and senior business management. … Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for
• Central oversight and coordination,
• Assignment of responsibility,
• Risk assessment and measurement,
• Monitoring and testing,
• Reporting, and
• Acceptable residual risk.
The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually. A written report to the board should describe the overall status of the information security program. At a minimum, the report should address the results of the risk assessment process; risk management and control decisions; service provider arrangements; results of security monitoring and testing; security breaches or violations and management’s responses; and recommendations for changes to the information security program. The annual approval should consider audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.”11
10 See discussion of the Guidelines in Outline for Panel on Wake Up Calls or Snooze Alarms by Professor Roberta S. Karmel.
• The Safeguards Rule, issued by the Federal Trade Commission, as required by
section 501(b) of the GLBA, to establish standards relating to
“administrative, technical and physical information safeguards for financial institutions subject to the Commission’s jurisdiction. As required by section 501(b), the standards are intended to: Ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.”12
• The Security Rule, issued by the Department of Health and Human Services,
pursuant to and to implement some of the requirements of the Administrative
Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996
(“HIPAA”). The Security Rule requires that each covered entity engaged in the
electronic maintenance or transmission of health information pertaining to individuals
“assess potential risks and vulnerabilities to such information in its possession in electronic form, and develop, implement, and maintain appropriate security measures to protect that information.”13
Unlike the Privacy Rule that applies to protected health information in any form, the Security Rule is narrower in that it applies only to health information in electronic form. The Security Rule sets forth general rules for security as well as administrative, physical and technical safeguards.
11 FFIEC, INFORMATION SECURITY IT EXAMINATION HANDBOOK, July 2006, pp. 5–6.
12 Federal Trade Commission, “Standards for Safeguarding Customer Information,” FEDERAL REGISTER, Vol. 67, No. 100, May 23, 2002, at p. 36484.
13 Department of Health and Human Services, “Health Insurance Reform: Security Standards,” FEDERAL REGISTER, Vol. 68, No. 34, February 20, 2003, at pp. 8334–9010.
Since January 1, 2009, additional examples of such laws, regulations and rules have been
issued or proposed that include the following:
• The Health Information Technology for Economic and Clinical Health (“HITECH”)
Act, enacted as part of the American Recovery and Reinvestment Act of 2009, signed
into law on February 17, 2009, to promote the adoption and meaningful use of health
information technology. Subtitle D of the HITECH Act addresses the privacy and
security concerns associated with the electronic transmission of health information, in
part, through several provisions that strengthen the civil and criminal enforcement of the
HIPAA rules.
• Changes to the Defense Federal Acquisition Regulation Supplement (“DFARS”)
proposed by the Department of Defense in March 2010 that would take the form of the
addition of a new subpart and associated contract clauses for the safeguarding, proper
handling, and cyber intrusion reporting of unclassified DoD information within industry.
The proposed changes would establish basic safeguarding requirements that would
apply to any unclassified DoD information that has not been cleared for public release
and that would require that the Government and its contractors and subcontractors
provide adequate security to safeguard such information on their unclassified information
systems from unauthorized access and disclosure. Contractors would be required to
report to the Government certain cyber intrusion events that affect DoD information
resident or transiting on contractor unclassified information systems. The proposed
contract clauses would require contractors to protect DoD information from unauthorized
disclosure, loss, or exfiltration by employing basic information technology security
measures and would require enhanced information technology security measures
applicable to encryption of data for storage and transmission, network protection and
intrusion detection, and cyber intrusion reporting.14 Contractors would also be required
to establish an information security program that complied with the NIST security
controls.15 Indicative of the enhanced protections that would need to be implemented,
contractors would be required to report to the Government “reportable events” that
include, among others, “a cyber intrusion event appearing to be an advanced persistent
threat.” The proposed changes define an “advanced persistent threat” as “an extremely
proficient, patient, determined, and capable adversary, including such adversaries
working together.” The proposed changes, however, provide no guidance on how a
contractor would identify such an adversary or what would constitute the criteria that
contractors could consistently apply to identify such an adversary in order to know that a
reportable event had occurred. At least one comment received on the proposed rule
expressed the concern that “the government should strongly consider the direct and
indirect liability issues that a contractor would be exposed to by this mandatory reporting
requirement …”16
• The Power Reactor Security Requirements that constitute amendments by the
Nuclear Regulatory Commission (“NRC”) to its security regulations and that add new
security requirements pertaining to nuclear power reactors. The rule, issued effective
May 26, 2010 and requiring compliance by March 31, 2010, established and updated
generically applicable security requirements similar to those previously imposed by the
NRC orders after the terrorist attacks of September 11, 2001. Most interestingly, the
new rule implements cyber security requirements that are codified as a new, separate
section 73.54 to the NRC’s regulations and that are designed to “provide high assurance
that digital computer and communications systems and networks are adequately
14 Department of Defense, “Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information (DFARS Case 2008-D028),” FEDERAL REGISTER, Vol. 75, No. 41, March 3, 2010, at pp. 9563–9568.
15 NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
16 Alan Chvotkin, Executive Vice President and Counsel, Professional Services Council, comments on the advanced notice of proposed rule making, May 3, 2010.
protected against cyber attacks up to and including the design basis threat …”17 which
includes a “cyber attack.”18 The NRC explained that the new rule’s requirements are set
forth in a separate stand-alone section “to enable the cyber security requirements to be
made applicable to other types of facilities and applications through future
rulemakings.”19 The new rule requires currently operating licensees to submit a cyber
security plan to the NRC for review and approval by way of license amendment and
requires applicants for a new license to similarly amend their application to include a
cyber security plan. In contrast to many earlier regulations issued by other agencies, the
NRC’s cyber security rules provide much more detailed and rigorous requirements that
suggest a standard intended to do more than require reasonable precautions, and
instead, to require safeguards that will substantially reduce the likelihood of unauthorized
access that could compromise safety of a nuclear power plant. As the NRC stated in its
explanation of the cyber security requirements,
“The cyber security program must be designed to implement security controls for protected digital assets; apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond, and recover from cyber attacks; and ensure the functions of protected digital assets are not adversely impacted due to cyber attacks. … Defense-in-depth is achieved when (1) a layered defensive model exists that allows for detection and containment of non-authorized activities occurring within each layer, (2) each defensive layer is protected from adjacent layers, (3) protection mechanisms used for isolation between layers employ diverse technologies to mitigate common cause failures, (4) the design and configuration of the security architecture and associated countermeasures creates the capability to sufficiently delay the advance of an adversary in order for preplanned response actions to occur, (5) no single points of failure exist within the security strategy or design that would render the entire security solution invalid or ineffective, and (6) effective disaster recovery capabilities exist for protected systems.”20
17 Nuclear Regulatory Commission, “Power Reactor Security Requirements; Final Rule,” FEDERAL REGISTER, March 27, 2009, at pp. 13926–13993.
18 See § 73.1(a)(1)(E)(v).
19 Ibid., at p. 13928.
20 Ibid., at p. 13959.
Digital Protection. Editors: Michael Lesk, [email protected]; R. Stytz, [email protected]; Roland L. Trope, [email protected]
Directors’ Digital Fiduciary Duties
ROLAND L. TROPE
Trope and Schramm LLP
78 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY
© 2005 IEEE. Reprinted, with permission.
In this inaugural article of the Digital Protection department, we will explore the potential legal and technical risks inherent in attempts to implement digital protection. Specifically, we will consider how liability might arise for those who have fiduciary responsibility for sensitive information assets, including the emerging trend toward imposing liability where digital protections are severely deficient or digital security has been breached. We also will focus on obstacles created by disparities in the knowledge and expertise of professionals who are responsible for corporate assets and who risk legal liability if their efforts are insufficient or ineffective. We address these disparities to bridge the gap between executive personnel responsible for corporate governance and technical personnel responsible for corporate digital security.
Entrusted data must be safeguarded
Corporate directors must rely on technical personnel to guarantee the integrity of sensitive data on company computers. However, evolving case law suggests that persons entrusted with fiduciary duties must meet high standards regarding an organization’s digital protection systems and the extent to which those systems can reliably protect the integrity of sensitive information assets. The logic of this case law suggests that corporate officers’ and directors’ supervisory responsibilities will extend from safeguarding corporate financial data accuracy to safeguarding the integrity of all stored data. To protect entrusted assets now requires the protection of the computer systems that store records of those assets and provide internal controls for their reporting. The recent cases involved government officials as fiduciaries who failed to remediate discernible deficiencies in digital protection and security of computer systems. Corporate directors, being fiduciaries, should expect to be held to the same standard for their companies’ digital security.
Accounts the US government cannot balance or reconcile
During the second half of the 19th century, the US government seized land from Native American tribes and allotted it to individual tribal members (to extinguish tribal sovereignty). The Dawes Act of 1887 vested beneficial title of the remaining allotted lands in the federal government as trustee for individual Native Americans.1 Between 1887 and 1934, the government removed approximately 90 million acres from Native American ownership. Subsequent legislation terminated allotment of tribal lands, extended indefinitely the federal government’s trusteeship of such lands, and authorized the US Department of the Interior (hereafter Interior) to manage the lands and related revenues, which would be held and invested for Native American beneficiaries in Individual Indian Money (IIM) accounts.2 The entrusted funds reportedly exceed US$3 billion, and the government pays the beneficiaries over US$500 million annually.3
On 10 June 1996, IIM accounts beneficiaries filed a class action suit against Interior Secretary Gale Norton and other federal officials serving as IIM trustees, alleging multiple breaches of fiduciary duty.1 In 1999, the US District Court found the federal government and its officials derelict in their duties, observing that Interior did not know the precise number of IIM accounts and their proper balances and lacked sufficient records to determine such values.1
The court held that the government owed statutory trust obligations to the IIM beneficiaries (including a duty to account), that Interior had failed to “retrieve and retain all information concerning the IIM trust … necessary to render an accurate accounting”1 and that government performance of its fiduciary duties had been unlawfully withheld and unreasonably delayed.
On appeal, the US Circuit Court of Appeals affirmed, noting: “The records upon which the government must rely to fulfill its trust duties are woefully deficient. … Interior … does not have complete or accurate information on the identities or whereabouts of all trust beneficiaries, nor … complete land title records,”2 and “Interior … does not have computer systems in place capable of tracking trust resources and relevant data.”2
The US District Court of Appeals interpreted Interior’s fiduciary duty to require a fair and accurate accounting of all funds held in trust by the US for the benefit of a tribe or an individual Native American and a duty to “maintain and complete existing records … and … to ensure that all aspects of the accounting process are carried out. … [T]his may well include an obligation to develop or obtain computer software capable of tracking and reconciling fund data.”2 The government’s failure to implement a computer system did not breach its fiduciary duty, but evidenced the government’s failure to discharge its fiduciary obligations in a reasonably prompt manner, which did constitute such a breach.
Two months later, in April 2001, the Chief Information Officer of Interior’s Bureau of Indian Affairs (BIA) admitted: “For all practical purposes, we have no security, we have no infrastructure. … Our entire network has no firewalls on it. I don’t like running a network that can be breached by a high school kid.”4
Judicial scrutiny of digital security
On 14 November 2001, a Special Master (whom the court had appointed in 1999) submitted a report to the court regarding his investigation of the integrity of Interior’s systems, and which chronicled Interior’s failure to safeguard and secure IIM trust data. (A Special Master is an official of the US District Court appointed for assigned duties and who has authority to regulate proceedings and take appropriate measures to perform those duties fairly and efficiently.)5 The Special Master found “no firewalls, … no … solution for monitoring network activity including … hacking, virus and worm notification …,”6 and recommended “the Court intervene and assume direct oversight of those systems housing Indian trust data … [otherwise] the threat to records crucial to the welfare of hundreds of thousands of IIM beneficiaries will continue unchecked.”6
On 5 December 2001, the court entered a temporary restraining order mandating that Interior “immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data.”7 In response, the government agreed to enter into a consent decree that included a mandate that “Interior shall not reconnect any information technology system to the Internet without the concurrence of the Special Master as herein provided.”8 The draconian nature of this court-ordered remedy makes abundantly plain the gravity of judicial concern for digital protection (as a process) and digital security (as an objective) where assets cannot be adequately safeguarded without safeguarding data.
The Special Master ultimately allowed Interior to reconnect 95 percent of its computers. However, his continuing concern for data protection led him, between March 2002 and July 2003, to direct a security assistance group (SAG) to test Interior’s reconnected computers. SAG’s investigations “identified numerous vulnerabilities exposing individual Indian trust data to uninvited review and manipulation.”9
When SAG conducted penetration tests, Interior’s system administrators made no effort to “restrict, block, or deny access from the source of the attacks,”10 implying that SAG’s penetration activities went undetected. When SAG conducted a Nessus security scanning test (www.nessus.org) on an Interior server, it identified a vulnerability that would “allow remote unauthorized users to grab copies of files from … the server.”11 In response to such disclosures, the government effectively hampered the Special Master’s further efforts to verify the security status of Interior’s computers. In May 2003, the government asked the court to disqualify the Special Master after he learned that an Interior official had “appraised oil and gas easements running across Indian lands for amounts considerably less than the appraised value of identical interests held by non-Indians” and then “destroyed the evidence of his 20-year practice of doing so.”12 Government pressure eventually caused the Special Master to resign, thereby removing from the litigation the person who probably had the best technical (and objective) understanding of Interior’s digital security deficiencies and its efforts to trivialize those it could not disguise.
New department’s mission
This issue of IEEE Security & Privacy inaugurates a new department: Digital Protection. Its mission is to provide an open and responsive forum for discussing the technological, commercial, and legal aspects of protecting valuable digitized property.
In the 21st century, we’ll increasingly measure wealth in bits, not bullion. As a result, topics such as digital rights management, software piracy, reverse engineering, intellectual property law, liability management, and trusted computing platforms are increasingly becoming relevant to the general computing profession. This department’s goal is to keep readers abreast of the latest technical developments and informed about the corresponding legal, policy, social, and commercial issues.
We welcome reader involvement through contributions and critical feedback.
The plaintiffs seek digital protections

In response to such developments, plaintiffs filed a motion seeking a preliminary injunction to compel protection of individual Native American trust data. After a hearing, the court issued an opinion, observing that Interior had adopted a “restrictive interpretation of the Consent Decree, namely, that once the Interior Department computer systems have been reconnected to the Internet, no further testing of those systems is either necessary or permissible.”[11] This was not the understanding of the Special Master or of the court, which noted that, “It would certainly seem to be irrational to interpret the Consent Order to … mean that, once the computer systems had been reconnected, no procedure would be in place to verify … that the reconnected systems … continue to be secure from unauthorized Internet access.”[11]

The court placed the highest priority on safeguarding data and ensuring accurate and reliable accounting. (Directors seeking to comply with the Sarbanes–Oxley Act will find the court’s concern instructive, because they and their companies’ officers have legal obligations—under Section 404 of that act—to assess their companies’ internal controls for financial reporting and, therefore, the digital protection that is now an integral part of such controls.) The court made clear the increasing inseparability of assets and the data that represents those assets, and found it essential, in protecting the former: “[to prevent] undetectable unauthorized persons to access, alter, or destroy individual Indian trust data via an Internet connection. The alteration or destruction of any of the trust data would further prevent the beneficiaries of the individual Indian money … from receiving the payments to which they are entitled, in the correct amount. … [and] would … render any accounting of the individual Indian trust inaccurate and imprecise, and therefore inadequate.”[11]

Plaintiffs proved irreparable harm that justified issuance of a preliminary injunction to prevent the continued operation of Interior’s computer systems that “… have not been demonstrated to be secure from Internet access by unauthorized persons. … Without any evidence that the systems are secure, it would be an act of folly for this Court simply to permit” [such computers] “to remain connected” to the Internet.[11] The court concluded that Interior’s system could not guarantee the security of the data in question, and made clear that such integrity must be guaranteed. But such a guarantee might be infeasible, particularly with any computer connected to the Internet. We know of no digital protection that can guarantee invulnerability in software that is inherently vulnerable to hacking or malicious code.

On reviewing evidence of Interior’s digital protection system, in March 2004, the court concluded that it could not “conceive of any means by which Interior could be allowed to monitor itself and be solely responsible, without external monitoring, for the security of individual Indian trust data.”[5] Without a hearing, the court issued a preliminary injunction that again required disconnection.

Judicial misconceptions of digital security

Interior appealed, asserting the injunction lacked “any legal foundation or factual predicate.”[13] On 3 December 2004, the US Circuit Court of Appeals found both contentions “unpersuasive,” recalled “Interior’s past gross computer security failures,” insisted its actions must be judged by “the most exacting fiduciary standards,” and found its officials as trustees had “egregiously breached their fiduciary duties.” However, the court vacated the injunction for procedural reasons, including failure “to hold an evidentiary hearing prior to entering the injunction” and that the US District Court had erroneously relieved the plaintiffs of their burden to demonstrate the “necessity of the IT injunction to safeguard against imminent and irreparable harm.”[13]
Such a holding clearly misunderstands the Internet and its threats. “Imminent” injury should be provable by showing a severe vulnerability to the Internet, as evidenced by daily security incidents or deficient defenses against Internet threats. The US Circuit Court of Appeals apparently required plaintiffs to demonstrate that a specified malicious code posed an imminent threat to Interior’s computers. Because any such threat could inflict its damage in a matter of minutes, it is unrealistic to require plaintiffs to postpone seeking injunctive relief until such threat materializes.

The US Circuit Court of Appeals based its holding on the fact that “there was no evidence that anyone other than the Special Master’s contractor had ‘hacked’ into any Interior computer system housing or accessing IITD [individual Indian trust data].”[13] Its logic overlooks the obvious: by the time a hacker made such an attack, it would be too late to protect any data. Moreover, because its intrusion detection systems had failed to detect any of the SAG penetration tests, Interior could not confirm or disconfirm any hacker attack. On remand, the US District Court will be hard pressed to address the misconceptions in the technological expertise reflected in the US Circuit Court of Appeals’ opinion.
Emerging duty for digital security

Significantly, the US Circuit Court of Appeals also held that the US District Court’s “jurisdiction properly extends to security of Interior’s information technology systems … housing or accessing [trust data], because [Interior] … as a fiduciary, is required to maintain and preserve”[13] such data. The court further acknowledged that Interior “has current and prospective trust management duties that necessitate maintaining secure IT systems in order to render accurate accountings now and in the future,”[13] implying a fiduciary duty for digital protection and security.

The US District Court of Appeals thereby suggested a judicial willingness to hold executive personnel responsible for highly technical knowledge where those with fiduciary duties also oversee the implementation and maintenance of digital security. By relying on a deficient digital protection system, such personnel could be at increasing risk of incurring legal liability for breaching a fiduciary duty of care in safeguarding information assets whose digital integrity is essential to safeguarding financial assets.

In the case of Interior’s fiduciary duties, safeguarding funds entrusted to its care was impossible without adequate safeguards on the integrity of the account data on which distribution of such funds depended. Thus, the digital asset has become inseparable from the physical asset. And fiduciary law has always imposed a high duty of care on those responsible for safeguarding third-party assets.

For the foreseeable future, malicious code releases will be sufficiently frequent and far-reaching that courts must consider recalibrating requirements for injunctive relief: an imminent security breach should be a rebuttable presumption when digital protections are insufficient or ineffective. As US Federal Trade Commission Commissioner Orson Swindle recently cautioned, “There can be law violations without a known breach of security. … Particularly when explicit promises are made, companies have a legal obligation to take reasonable steps to guard against threats before a compromise occurs.”[14]

Directors are arguably obligated to take such steps as part of their fiduciary duty to their company, particularly where failure to remediate could cause irreparable damage to financial or other sensitive records that are integral to the protection of the assets they represent. Deficient digital protection requires immediate remediation (arguably the responsibility of those who have a fiduciary duty for protection of the underlying assets).

You do not have to see rabbit tracks in your garden to know that you should find and fix the holes in the fence. If a company’s intrusion detection system fails to detect hostile probes, there will not even be any rabbit tracks to find.
Acknowledgment

The views expressed here are solely the author’s and do not reflect official policy or position of the US Department of the Army, US Department of Defense, or US government.
References

1. Cobell v. Babbitt, Fed. Supp. 2d, vol. 91, p. 1, Wash. DC, District Ct., 1999; www.indiantrust.com/_pdfs/99.12.21-memorandum_opinion.pdf.
2. Cobell v. Norton, Fed. Supp. 3d, vol. 240, p. 1081, Wash. DC, Circuit Ct., 2001; http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=dc&navby=case&no=005081A.
3. J. Files, “No. 2 at Interior Dept. Resigns,” New York Times, 8 Dec. 2004, Sec. A, p. 28.
4. K.M. Peters, “Trail of Troubles,” GovExec.com, 1 Apr. 2001, p. 100; www.govexec.com/fpp/fpp01/bureau_of_indian_affairs.htm.
5. US Code, Title 28, Federal Rules of Civil Procedure, Rule 53 (Masters).
6. Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior, 14 Nov. 2001, p. 141, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
7. Order of US District Court Judge Royce C. Lamberth, Cobell v. Norton, Civil Action Case No. 1:96CV01285, 5 Dec. 2001; www.indiantrust.com/_pdfs/2001.12.05_TRO.pdf.
8. Consent Order Regarding Information Technology Security, 17 Dec. 2001, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
9. Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
10. Security Assistance Group, Internet Assessment of Department of Interior, Bureau of Land Management, 27 Mar. 2003, p. 1, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
11. Cobell v. Norton, Civil Action Case No. 1:96CV01285, Wash. DC, District Ct., 2003; www.indiantrust.com/_pdfs/20030728MemorandumOpinion.pdf.
12. A.L. Balaran, Special Master’s Letter of Resignation to Judge Royce C. Lamberth, 5 Apr. 2004, p. 2.
13. Cobell v. Norton, Slip Opinion, Wash. DC, Circuit Ct., 2004; www.indiantrust.com/_pdfs/20041203ITSecPIDenied.pdf.
14. O. Swindle, “Cybersecurity and Consumer Data: What’s at Risk for the Consumer?,” prepared statement, US Federal Trade Commission before Commerce, Trade, & Consumer Protection Subcommittee, Committee on Energy and Commerce, US House of Representatives; www.ftc.gov/os/2003/11/031119swindletest.htm.
Roland L. Trope is a partner in the law firm of Trope and Schramm LLP, and an adjunct professor in the Department of Law, US Military Academy. His research interests are cyberlaw, cross-border transactions, defense procurements, export controls, intellectual property, privacy, and management of information security. Trope has a JD from Yale Law School, a BA and an MA in English language and literature from Oxford University and a BA in political science from the University of Southern California. He is a member of the American Bar Association’s Cyberspace Law Committee, the Association of the Bar of the City of New York’s Information Technology Committee, and coauthor of the treatise Checkpoints in Cyberspace (to be published by the ABA in 2005). Contact him at [email protected].
82 IEEE SECURITY & PRIVACY ■ JANUARY/FEBRUARY 2005
Digital Protection

Editors: Michael Lesk, [email protected]; R. Stytz, [email protected]; Roland L. Trope, [email protected]
72 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/08/$25.00 © 2008 IEEE ■ IEEE SECURITY & PRIVACY
Hardening the Target
ROLAND L. TROPE
Trope and Schramm, LLP
MONIQUE WITT
WILLIAM J. ADAMS
US Military Academy, West Point
As enterprises have become increasingly dependent on digitized data and have sought commercial opportunities from accelerated digital access and transmission, senior management and boards of directors have not sufficiently updated their enterprises’ security protections on digitally stored information. Consequently, new and increasingly frequent attacks have occurred against their digital information assets. As CERT cautioned in November 2007,

“Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. However, the current trend of using computer networks to remotely monitor and control unmanned facilities has … increased the possibility that these physical property crimes could be used to conceal less discernible cyber crimes. … Those investigating a physical security breach should be aware that a cyber related incident may also have occurred.”[1]

To the extent that an enterprise’s commercial health depends on its digitized data and its ability rapidly to access, process, and transmit such data, that enterprise will increasingly be targeted for cyberattacks, digital theft, misappropriation, depredation, and commercial espionage. Such attacks have been growing recently:

“The number of attacks on credit- and debit-card processing systems has more than doubled from 2006 to 2007, and that trend appears to be continuing into 2008. These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.”[2]

Consequently, digital security has become a boardroom issue and an implicit fiduciary obligation. Here, we look at the risks management and directors take when they fail adequately to protect their enterprises’ digital property.
Evaluating risks to iconic targets

To be shielded from liability in the event of an attack, an enterprise’s managers or board of directors must demonstrate that they have taken adequate precautions against known or reasonably foreseeable risks to the enterprise’s digital assets. One recent court decision strongly suggests that liability for cyberattacks will increasingly apply to a company’s senior management. Although this case did not expressly involve digital security, we believe its language is sufficiently broad to include data protection issues, particularly when senior executives or directors knew or should have known that their enterprise’s digital security was deficient. We believe this case indicates the broad parameters of the duty of care that officers and directors will ultimately be assigned in the context of digital security. The trend is clear: “Data security is no longer a ‘second-tier risk assessment’ but a task for directors themselves to address. ‘It’s now at boardroom level.’”[3]

Management, officers, and board members must therefore evaluate the risk of the enterprise being targeted in a political as well as an economic context. Many major economic enterprises are identified (through their branding) with national entities. These include banks (JP Morgan and Deutsche Bank), defense contractors (Boeing, BAE, and Thales), entertainment enterprises (Disney and Pixar), retailers (Wal-Mart), software makers (Microsoft or Google) and real property holdings (London’s Canary Wharf and The Gherkin or New York’s Empire State Building). Such entities present attractive (and vulnerable) targets for crimes that have political or economic objectives.
These enterprises become targets owing to their iconic status. They act as proxies for political “hot-button” issues, and their size guarantees publicity for an attacker’s political or social agenda. Targeting such an enterprise both damages the balance sheet “good will”—that is, the established reputation of the enterprise, which has a quantifiable value—and increases the public profile of the protesting group.
Managers, officers, and board members have legally enforceable fiduciary duties to protect their enterprise’s assets, both its physical premises and personnel and its intellectual property and digitized information. Duties with respect to the latter arguably “extend from safeguarding corporate financial data accuracy to safeguarding the integrity of all stored data.”[4]

To fulfill these duties, enterprises often commission and oversee assessments of their vulnerabilities and probable risks. A board that does not ensure that the enterprise conducts such assessments will be poorly positioned, in the event of attack, to defend itself against allegations that it neglected its fiduciary duty. With a national brand, iconic enterprise, or critical infrastructure provider, the risk and the potential for collateral harm will be commensurately greater and will increase the enterprise’s duty to be vigilant.

Senior management should thus take particular care when considering what safeguards to implement in response to any risk assessments, particularly those that identify or quantify specific risks and vulnerabilities. We will look at what happens when management or directors fail to protect their enterprises, despite warnings of highly probable risks.
1993 World Trade Center bombing

Nash v. the Port Authority[5] offers guidance on management’s duty to protect an enterprise from foreseen (and foreseeable) risks. That case, decided in April 2008 by New York’s Appellate Division, involved the 1993 bombing of the World Trade Center (WTC) and focused on the Port Authority’s proprietary duty (as the landlord) to secure the premises, its occupants, and invited guests from harm. The Appellate Division’s reasoning is directly relevant to executives’ fiduciary duties in protecting an enterprise’s digitized data.

We believe, moreover, that the court’s reasoning is relevant regardless of whether an enterprise’s senior personnel have been negligent. The decision articulates relevant criteria for when such personnel have a duty to adopt “target-hardening” measures, namely those which would avert or substantially reduce the targeted enterprise’s vulnerability to risks known—or that should have been known—by its management, officers, or board members. Although no rule so far automatically finds negligence where executive personnel have failed to adequately safeguard the enterprise’s data, the law is clearly moving rapidly toward a “should have known” standard (that is, that such personnel will be liable if they should have known that a risk existed), particularly where risks to comparable enterprises have received public attention.
Case facts

In 1984, the Port Authority’s then executive director decided, in view of the WTC’s “iconic nature” and “its consequent attraction as a target for terrorists,” to seek Scotland Yard’s advice on the building’s security. Scotland Yard was “appalled to hear we had transient [public] parking directly underneath the towers.”[5] The Port Authority subsequently received several warnings from internal security officers and outside consultants stating that,[5]

• the WTC’s “parking lots … are highly susceptible to car bombings”;
• an attempt to bomb the WTC was “probable”;
• terrorists could “create havoc without being seriously deterred by the current security measures”; and
• “The car bomb is fast becoming the weapon of choice for European terrorists” and “the fact that parking an explosives laden vehicle provides substantial escape time for the driver is ample justification to take decisive target hardening measures in this area.”

These reports recommended that the Port Authority

• eliminate the WTC’s subgrade public parking,
• install barriers to the access ramps, and
• conduct vehicle searches.[5]

Between 1984 and 1993, other iconic buildings “hardened their defenses against car bombs.” However, the Port Authority failed to adopt any of the recommended safeguards.[5]

The plaintiffs alleged that the Port Authority had breached its proprietary obligation by failing to safeguard the WTC and its business tenants against foreseeable criminal intrusion. The jury returned a verdict for the plaintiffs, found Port Authority negligent, and allocated to it 68 percent of the fault for the bombing. The Port Authority’s petition to set aside the verdict was denied, and it appealed.
Appellate Division decision

The Appellate Division affirmed the jury’s verdict, noting that a landlord has a proprietary duty to “act as a reasonable [person] in maintaining … [its] property in reasonably safe condition in view of all the circumstances, including the likelihood of injury to others, the seriousness of the injury, and the burden of avoiding the risk.”[5] Given the post-9/11 security climate, the “likelihood of injury” standard is broad enough to create a proactive duty on management’s part without a specific finding that it failed to address potential risks that were actually brought to its attention. The Appellate Division went further, however. It reasoned that the Port Authority had a heightened duty to take steps to secure the property due to the following factors: it had received express warnings; the foreseen risks were characterized as not merely possible but probable; the enterprise had “iconic” status; and it had few defenses against the emerging weapon of choice—the car bomb. In words that reach beyond a landlord’s proprietary obligation, the Appellate Division emphasized that

“there are circumstances in which the nature and likelihood of a foreseeable security breach and its consequences will require heightened precautions.”[5]

This language—the likelihood of foreseeable risk—suggests the direction in which the emerging fiduciary obligation is developing. The Port Authority’s duty was further heightened because the potential risk was so grave:

“As this case so vividly illustrates, the blameworthiness of [defendant’s] negligence … may actually be increased by the heinousness of the wrongdoing it directly and forseeably facilitates. … [Here] the intentional act was forseeably responsive to and exploitative of the negligence and, causally, did little more than bring the incipient catastrophic potential of the negligence to terrible fruition.”[5]

The Port Authority’s duty was particularly compelling in light of the inconsequential cost of implementing the target-hardening measures.[5]

The clear implication of this decision is that the Port Authority had a duty to adopt the target-hardening recommendations and to secure the premises given the magnitude of the risk, the clear vulnerability, and the attractiveness of the enterprise as a target.
Lessons learned

The current security climate suggests strongly that other jurisdictions will adopt this line of reasoning when analyzing management and board members’ fiduciary duties to secure an enterprise’s material and immaterial assets. This reasoning should prompt such personnel to reevaluate any risk assessment recommendations they have received and any identified risks to comparable enterprises. Where the risk is high and probable, and where the costs of safeguards are not prohibitive, enterprises must seriously consider adopting target-hardening measures. Failure to do so could increasingly be viewed as actionable negligence or failure to fulfill a duty of care.
Recommendations for management

When an enterprise’s executives or directors deliberate on whether and to what extent to adopt recommended digital security safeguards, they can improve the quality of their decisions and the record of such deliberations by familiarizing themselves with the case law regarding their emerging duty of care. This will better position them to argue that the measures they have taken are protected within the scope of their business judgment and are reasonable, should a serious security breach occur. The board will also have evidentiary support that it “acted independently, with due care, in good faith, and in the honest belief that its actions were in the shareholders’ best interests,”[6] the standard customarily applied to decisions within the business judgment rule.
Basic recommendations

We suggest the following guidelines when reviewing recommended digital safeguards:

• Deliberations on recommended safeguards that include the reasons for rejecting or adopting each recommendation should be recorded and retained.
• Internal security rules should reflect and track known, identified, or anticipated security vulnerabilities. As a Federal District Court recently explained, “When a danger exists and the company knows or should know of it, the company must reckon with the possibility that the very failure to make rules may be used against it.”[7]
• Security must be updated as risks surface, and management should oversee and review maintenance of security measures regularly. These measures should ensure that, if an intrusion occurs, the enterprise will have evidence of network activity that can help identify the intruders and their objectives—that is, computer logs that document times and identities of users accessing or changing data, patch applications, and other network activities. (See the sidebar for a good illustration of why this is important.)
• Management and board members should weigh the costs of implementing digital security safeguards against the potential for long-term economic harm and personal liability for breach of fiduciary duty.
• Management and board members should be mindful of how courts evaluate an enterprise’s decisions on whether and the extent to which it adopts safeguards. They should anticipate being held negligent and liable for catastrophic loss from a digital security breach if a court, on reviewing their failure to adopt safeguards, finds that the burden of taking adequate precautions was less than the gravity of injury or damage multiplied by the probability of the breach occurring. (This formula has been applied in various cases and provides a useful analogy in the context of an enterprise’s digital security.[8])

The duty to implement such safeguards rises sharply, however, when an enterprise’s management knows or should know that their company, its buildings, or its networks of computers have become a probable target for terrorists or its country’s military adversaries. As the Appellate Division cautioned,

“A risk of such extraordinary magnitude must, if it is to be dealt with prudently, be managed differently from the significantly less dire risks … No reasonably prudent … [owner], aware of the value of his or her structure as a terrorist target … would await a terrorist attack … directed at basic structural elements, before undertaking, to the extent reasonably possible, to minimize the risk.”

As such enterprises become increasingly dependent on off-premises computing such as “cloud” technologies, management will need to consider safeguards against the accompanying additional technical risks.
Recommended safeguards against additional technical risks

As cloud computing has caused enterprises to depend more on wireless access to software applications and offsite data storage, new security issues have arisen and will continue to surface as enterprises increasingly rely on the security regimes of third-party offsite operators (regimes they cannot effectively police). A significant risk occurs not merely to the integrity of the data stored offsite but to uninterrupted access to it. Because numerous and varied enterprises’ commercial viability depends on immediate and uninterrupted access to sensitive digital information, any breakdown in digital communication with offsite providers will have immediate and long-term commercial consequences. Losing Internet access is the simplest example, as 9/11 and its repercussions suggested, given that during the attack and the days afterwards, with cell phone communications down, enterprises used their fax machine’s handsets to place calls to emergency services and to keep their businesses running. (Note that VoIP users do not have this option, and instead lose everything when their Internet connection is severed.) To address the risk of losing access due to an Internet crash, an onsite legacy system or other redundant computing capability deserves serious consideration, and senior management should also allow for contingency communications through other means.
On 10 June 2008, the US Department of Homeland Security (DHS) issued a warning to certain government and private-sector officials concerning the cybertargeting of US corporate and government personnel when traveling abroad.[9] The DHS warning emphasized the following risks:[10]

• “Foreign governments routinely target the computers and other electronic devices and media carried by U.S. corporate and government personnel traveling abroad ... Theft of sensitive information can occur in a foreign country at any point … and can continue after returning home without the victim being aware ...”
• “Travelers should assume that they cannot protect electronically stored data and should not transmit sensitive … information on the Internet or through telecommunications equipment.”
• “Devices carried overseas should be screened thoroughly upon return for the presence of malicious software.”
• “The best strategy to protect electronic devices when traveling is to leave them at home. If this is impossible, alternatives include … using a designated ‘travel’ laptop that contains minimal sensitive information … however, travelers should assume that all communications are monitored.”
Recent consent decrees from the US Federal Trade Commission (some involving several million in civil penalties[11]) suggest the extent of commercial enterprises’ obligations to secure their valuable assets. In these, defendant companies were charged with failing to provide reasonable and appropriate security for digitized personal or financial information. In response, defendants agreed to implement comprehensive information security programs, including:

• “identification of material internal and external risks to the security, confidentiality, and integrity of personal information … and assessment of any safeguards in place to control these risks”;
• “design and implementation of reasonable safeguards to control the risks identified through risk assessment”;
• “regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures”; and
• “evaluation and adjustments of respondent’s information security program in light of the results of the testing and monitoring.”[12]
All enterprises that rely on digital data run the risk that their data will be misappropriated or corrupted. Enterprises with a higher iconic or critical infrastructure profile incur a heightened duty to harden the enterprise and its digitized assets. We believe best practices for such high-profile enterprises will become the standard for the security measures that must be implemented by all major enterprises and their management, officers and directors.

Enterprises should understand that their commercial viability depends increasingly on protecting the integrity of their stored digital data and on ensuring uninterrupted access to it. In the event of a multi-enterprise security breach, moreover, the enterprise that maintains uninterrupted operations (or that is restored the most quickly to effective functioning) will gain a significant commercial advantage. Securing an enterprise’s digital data, proactive prevention of security breaches, and rapid mitigation of and recovery from any such breach must be part of a comprehensive digital security regime for any enterprise whose commercial viability depends on the integrity of its digital information assets.
Acknowledgments

The authors gratefully acknowledge the research and editorial contributions of David Rosenblum, Michael Lesk, and Charles P. Pfleeger. The views expressed here are solely the authors’ and have not been approved by, and should not be attributed to, the US Military Academy, the Department of Defense, or the US government.
References
1. US Computer Emergency Response Team (CERT), “Cyber Security Response to Physical Security Breaches,” 28 Nov. 2007; www.us-cert.gov/reading_room/cssp_cyberresponse0712.pdf.
2. J. Walden, A.H. Southwell, and A. Goodman, “Data Breaches: Expect A Rise in Litigation,” New York Law J., 12 May 2008, p. S4.
3. M. Peel and K. Allison, “Devil in the Details: Why Personal Data are Ever More Open to Loss and Abuse,” Financial Times, 25–26 Dec. 2008, p. 5.
4. E.M. Power and R.L. Trope, Sailing in Dangerous Waters: A Director’s Guide to Data Governance, American Bar Association, 2005.
5. Nash v. The Port Authority of New York and New Jersey, New York Law J., 2 May 2008, pp. 26, 34–35 (New York Appellate Division, First Department).
6. C.M. Godfrey, “In re The Walt Disney Company Derivative Litigation,” Business Law Today, July/Aug. 2008, p. 47.
7. “In the Matter of the Complaint of The City of New York as Owner and Operator of the M/V Andrew J. Barberi,” memorandum and order 03-CV-6049, 26 Feb. 2007; http://63.72.236.16/pub/rulings/cv/2003/03cv6049mo22607.pdf.
8. United States v. Carroll Towing Co., Federal Reporter, 2nd Series, vol. 159, 1947, p. 173 (US Court of Appeals for the Second Circuit).
9. S. Gorman, “US Fears Threat of Cyberspying at Olympics,” Wall Street J., 17 July 2008, p. 16; http://online.wsj.com/article/SB121625646058760485.html.
10. Department of Homeland Security, Office of Intelligence and Analysis, (U) Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities, Homeland Security Assessment, 10 June 2008; http://online.wsj.com/public/resources/documents/cyber-threatassessment-07172008.pdf.
11. United States v. Valueclick, Inc., case no. CV08-01711, 27 Mar. 2008, p. 8 (consent decree for defendant to pay civil penalty of US$2.9 million); www.ftc.gov/os/caselist/0723111/index.shtm.
12. In the Matter of The TJX Companies, Inc., file no. 072 3055, agreement containing consent order, 27 March 2008, p. 3; www.ftc.gov/os/caselist/0723055/index.shtm.
Roland L. Trope is a partner in the New York City office of Trope and Schramm, LLP, and an adjunct professor in the Department of Law at the US Military Academy. Trope has a Juris Doctor from Yale Law School. He co-authored the treatise Checkpoints in Cyberspace: Best Practices for Averting Liability in Cross-Border Transactions (American Bar Association, 2005). Contact him at
Monique Witt is a lawyer in New York City. She has a Juris Doctor and Doctor of Philosophy degrees from Yale University. Contact her at [email protected].
William J. Adams is an assistant professor of computer science and a senior research scientist in information assurance at the US Military Academy, West Point as well as a lieutenant colonel in the US Army. Adams has a PhD in computer engineering from the Virginia Polytechnic Institute and State University. He is a senior member of the IEEE. Contact him
Maintaining security logs
The importance of logging access to and intrusions into an enterprise’s computers was illustrated when illegally implanted software in four of Vodafone’s Greek switches created a parallel path for digitized voices and thus enabled such intruders to tap into roughly 100 cell phones belonging to senior officials in the Greek government (such as the prime minister and ministers of defense, foreign affairs, and justice). Its discovery did not enable Vodafone or Greek law enforcement authorities to identify the intruders or their motives because Vodafone allowed its IT staff to perform maintenance and upgrades that destroyed the relevant digital data. When Vodafone upgraded servers used for accessing the exchange management system, for example, it “wiped out the access logs, and, contrary to company policy, no backups were retained.”1 By depriving itself of data on who carried out the intrusion, Vodafone left itself at increased risk of suffering a similar intrusion in the future.
Reference
1. V. Prevelakis and D. Spinellis, “The Athens Affair,” IEEE Spectrum, July 2007, p. 32.
6/15/10 11:59 PM Get a Document - by Citation - 698 A.2d 959
Page 1 of 16 http://www.law.uh.edu/healthlaw/law/FederalMaterials/FederalCases/InreCaremark.htm
COURT OF CHANCERY OF DELAWARE, NEW CASTLE
IN RE CAREMARK INTERNATIONAL INC. DERIVATIVE LITIGATION
CONSOLIDATED CIVIL ACTION NO. 13670
698 A.2d 959
August 16, 1996, DATE SUBMITTED
September 25, 1996, DATE DECIDED
COUNSEL: Joseph A. Rosenthal, Esquire, of ROSENTHAL, MONHAIT, GROSS & GODDESS, P.A.,
Wilmington, Delaware; OF COUNSEL: LOWEY DANNENBERG BEMPORAD & SELINGER, P.C., White
Plains, New York; GOODKIND LABATON RUDOFF & SUCHAROW, L.L.P., New York, New York;
Attorneys for Plaintiffs.
Kevin G. Abrams, Esquire, Thomas A. Beck, Esquire and Richard I.G. Jones, Jr., Esquire, of
RICHARDS, LAYTON & FINGER, Wilmington, Delaware; OF COUNSEL: Howard M. Pearl, Esquire,
Timothy J. Rivelli, Esquire and Julie A. Bauer, Esquire, of WINSTON & STRAWN, Chicago, Illinois;
Attorneys for Caremark International, Inc.
Kenneth J. Nachbar, Esquire, of MORRIS, NICHOLS, ARSHT & TUNNELL, Wilmington, Delaware; OF
COUNSEL: William J. Linklater, Esquire, of BAKER & McKENZIE, Chicago, Illinois; Attorneys for
Individual Defendants.
JUDGES: ALLEN, CHANCELLOR
OPINIONBY: ALLEN
OPINION: MEMORANDUM OPINION
ALLEN, CHANCELLOR
Pending is a motion pursuant to Chancery Rule 23.1 to approve as fair and reasonable a proposed
settlement of a consolidated derivative action on behalf of Caremark International, Inc.
("Caremark"). The suit involves claims that the members of Caremark's board of directors (the
"Board") breached their fiduciary duty of care to Caremark in connection with alleged violations by
Caremark employees of federal and state laws and regulations applicable to health care providers. As
a result of the alleged violations, Caremark was subject to an extensive four year investigation by
the United States Department of Health and Human Services and the Department of Justice. In 1994
Caremark was charged in an indictment with multiple felonies. It thereafter entered into a number of
agreements with the Department of Justice and others. Those agreements included a plea
agreement in which Caremark pleaded guilty to a single felony of mail fraud and agreed to pay civil
and criminal fines. Subsequently, Caremark agreed to make reimbursements to various private and
public parties. In all, the payments that Caremark has been required to make total approximately $
250 million.
This suit was filed in 1994, purporting to seek on behalf of the company recovery of these losses
from the individual defendants who constitute the board of directors of Caremark. n1 The parties
now propose that it be settled and, after notice to Caremark shareholders, a hearing on the fairness
of the proposal was held on August 16, 1996.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n1 Thirteen of the Directors have been members of the Board since November 30, 1992. Nancy
Brinker joined the Board in October 1993.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - -
A motion of this type requires the court to assess the strengths and weaknesses of the claims
asserted in light of the discovery record and to evaluate the fairness and adequacy of the
consideration offered to the corporation in exchange for the release of all claims made or arising
from the facts alleged. The ultimate issue then is whether the proposed settlement appears to be
fair to the corporation and its absent shareholders. In this effort the court does not determine
contested facts, but evaluates the claims and defenses on the discovery record to achieve a sense of
the relative strengths of the parties' positions. Polk v. Good, Del.Supr., 507 A.2d 531, 536 (1986). In
doing this, in most instances, the court is constrained by the absence of a truly adversarial process,
since inevitably both sides support the settlement and legally assisted objectors are rare. Thus, the
facts stated hereafter represent the court's effort to understand the context of the motion from the
discovery record, but do not deserve the respect that judicial findings after trial are customarily
accorded.
Legally, evaluation of the central claim made entails consideration of the legal standard governing a
board of directors' obligation to supervise or monitor corporate performance. For the reasons set
forth below I conclude, in light of the discovery record, that there is a very low probability that it
would be determined that the directors of Caremark breached any duty to appropriately monitor and
supervise the enterprise. Indeed the record tends to show an active consideration by Caremark
management and its Board of the Caremark structures and programs that ultimately led to the
company's indictment and to the large financial losses incurred in the settlement of those claims. It
does not tend to show knowing or intentional violation of law. Neither the fact that the Board,
although advised by lawyers and accountants, did not accurately predict the severe consequences to
the company that would ultimately follow from the deployment by the company of the strategies
and practices that ultimately led to this liability, nor the scale of the liability, gives rise to an
inference of breach of any duty imposed by corporation law upon the directors of Caremark.
I. BACKGROUND
For these purposes I regard the following facts, suggested by the discovery record, as material.
Caremark, a Delaware corporation with its headquarters in Northbrook, Illinois, was created in
November 1992 when it was spun-off from Baxter International, Inc. ("Baxter") and became a
publicly held company listed on the New York Stock Exchange. The business practices that created
the problem pre-dated the spin-off. During the relevant period Caremark was involved in two main
health care business segments, providing patient care and managed care services. As part of its
patient care business, which accounted for the majority of Caremark's revenues, Caremark provided
alternative site health care services, including infusion therapy, growth hormone therapy, HIV/AIDS-
related treatments and hemophilia therapy. Caremark's managed care services included prescription
drug programs and the operation of multi-specialty group practices.
A. Events Prior to the Government Investigation
A substantial part of the revenues generated by Caremark's businesses is derived from third party
payments, insurers, and Medicare and Medicaid reimbursement programs. The latter source of
payments are subject to the terms of the Anti-Referral Payments Law ("ARPL") which prohibits
health care providers from paying any form of remuneration to induce the referral of Medicare or
Medicaid patients. From its inception, Caremark entered into a variety of agreements with hospitals,
physicians, and health care providers for advice and services, as well as distribution agreements with
drug manufacturers, as had its predecessor prior to 1992. Specifically, Caremark did have a practice
of entering into contracts for services (e.g., consultation agreements and research grants) with
physicians at least some of whom prescribed or recommended services or products that Caremark
provided to Medicare recipients and other patients. Such contracts were not prohibited by the ARPL
but they obviously raised a possibility of unlawful "kickbacks."
As early as 1989, Caremark's predecessor issued an internal "Guide to Contractual Relationships"
("Guide") to govern its employees in entering into contracts with physicians and hospitals. The Guide
tended to be reviewed annually by lawyers and updated. Each version of the Guide stated as
Caremark's and its predecessor's policy that no payments would be made in exchange for or to
induce patient referrals. But what one might deem a prohibited quid pro quo was not always clear.
Due to a scarcity of court decisions interpreting the ARPL, however, Caremark repeatedly publicly
stated that there was uncertainty concerning Caremark's interpretation of the law.
To clarify the scope of the ARPL, the United States Department of Health and Human Services
("HHS") issued "safe harbor" regulations in July 1991 stating conditions under which financial
relationships between health care service providers and patient referral sources, such as physicians,
would not violate the ARPL. Caremark contends that the narrowly drawn regulations gave limited
guidance as to the legality of many of the agreements used by Caremark that did not fall within the
safe-harbor. Caremark's predecessor, however, amended many of its standard forms of agreement
with health care providers and revised the Guide in an apparent attempt to comply with the new
regulations.
B. Government Investigation and Related Litigation
In August 1991, the HHS Office of the Inspector General ("OIG") initiated an investigation of
Caremark's predecessor. Caremark's predecessor was served with a subpoena requiring the
production of documents, including contracts between Caremark's predecessor and physicians
(Quality Service Agreements ("QSAs")). Under the QSAs, Caremark's predecessor appears to have
paid physicians fees for monitoring patients under Caremark's predecessor's care, including Medicare
and Medicaid recipients. Sometimes apparently those monitoring patients were referring physicians,
which raised ARPL concerns.
In March 1992, the Department of Justice ("DOJ") joined the OIG investigation and separate
investigations were commenced by several additional federal and state agencies. n2
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n2 In addition to investigating whether Caremark's financial relationships with health care providers
were intended to induce patient referrals, inquiries were made concerning Caremark's billing
practices, activities which might lead to excessive and medically unnecessary treatments for patients,
potentially improper waivers of patient co-payment obligations, and the adequacy of records kept at
Caremark pharmacies.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
C. Caremark's Response to the Investigation
During the relevant period, Caremark had approximately 7,000 employees and ninety branch
operations. It had a decentralized management structure. By May 1991, however, Caremark asserts
that it had begun making attempts to centralize its management structure in order to increase
supervision over its branch operations.
The first action taken by management, as a result of the initiation of the OIG investigation, was an
announcement that as of October 1, 1991, Caremark's predecessor would no longer pay
management fees to physicians for services to Medicare and Medicaid patients. Despite this decision,
Caremark asserts that its management, pursuant to advice, did not believe that such payments were
illegal under the existing laws and regulations.
During this period, Caremark's Board took several additional steps consistent with an effort to assure
compliance with company policies concerning the ARPL and the contractual forms in the Guide. In
April 1992, Caremark published a fourth revised version of its Guide apparently designed to assure
that its agreements either complied with the ARPL and regulations or excluded Medicare and
Medicaid patients altogether. In addition, in September 1992, Caremark instituted a policy requiring
its regional officers, Zone Presidents, to approve each contractual relationship entered into by
Caremark with a physician.
Although there is evidence that inside and outside counsel had advised Caremark's directors that
their contracts were in accord with the law, Caremark recognized that some uncertainty respecting
the correct interpretation of the law existed. In its 1992 annual report, Caremark disclosed the
ongoing government investigations, acknowledged that if penalties were imposed on the company
they could have a material adverse effect on Caremark's business, and stated that no assurance
could be given that its interpretation of the ARPL would prevail if challenged.
Throughout the period of the government investigations, Caremark had an internal audit plan
designed to assure compliance with business and ethics policies. In addition, Caremark employed
Price Waterhouse as its outside auditor. On February 8, 1993, the Ethics Committee of Caremark's
Board received and reviewed an outside auditors report by Price Waterhouse which concluded that
there were no material weaknesses in Caremark's control structure. n3 Despite the positive findings
of Price Waterhouse, however, on April 20, 1993, the Audit & Ethics Committee adopted a new
internal audit charter requiring a comprehensive review of compliance policies and the compilation of
an employee ethics handbook concerning such policies. n4
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n3 At that time, Price Waterhouse viewed the outcome of the OIG Investigation as uncertain. After
further audits, however, on February 7, 1995, Price Waterhouse informed the Audit & Ethics
Committee that it had not become aware of any irregularities or illegal acts in relation to the OIG
investigation.
n4 Price Waterhouse worked in conjunction with the Internal Audit Department.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Board appears to have been informed about this project and other efforts to assure compliance
with the law. For example, Caremark's management reported to the Board that Caremark's sales
force was receiving an ongoing education regarding the ARPL and the proper use of Caremark's form
contracts which had been approved by in-house counsel. On July 27, 1993, the new ethics manual,
expressly prohibiting payments in exchange for referrals and requiring employees to report all illegal
conduct to a toll free confidential ethics hotline, was approved and allegedly disseminated. n5 The
record suggests that Caremark continued these policies in subsequent years, causing employees to
be given revised versions of the ethics manual and requiring them to participate in training sessions
concerning compliance with the law.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n5 Prior to the distribution of the new ethics manual, on March 12, 1993, Caremark's president had
sent a letter to all senior, district, and branch managers restating Caremark's policies that no
physician be paid for referrals, that the standard contract forms in the Guide were not to be
modified, and that deviation from such policies would result in the immediate termination of
employment.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
During 1993, Caremark took several additional steps which appear to have been aimed at increasing
management supervision. These steps included new policies requiring local branch managers to
secure home office approval for all disbursements under agreements with health care providers and
to certify compliance with the ethics program. In addition, the chief financial officer was appointed
to serve as Caremark's compliance officer. In 1994, a fifth revised Guide was published.
D. Federal Indictments Against Caremark and Officers
On August 4, 1994, a federal grand jury in Minnesota issued a 47 page indictment charging
Caremark, two of its officers (not the firm's chief officer), an individual who had been a sales
employee of Genentech, Inc., and David R. Brown, a physician practicing in Minneapolis, with
violating the ARPL over a lengthy period. According to the indictment, over $ 1.1 million had been
paid to Brown to induce him to distribute Protropin, a human growth hormone drug marketed by
Caremark. n6 The substantial payments involved started, according to the allegations of the
indictment, in 1986 and continued through 1993. Some payments were "in the guise of research
grants", Ind. P20, and others were "consulting agreements", Ind. P19. The indictment charged, for
example, that Dr. Brown performed virtually none of the consulting functions described in his 1991
agreement with Caremark, but was nevertheless neither required to return the money he had
received nor precluded from receiving future funding from Caremark. In addition the indictment
charged that Brown received from Caremark payments of staff and office expenses, including
telephone answering services and fax rental expenses.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n6 In addition to prescribing Protropin, Dr. Brown had been receiving research grants from Caremark
as well as payments for services under a consulting agreement for several years before and after the
investigation. According to an undated document from an unknown source, Dr. Brown and six other
researchers had been providing patient referrals to Caremark valued at $ 6.55 for each $ 1 of
research money they received.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In reaction to the Minnesota Indictment and the subsequent filing of this and other derivative actions
in 1994, the Board met and was informed by management that the investigation had resulted in an
indictment; Caremark denied any wrongdoing relating to the indictment and believed that the OIG
investigation would have a favorable outcome. Management reiterated the grounds for its view that
the contracts were in compliance with law.
Subsequently, five stockholder derivative actions were filed in this court and consolidated into this
action. The original complaint, dated August 5, 1994, alleged, in relevant part, that Caremark's
directors breached their duty of care by failing adequately to supervise the conduct of Caremark
employees, or institute corrective measures, thereby exposing Caremark to fines and liability. n7
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n7 Caremark moved to dismiss this complaint on September 14, 1994. Prior to that motion, another
stockholder derivative action had been filed in the United States District Court for the Northern
District of Illinois, complaining of similar misconduct on the part of Caremark, its Directors, and
three employees, as well as several other claims including RICO violations. Brumberg v. Mieszala,
No. 94 C 4798 (N.D. Ill.). The federal court entered a stay of all proceedings pending resolution of
this case.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
On September 21, 1994, a federal grand jury in Columbus, Ohio issued another indictment alleging
that an Ohio physician had defrauded the Medicare program by requesting and receiving $ 134,600
in exchange for referrals of patients whose medical costs were in part reimbursed by Medicare in
violation of the ARPL. Although unidentified at that time, Caremark was the health care provider who
allegedly made such payments. The indictment also charged that the physician, Elliot Neufeld, D.O.,
was provided with the services of a registered nurse to work in his office at the expense of the
infusion company, in addition to free office equipment.
An October 28, 1994 amended complaint in this action added allegations concerning the Ohio
indictment as well as new allegations of over billing and inappropriate referral payments in
connection with an action brought in Atlanta, Booth v. Rankin. Following a newspaper article report
that federal investigators were expanding their inquiry to look at Caremark's referral practices in
Michigan as well as allegations of fraudulent billing of insurers, a second amended complaint was
filed in this action. The third, and final, amended complaint was filed on April 11, 1995, adding
allegations that the federal indictments had caused Caremark to incur significant legal fees and
forced it to sell its home infusion business at a loss. n8
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n8 On January 29, 1995, Caremark entered into a definitive agreement to sell its home infusion
business to Coram Health Care Company for approximately $ 310 million. Baxter purchased the
home infusion business in 1987 for $ 586 million.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
After each complaint was filed, defendants filed a motion to dismiss. According to defendants, if a
settlement had not been reached in this action, the case would have been dismissed on two
grounds. First, they contend that the complaints fail to allege particularized facts sufficient to excuse
the demand requirement under Delaware Chancery Court Rule 23.1. Second, defendants assert that
plaintiffs had failed to state a cause of action due to the fact that Caremark's charter eliminates
directors' personal liability for money damages, to the extent permitted by law.
E. Settlement Negotiations
In September, following the announcement of the Ohio indictment, Caremark publicly announced
that as of January 1, 1995, it would terminate all remaining financial relationships with physicians in
its home infusion, hemophilia, and growth hormone lines of business. n9 In addition, Caremark
asserts that it extended its restrictive policies to all of its contractual relationships with physicians,
rather than just those involving Medicare and Medicaid patients, and terminated its research grant
program which had always involved some recipients who referred patients to Caremark.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n9 On June 1, 1993, Caremark had stopped entering into new contractual agreements in those
business segments.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Caremark began settlement negotiations with federal and state government entities in May 1995. In
return for a guilty plea to a single count of mail fraud by the corporation, the payment of a criminal
fine, the payment of substantial civil damages, and cooperation with further federal investigations on
matters relating to the OIG investigation, the government entities agreed to negotiate a settlement
that would permit Caremark to continue participating in Medicare and Medicaid programs. On June
15, 1995, the Board approved a settlement ("Government Settlement Agreement") with the DOJ,
OIG, U.S. Veterans Administration, U.S. Federal Employee Health Benefits Program, federal Civilian
Health and Medical Program of the Uniformed Services, and related state agencies in all fifty states
and the District of Columbia. n10 No senior officers or directors were charged with wrongdoing in the
Government Settlement Agreement or in any of the prior indictments. In fact, as part of the
sentencing in the Ohio action on June 19, 1995, the United States stipulated that no senior
executive of Caremark participated in, condoned, or was willfully ignorant of wrongdoing in
connection with the home infusion business practices. n11
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n10 The agreement, covering allegations since 1986, required a Caremark subsidiary to enter a
guilty plea to two counts of mail fraud, and required Caremark to pay $ 29 million in criminal fines,
$ 129.9 million relating to civil claims concerning payment practices, $ 3.5 million for alleged
violations of the Controlled Substances Act, and $ 2 million, in the form of a donation, to a grant
program set up by the Ryan White Comprehensive AIDS Resources Emergency Act. Caremark also
agreed to enter into a compliance agreement with the HHS.
n11 On July 25, 1995, another shareholder derivative complaint was filed against Caremark and
seven of its Directors, asserting allegations related to the Minnesota indictment and the terms of the
Government Settlement Agreement. Lenzen v. Piccolo, No. 95 CH 7118 (Circuit Court of Cook
County, Illinois).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The federal settlement included certain provisions in a "Corporate Integrity Agreement" designed to
enhance future compliance with law. The parties have not discussed this agreement, except to say
that the negotiated provisions of the settlement of this claim are not redundant of those in that
agreement.
Settlement negotiations between the parties in this action commenced in May 1995 as well, based
upon a letter proposal of the plaintiffs, dated May 16, 1995. n12 These negotiations resulted in a
memorandum of understanding ("MOU"), dated June 7, 1995, and the execution of the Stipulation
and Agreement of Compromise and Settlement on June 28, 1995, which is the subject of this action.
n13 The MOU, approved by the Board on June 15, 1995, required the Board to adopt several
resolutions, discussed below, and to create a new compliance committee. The Compliance and Ethics
Committee has been reporting to the Board in accord with its newly specified duties.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n12 No government entities were involved in these separate, but concurrent negotiations.
n13 Plaintiff's initial proposal had both a monetary component, requiring Caremark's director-officers
to relinquish stock options, and a remedial component, requiring management to adopt and
implement several compliance related measures. The monetary component was subsequently
eliminated.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
After negotiating these settlements, Caremark learned in December 1995 that several private
insurance company payors ("Private Payors") believed that Caremark was liable for damages to them
for allegedly improper business practices related to those at issue in the OIG investigation. As a
result of intensive negotiations with the Private Payors and the Board's extensive consideration of
the alternatives for dealing with such claims, the Board approved a $ 98.5 million settlement
agreement with the Private Payors on March 18, 1996. In its public disclosure statement, Caremark
asserted that the settlement did not involve current business practices and contained an express
denial of any wrongdoing by Caremark. After further discovery in this action, the plaintiffs decided to
continue seeking approval of the proposed settlement agreement.
F. The Proposed Settlement of this Litigation
In relevant part the terms upon which these claims asserted are proposed to be settled are as
follows:
1. That Caremark, undertakes that it and its employees, and agents not pay any form of
compensation to a third party in exchange for the referral of a patient to a Caremark
facility or service or the prescription of drugs marketed or distributed by Caremark for
which reimbursement may be sought from Medicare, Medicaid, or a similar state
reimbursement program;
2. That Caremark undertakes for itself and its employees and agents not to pay to or
split fees with physicians, joint ventures, any business combination in which Caremark
maintains a direct financial interest, or other health care providers with whom Caremark
has a financial relationship or interest, in exchange for the referral of a patient to a
Caremark facility or service or the prescription of drugs marketed or distributed by
Caremark for which reimbursement may be sought from Medicare, Medicaid, or a similar
state reimbursement program;
3. That the full Board shall discuss all relevant material changes in government health
care regulations and their effect on relationships with health care providers on a semi-
annual basis;
4. That Caremark's officers will remove all personnel from health care facilities or
hospitals who have been placed in such facility for the purpose of providing remuneration
in exchange for a patient referral for which reimbursement may be sought from
Medicare, Medicaid, or a similar state reimbursement program;
5. That every patient will receive written disclosure of any financial relationship between
Caremark and the health care professional or provider who made the referral;
6. That the Board will establish a Compliance and Ethics Committee of four directors, two
of which will be non-management directors, to meet at least four times a year to
effectuate these policies and monitor business segment compliance with the ARPL, and
to report to the Board semi-annually concerning compliance by each business segment;
and
7. That corporate officers responsible for business segments shall serve as compliance
officers who must report semi-annually to the Compliance and Ethics Committee and,
with the assistance of outside counsel, review existing contracts and get advanced
approval of any new contract forms.
II. LEGAL PRINCIPLES
A. Principles Governing Settlements of Derivative Claims
As noted at the outset of this opinion, this Court is now required to exercise an informed judgment
whether the proposed settlement is fair and reasonable in the light of all relevant factors. Polk v.
Good, Del.Supr., 507 A.2d 531 (1986). On an application of this kind, this Court attempts to protect
the best interests of the corporation and its absent shareholders all of whom will be barred from
future litigation on these claims if the settlement is approved. The parties proposing the settlement
bear the burden of persuading the court that it is in fact fair and reasonable. Fins v. Pearlman,
Del.Supr., 424 A.2d 305 (1980).
B. Directors' Duties To Monitor Corporate Operations
The complaint charges the director defendants with breach of their duty of attention or care in
connection with the on-going operation of the corporation's business. The claim is that the directors
allowed a situation to develop and continue which exposed the corporation to enormous legal liability
and that in so doing they violated a duty to be active monitors of corporate performance. The
complaint thus does not charge either director self-dealing or the more difficult loyalty-type
problems arising from cases of suspect director motivation, such as entrenchment or sale of control
contexts. n14 The theory here advanced is possibly the most difficult theory in corporation law upon
which a plaintiff might hope to win a judgment. The good policy reasons why it is so difficult to
charge directors with responsibility for corporate losses for an alleged breach of care, where there is
no conflict of interest or no facts suggesting suspect motivation involved, were recently described in
Gagliardi v. TriFoods Int'l Inc., Del.Ch., 683 A.2d 1049 (1996) (1996 Del.Ch. LEXIS 87 at p.20).
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n14 See Weinberger v. UOP, Inc., Del.Supr., 457 A.2d 701, 711 (1983) (entire fairness test when
financial conflict of interest involved); Unitrin, Inc. v. American General Corp., Del.Supr., 651 A.2d
1361, 1372 (1995) (intermediate standard of review when "defensive" acts taken); QVC Network,
Inc. v. Paramount Communications, Inc., Del.Supr., 637 A.2d 34, 45 (1994) (intermediate test when
corporate control transferred).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
1. Potential liability for directoral decisions: Director liability for a breach of the duty to exercise
appropriate attention may, in theory, arise in two distinct contexts. First, such liability may be said
to follow from a board decision that results in a loss because that decision was ill advised or
"negligent". Second, liability to the corporation for a loss may be said to arise from an unconsidered
failure of the board to act in circumstances in which due attention would, arguably, have prevented
the loss. See generally Veasey & Seitz, The Business Judgment Rule in the Revised Model Act...63
TEXAS L. REV. 1483 (1985). The first class of cases will typically be subject to review under the
director-protective business judgment rule, assuming the decision made was the product of a
process that was either deliberately considered in good faith or was otherwise rational. See Aronson
v. Lewis, Del.Supr., 473 A.2d 805 (1984); Gagliardi v. TriFoods Int'l Inc., Del.Ch. 683 A.2d 1049
(1996). What should be understood, but may not widely be understood by courts or commentators
who are not often required to face such questions, n15 is that compliance with a director's duty of
care can never appropriately be judicially determined by reference to the content of the board
decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the
process employed. That is, whether a judge or jury considering the matter after the fact, believes a
decision substantively wrong, or degrees of wrong extending through "stupid" to "egregious" or
"irrational", provides no ground for director liability, so long as the court determines that the process
employed was either rational or employed in a good faith effort to advance corporate interests. To
employ a different rule -- one that permitted an "objective" evaluation of the decision -- would
expose directors to substantive second guessing by ill-equipped judges or juries, which would, in the
long-run, be injurious to investor interests. n16 Thus, the business judgment rule is process oriented
and informed by a deep respect for all good faith board decisions.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n15 See American Law Institute, Principles of Corporate Governance § 4.01(c) (to qualify for
business judgment treatment a director must "rationally" believe that the decision is in the best
interests of the corporation).
n16 The vocabulary of negligence while often employed, e.g., Aronson v. Lewis, Del. Supr., 473 A.2d
805 (1984) is not well-suited to judicial review of board attentiveness, see, e.g., Joy v. North, 692
F.2d 880, 885-6 (2d. Cir. 1982), especially if one attempts to look to the substance of the decision
as any evidence of possible "negligence." Where review of board functioning is involved, courts leave
behind as a relevant point of reference the decisions of the hypothetical "reasonable person", who
typically supplies the test for negligence liability. It is doubtful that we want business men and
women to be encouraged to make decisions as hypothetical persons of ordinary judgment and
prudence might. The corporate form gets its utility in large part from its ability to allow diversified
investors to accept greater investment risk. If those in charge of the corporation are to be adjudged
personally liable for losses on the basis of a substantive judgment based upon what persons of
ordinary or average judgment and average risk assessment talent regard as "prudent" "sensible" or
even "rational", such persons will have a strong incentive at the margin to authorize less risky
investment projects.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Indeed, one wonders on what moral basis might shareholders attack a good faith business decision
of a director as "unreasonable" or "irrational". Where a director in fact exercises a good faith effort
to be informed and to exercise appropriate judgment, he or she should be deemed to satisfy fully
the duty of attention. If the shareholders thought themselves entitled to some other quality of
judgment than such a director produces in the good faith exercise of the powers of office, then the
shareholders should have elected other directors. Judge Learned Hand made the point rather better
than can I. In speaking of the passive director defendant Mr. Andrews in Barnes v. Andrews, Judge
Hand said:
True, he was not very suited by experience for the job he had undertaken, but I cannot
hold him on that account. After all it is the same corporation that chose him that now
seeks to charge him....Directors are not specialists like lawyers or doctors....They are the
general advisors of the business and if they faithfully give such ability as they have to
their charge, it would not be lawful to hold them liable. Must a director guarantee that
his judgment is good? Can a shareholder call him to account for deficiencies that their
votes assured him did not disqualify him for his office? While he may not have been the
Cromwell for that Civil War, Andrews did not engage to play any such role. n17
In this formulation Learned Hand correctly identifies, in my opinion, the core element of any
corporate law duty of care inquiry: whether there was good faith effort to be informed and exercise
judgment.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n17 208 App. Div. 856 (S.D.N.Y. 1924).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
2. Liability for failure to monitor: The second class of cases in which director liability for inattention
is theoretically possible entail circumstances in which a loss eventuates not from a decision but, from
unconsidered inaction. Most of the decisions that a corporation, acting through its human agents,
makes are, of course, not the subject of director attention. Legally, the board itself will be required
only to authorize the most significant corporate acts or transactions: mergers, changes in capital
structure, fundamental changes in business, appointment and compensation of the CEO, etc. As the
facts of this case graphically demonstrate, ordinary business decisions that are made by officers and
employees deeper in the interior of the organization can, however, vitally affect the welfare of the
corporation and its ability to achieve its various strategic and financial goals. If this case did not
prove the point itself, recent business history would. Recall for example the displacement of senior
management and much of the board of Salomon, Inc.; n18 the replacement of senior management
of Kidder, Peabody following the discovery of large trading losses resulting from phantom trades by a
highly compensated trader; n19 or the extensive financial loss and reputational injury suffered by
Prudential Insurance as a result of its junior officers' misrepresentations in connection with the
distribution of limited partnership interests. n20 Financial and organizational disasters such as these
raise the question, what is the board's responsibility with respect to the organization and monitoring
of the enterprise to assure that the corporation functions within the law to achieve its purposes?
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n18 See, e.g., Rotten at the Core, the Economist, August 17, 1991, at 69-70, The Judgment of
Salomon: An Anticlimax, Bus. Week, June 1, 1992, at 106.
n19 See Terence P. Pare, Jack Welch's Nightmare on Wall Street, Fortune, Sept. 5, 1994, at 40-48.
n20 Michael Schroeder and Leah Nathans Spiro, Is George Ball's Luck Running Out?, Bus. Week,
November 8, 1993, at 74-76; Joseph B. Treaster, Prudential To Pay Policyholders $ 410 Million, New
York Times, Sept 25, 1996, (at D-1).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Modernly this question has been given special importance by an increasing tendency, especially
under federal law, to employ the criminal law to assure corporate compliance with external legal
requirements, including environmental, financial, employee and product safety as well as assorted
other health and safety regulations. In 1991, pursuant to the Sentencing Reform Act of 1984, n21
the United States Sentencing Commission adopted Organizational Sentencing Guidelines which
impact importantly on the prospective effect these criminal sanctions might have on business
corporations. The Guidelines set forth a uniform sentencing structure for organizations to be
sentenced for violation of federal criminal statutes and provide for penalties that equal or often
massively exceed those previously imposed on corporations. n22 The Guidelines offer powerful
incentives for corporations today to have in place compliance programs to detect violations of law,
promptly to report violations to appropriate public officials when discovered, and to take prompt,
voluntary remedial efforts.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n21 See Sentencing Reform Act of 1984, Pub.L. 98-473, Title II, § 212 (a)(2) (1984); 18 USCA §§
3331-4120.
n22 See United States Sentencing Commission, Guidelines Manual, Chapter 8 (U.S. Government
Printing Office November 1994).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In 1963, the Delaware Supreme Court in Graham v. Allis-Chalmers Mfg. Co., n23 addressed the
question of potential liability of board members for losses experienced by the corporation as a result
of the corporation having violated the anti-trust laws of the United States. There was no claim in
that case that the directors knew about the behavior of subordinate employees of the corporation
that had resulted in the liability. Rather, as in this case, the claim asserted was that the directors
ought to have known of it and if they had known they would have been under a duty to bring the
corporation into compliance with the law and thus save the corporation from the loss. The Delaware
Supreme Court concluded that, under the facts as they appeared, there was no basis to find that the
directors had breached a duty to be informed of the ongoing operations of the firm. In notably
colorful terms, the court stated that "absent cause for suspicion there is no duty upon the directors
to install and operate a corporate system of espionage to ferret out wrongdoing which they have no
reason to suspect exists." n24 The Court found that there were no grounds for suspicion in that case
and, thus, concluded that the directors were blamelessly unaware of the conduct leading to the
corporate liability. n25
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n23 41 Del. Ch. 78, 188 A.2d 125 (1963).
n24 Id. 188 A.2d at 130.
n25 Recently, the Graham standard was applied by the Delaware Chancery in a case involving
Baxter. In Re Baxter International, Inc. Shareholders Litig., Del.Ch., 654 A.2d 1268, 1270 (1995).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
How does one generalize this holding today? Can it be said today that, absent some ground giving
rise to suspicion of violation of law, that corporate directors have no duty to assure that a corporate
information gathering and reporting system exists which represents a good faith attempt to provide
senior management and the Board with information respecting material acts, events or conditions
within the corporation, including compliance with applicable statutes and regulations? I certainly do
not believe so. I doubt that such a broad generalization of the Graham holding would have been
accepted by the Supreme Court in 1963. The case can be more narrowly interpreted as standing for
the proposition that, absent grounds to suspect deception, neither corporate boards nor senior
officers can be charged with wrongdoing simply for assuming the integrity of employees and the
honesty of their dealings on the company's behalf. See 188 A.2d at 130-31.
A broader interpretation of Graham v. Allis Chalmers -- that it means that a corporate board has no
responsibility to assure that appropriate information and reporting systems are established by
management -- would not, in any event, be accepted by the Delaware Supreme Court in 1996, in my
opinion. In stating the basis for this view, I start with the recognition that in recent years the
Delaware Supreme Court has made it clear -- especially in its jurisprudence concerning takeovers,
from Smith v. Van Gorkom through QVC v. Paramount Communications n26 -- the seriousness with
which the corporation law views the role of the corporate board. Secondly, I note the elementary
fact that relevant and timely information is an essential predicate for satisfaction of the board's
supervisory and monitoring role under Section 141 of the Delaware General Corporation Law. Thirdly,
I note the potential impact of the federal organizational sentencing guidelines on any business
organization. Any rational person attempting in good faith to meet an organizational governance
responsibility would be bound to take into account this development and the enhanced penalties and
the opportunities for reduced sanctions that it offers.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n26 E.g., Smith v. Van Gorkom, Del.Supr., 488 A.2d 858 (1985); Paramount Communications v.
QVC Network, Del. Supr., 637 A.2d 34 (1993).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In light of these developments, it would, in my opinion, be a mistake to conclude that our Supreme
Court's statement in Graham concerning "espionage" means that corporate boards may satisfy their
obligation to be reasonably informed concerning the corporation, without assuring themselves that
information and reporting systems exist in the organization that are reasonably designed to provide
to senior management and to the board itself timely, accurate information sufficient to allow
management and the board, each within its scope, to reach informed judgments concerning both
the corporation's compliance with law and its business performance.
Obviously the level of detail that is appropriate for such an information system is a question of
business judgment. And obviously too, no rationally designed information and reporting system will
remove the possibility that the corporation will violate laws or regulations, or that senior officers or
directors may nevertheless sometimes be misled or otherwise fail reasonably to detect acts material
to the corporation's compliance with the law. But it is important that the board exercise a good faith
judgment that the corporation's information and reporting system is in concept and design adequate
to assure the board that appropriate information will come to its attention in a timely manner as a
matter of ordinary operations, so that it may satisfy its responsibility.
Thus, I am of the view that a director's obligation includes a duty to attempt in good faith to assure
that a corporate information and reporting system, which the board concludes is adequate, exists,
and that failure to do so under some circumstances may, in theory at least, render a director liable
for losses caused by non-compliance with applicable legal standards. n27 I now turn to an analysis
of the claims asserted with this concept of the directors' duty of care, as a duty satisfied in part by
assurance of adequate information flows to the board, in mind.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n27 Any action seeking recovery for losses would logically entail a judicial determination of proximate
cause, since, for reasons that I take to be obvious, it could never be assumed that an adequate
information system would be a system that would prevent all losses. I need not touch upon the
burden allocation with respect to a proximate cause issue in such a suit. See Cede & Co. v.
Technicolor, Inc., Del.Supr., 636 A.2d 956 (1994); Cinerama, Inc. v. Technicolor, Inc., Del.Ch., 663
A.2d 1134 (1994), aff'd., Del.Supr., 663 A.2d 1156 (1995). Moreover, questions of waiver of liability
under certificate provisions authorized by 8 Del.C. § 102(b)(7) may also be faced.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
III. ANALYSIS OF THIRD AMENDED COMPLAINT AND SETTLEMENT
A. The Claims
On balance, after reviewing an extensive record in this case, including numerous documents and
three depositions, I conclude that this settlement is fair and reasonable. In light of the fact that the
Caremark Board already has a functioning committee charged with overseeing corporate compliance,
the changes in corporate practice that are presented as consideration for the settlement do not
impress one as very significant. Nonetheless, that consideration appears fully adequate to support
dismissal of the derivative claims of director fault asserted, because those claims find no substantial
evidentiary support in the record and quite likely were susceptible to a motion to dismiss in all
events. n28
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n28 See In Re Baxter International, Inc. Shareholders Litig., Del.Ch., 654 A.2d 1268, 1270 (1995). A
claim in some respects similar to that here made was dismissed. The court relied, in part, on the
fact that the Baxter certificate of incorporation contained a provision as authorized by Section
102(b)(7) of the Delaware General Corporation Law, waiving director liability for due care violations.
Id. at 1270. That fact was thought to require pre-suit demand on the board in that case.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - -
In order to show that the Caremark directors breached their duty of care by failing adequately to
control Caremark's employees, plaintiffs would have to show either (1) that the directors knew or
(2) should have known that violations of law were occurring and, in either event, (3) that the
directors took no steps in a good faith effort to prevent or remedy that situation, and (4) that such
failure proximately resulted in the losses complained of, although under Cede & Co. v. Technicolor,
Inc., Del.Supr., 636 A.2d 956 (1994) this last element may be thought to constitute an affirmative
defense.
1. Knowing violation of statute: Concerning the possibility that the Caremark directors knew of
violations of law, none of the documents submitted for review, nor any of the deposition transcripts
appear to provide evidence of it. Certainly the Board understood that the company had entered into
a variety of contracts with physicians, researchers, and health care providers and it was understood
that some of these contracts were with persons who had prescribed treatments that Caremark
participated in providing. The board was informed that the company's reimbursement for patient care
was frequently from government funded sources and that such services were subject to the ARPL.
But the Board appears to have been informed by experts that the company's practices while
contestable, were lawful. There is no evidence that reliance on such reports was not reasonable.
Thus, this case presents no occasion to apply a principle to the effect that knowingly causing the
corporation to violate a criminal statute constitutes a breach of a director's fiduciary duty. See Roth
v. Robertson, N.Y.Sup.Ct., 64 Misc. 343, 118 N.Y.S. 351 (1909); Miller v. American Tel. & Tel Co.,
507 F.2d 759 (3rd Cir. 1974). It is not clear that the Board knew the detail found, for example, in
the indictments arising from the Company's payments. But, of course, the duty to act in good faith
to be informed cannot be thought to require directors to possess detailed information about all
aspects of the operation of the enterprise. Such a requirement would simply be inconsistent with the
scale and scope of efficient organization size in this technological age.
2. Failure to monitor: Since it does appear that the Board was to some extent unaware of the
activities that led to liability, I turn to a consideration of the other potential avenue to director
liability that the pleadings take: director inattention or "negligence". Generally where a claim of
directorial liability for corporate loss is predicated upon ignorance of liability creating activities within
the corporation, as in Graham or in this case, in my opinion only a sustained or systematic failure of
the board to exercise oversight -- such as an utter failure to attempt to assure a reasonable
information and reporting system exists -- will establish the lack of good faith that is a necessary
condition to liability. Such a test of liability -- lack of good faith as evidenced by sustained or
systematic failure of a director to exercise reasonable oversight -- is quite high. But, a demanding
test of liability in the oversight context is probably beneficial to corporate shareholders as a class, as
it is in the board decision context, since it makes board service by qualified persons more likely,
while continuing to act as a stimulus to good faith performance of duty by such directors.
Here the record supplies essentially no evidence that the director defendants were guilty of a
sustained failure to exercise their oversight function. To the contrary, insofar as I am able to tell on
this record, the corporation's information systems appear to have represented a good faith attempt
to be informed of relevant facts. If the directors did not know the specifics of the activities that led
to the indictments, they cannot be faulted.
The liability that eventuated in this instance was huge. But the fact that it resulted from a violation
of criminal law alone does not create a breach of fiduciary duty by directors. The record at this stage
does not support the conclusion that the defendants either lacked good faith in the exercise of their
monitoring responsibilities or conscientiously permitted a known violation of law by the corporation to
occur. The claims asserted against them must be viewed at this stage as extremely weak.
B. The Consideration For Release of Claim
The proposed settlement provides very modest benefits. Under the settlement agreement, plaintiffs
have been given express assurances that Caremark will have a more centralized, active supervisory
system in the future. Specifically, the settlement mandates duties to be performed by the newly
named Compliance and Ethics Committee on an ongoing basis and increases the responsibility for
monitoring compliance with the law at the lower levels of management. In adopting the resolutions
required under the settlement, Caremark has further clarified its policies concerning the prohibition
of providing remuneration for referrals. These appear to be positive consequences of the settlement
of the claims brought by the plaintiffs, even if they are not highly significant. Nonetheless, given the
weakness of the plaintiffs' claims the proposed settlement appears to be an adequate, reasonable,
and beneficial outcome for all of the parties. Thus, the proposed settlement will be approved.
IV. ATTORNEYS' FEES
The various firms of lawyers involved for plaintiffs seek an award of $ 1,025,000 in attorneys' fees
and reimbursable expenses. n29 In awarding attorneys' fees, this Court considers an array of
relevant factors. E.g., In Re Beatrice Companies, Inc. Litigation, 1986 Del. Ch. LEXIS 414, C.A. No.
8248, Allen, C. (Apr. 16, 1986). Such factors include, most importantly, the financial value of the
benefit that the lawyers' work produced; the strength of the claims (because substantial settlement
value may sometimes be produced even though the litigation added little value -- i.e., perhaps any
lawyer could have settled this claim for this substantial value or more); the amount of complexity of
the legal services; the fee customarily charged for such services; and the contingent nature of the
undertaking.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n29 Of the total requested amount, approximately $ 710,000 is designated as reimbursement for the
number of hours spent by the attorneys on the case, calculated at their normal billing rate, and $
53,000 for out-of-pocket expenses.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In this case no factor points to a substantial fee, other than the amount and sophistication of the
lawyer services required. There is only a modest substantive benefit produced; in the particular
circumstances of the government activity there was realistically a very slight contingency faced by
the attorneys at the time they expended time. The services rendered required a high degree of
sophistication and expertise. I am told that at normal hourly billing rates approximately $ 710,000 of
time was expended by the attorneys.
In these circumstances, I conclude that an award of a fee determined by reference to the time
expended at normal hourly rates plus a premium of 15% of that amount to reflect the limited degree
of real contingency in the undertaking, is fair. Thus I will award a fee of $ 816,000 plus $ 53,000 of
expenses advanced by counsel.
I am today entering an order consistent with the foregoing. n30
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n30 The court has been informed by letter of counsel that after the fairness of the proposed
settlement had been submitted to the court, Caremark was involved in a merger in which its stock
was canceled and the holders of its stock became entitled to shares of stock of the acquiring
corporation. No party to this suit, or the surviving corporation, has sought to dismiss this case
thereafter on the basis that plaintiffs have lost standing to sue. As plaintiffs continue to have an
equity interest in the entity that owns the claims and more especially because no party has moved
for any modification of the procedural setting of the matter submitted, I conclude that any merger
that may have occurred is without effect on the decision of the motion or the judgment to be
entered.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
IN THE SUPREME COURT OF THE STATE OF DELAWARE
WILLIAM STONE AND SANDRA STONE, derivatively on behalf of Nominal Defendant AmSOUTH BANCORPORATION, Plaintiffs Below, Appellants,
v.
C. DOWD RITTER, RONALD L. KUEHN, JR., CLAUDE B. NIELSEN, JAMES R. MALONE, EARNEST W. DAVENPORT, JR., MARTHA R. INGRAM, CHARLES D. McCRARY, CLEOPHUS THOMAS, JR., RODNEY C. GILBERT, VICTORIA B. JACKSON, J. HAROLD CHANDLER, JAMES E. DALTON, ELMER B. HARRIS, BENJAMIN F. PAYTON, and JOHN N. PALMER, Defendants Below, Appellees,
and
AmSOUTH BANCORPORATION, Nominal Defendant Below, Appellee.
No. 93, 2006
Court Below: Court of Chancery of the State of Delaware, in and for New Castle County, C.A. No. 1570-N
Submitted: October 5, 2006
Decided: November 6, 2006
Before STEELE, Chief Justice, HOLLAND, BERGER, JACOBS, and RIDGELY, Justices (constituting the Court en Banc).
Upon appeal from the Court of Chancery. AFFIRMED.
Brian D. Long, Esquire (argued) and Seth D. Rigrodsky, Esquire, of Rigrodsky & Long, P.A., Wilmington, Delaware, for appellants.
Jesse A. Finkelstein, Esquire, Raymond J. DiCamillo, Esquire, and Lisa Zwally Brown, Esquire, of Richards, Layton & Finger, Wilmington, Delaware, David B. Tulchin, Esquire (argued), L. Wiesel, Esquire, and Jacob F. M. Oslick, Esquire, of Sullivan & Cromwell LLP, New York, New York, for appellees.
HOLLAND, Justice:
This is an appeal from a final judgment of the Court of Chancery
dismissing a derivative complaint against fifteen present and former
directors of AmSouth Bancorporation (“AmSouth”), a Delaware
corporation. The plaintiffs-appellants, William and Sandra Stone, are
AmSouth shareholders and filed their derivative complaint without making a
pre-suit demand on AmSouth’s board of directors (the “Board”). The Court
of Chancery held that the plaintiffs had failed to adequately plead that such a
demand would have been futile. The Court, therefore, dismissed the
derivative complaint under Court of Chancery Rule 23.1.
The Court of Chancery characterized the allegations in the derivative
complaint as a “classic Caremark claim,” a claim that derives its name from
In re Caremark Int’l Deriv. Litig.1 In Caremark, the Court of Chancery
recognized that: “[g]enerally where a claim of directorial liability for
corporate loss is predicated upon ignorance of liability creating activities
within the corporation . . . only a sustained or systematic failure of the board
to exercise oversight–such as an utter failure to attempt to assure a
reasonable information and reporting system exists–will establish the lack of
good faith that is a necessary condition to liability.”2
1 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).
In this appeal, the plaintiffs acknowledge that the directors neither
“knew [n]or should have known that violations of law were occurring,” i.e.,
that there were no “red flags” before the directors. Nevertheless, the
plaintiffs argue that the Court of Chancery erred by dismissing the derivative
complaint which alleged that “the defendants had utterly failed to implement
any sort of statutorily required monitoring, reporting or information controls
that would have enabled them to learn of problems requiring their attention.”
The defendants argue that the plaintiffs’ assertions are contradicted by the
derivative complaint itself and by the documents incorporated therein by
reference.
Consistent with our opinion in In re Walt Disney Co. Deriv. Litig., we
hold that Caremark articulates the necessary conditions for assessing
director oversight liability.3 We also conclude that the Caremark standard
was properly applied to evaluate the derivative complaint in this case.
Accordingly, the judgment of the Court of Chancery must be affirmed.
2 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 971; see also David B. Shaev Profit Sharing Acct. v. Armstrong, 2006 WL 391931, at *5 (Del. Ch.); Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003).
3 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).
Facts
This derivative action is brought on AmSouth’s behalf by William and
Sandra Stone, who allege that they owned AmSouth common stock “at all
relevant times.” The nominal defendant, AmSouth, is a Delaware
corporation with its principal executive offices in Birmingham, Alabama.
During the relevant period, AmSouth’s wholly-owned subsidiary, AmSouth
Bank, operated about 600 commercial banking branches in six states
throughout the southeastern United States and employed more than 11,600
people.
In 2004, AmSouth and AmSouth Bank paid $40 million in fines and
$10 million in civil penalties to resolve government and regulatory
investigations pertaining principally to the failure by bank employees to file
“Suspicious Activity Reports” (“SARs”), as required by the federal Bank
Secrecy Act (“BSA”)4 and various anti-money-laundering (“AML”)
regulations.5 Those investigations were conducted by the United States
Attorney’s Office for the Southern District of Mississippi (“USAO”), the
Federal Reserve, FinCEN and the Alabama Banking Department. No fines
or penalties were imposed on AmSouth’s directors, and no other regulatory
action was taken against them.
4 31 U.S.C. § 5318 (2006) et seq. The Bank Secrecy Act and the regulations promulgated thereunder require banks to file with the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury known as “FinCEN,” a written “Suspicious Activity Report” (known as a “SAR”) whenever, inter alia, a banking transaction involves at least $5,000 “and the bank knows, suspects, or has reason to suspect” that, among other possibilities, the “transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities. . . .” 31 U.S.C. § 5318(g) (2006); 31 C.F.R. § 103.18(a)(2) (2006).
5 See, e.g., 31 C.F.R. § 103.18(a)(2) (2006).
The government investigations arose originally from an unlawful
“Ponzi” scheme operated by Louis D. Hamric, II and Victor G. Nance. In
August 2000, Hamric, then a licensed attorney, and Nance, then a registered
investment advisor with Mutual of New York, contacted an AmSouth branch
bank in Tennessee to arrange for custodial trust accounts to be created for
“investors” in a “business venture.” That venture (Hamric and Nance
represented) involved the construction of medical clinics overseas. In
reality, Nance had convinced more than forty of his clients to invest in
promissory notes bearing high rates of return, by misrepresenting the nature
and the risk of that investment. Relying on similar misrepresentations by
Hamric and Nance, the AmSouth branch employees in Tennessee agreed to
provide custodial accounts for the investors and to distribute monthly
interest payments to each account upon receipt of a check from Hamric and
instructions from Nance.
The Hamric-Nance scheme was discovered in March 2002, when the
investors did not receive their monthly interest payments. Thereafter,
Hamric and Nance became the subject of several civil actions brought by the
defrauded investors in Tennessee and Mississippi (and in which AmSouth
also was named as a defendant), and also the subject of a federal grand jury
investigation in the Southern District of Mississippi. Hamric and Nance
were indicted on federal money-laundering charges, and both pled guilty.
The authorities examined AmSouth’s compliance with its reporting
and other obligations under the BSA. On November 17, 2003, the USAO
advised AmSouth that it was the subject of a criminal investigation. On
October 12, 2004, AmSouth and the USAO entered into a Deferred
Prosecution Agreement (“DPA”) in which AmSouth agreed: first, to the
filing by USAO of a one-count Information in the United States District
Court for the Southern District of Mississippi, charging AmSouth with
failing to file SARs; and second, to pay a $40 million fine. In conjunction
with the DPA, the USAO issued a “Statement of Facts,” which noted that
although in 2000 “at least one” AmSouth employee suspected that Hamric
was involved in a possibly illegal scheme, AmSouth failed to file SARs in a
timely manner. In neither the Statement of Facts nor anywhere else did the
USAO ascribe any blame to the Board or to any individual director.
On October 12, 2004, the Federal Reserve and the Alabama Banking
Department concurrently issued a Cease and Desist Order against AmSouth,
requiring it, for the first time, to improve its BSA/AML program. That
Cease and Desist Order required AmSouth to (among other things) engage
an independent consultant “to conduct a comprehensive review of the
Bank’s AML Compliance program and make recommendations, as
appropriate, for new policies and procedures to be implemented by the
Bank.” KPMG Forensic Services (“KPMG”) performed the role of
independent consultant and issued its report on December 10, 2004 (the
“KPMG Report”).
Also on October 12, 2004, FinCEN and the Federal Reserve jointly
assessed a $10 million civil penalty against AmSouth for operating an
inadequate anti-money-laundering program and for failing to file SARs. In
connection with that assessment, FinCEN issued a written Assessment of
Civil Money Penalty (the “Assessment”), which included detailed
“determinations” regarding AmSouth’s BSA compliance procedures.
FinCEN found that “AmSouth violated the suspicious activity reporting
requirements of the Bank Secrecy Act,” and that “[s]ince April 24, 2002,
AmSouth has been in violation of the anti-money-laundering program
requirements of the Bank Secrecy Act.” Among FinCEN’s specific
determinations were its conclusions that “AmSouth’s [AML compliance]
program lacked adequate board and management oversight,” and that
“reporting to management for the purposes of monitoring and oversight of
compliance activities was materially deficient.” AmSouth neither admitted
nor denied FinCEN’s determinations in this or any other forum.
Demand Futility and Director Independence
It is a fundamental principle of the Delaware General Corporation
Law that “[t]he business and affairs of every corporation organized under
this chapter shall be managed by or under the direction of a board of
directors . . . .”6 Thus, “by its very nature [a] derivative action impinges on
the managerial freedom of directors.”7 Therefore, the right of a stockholder
to prosecute a derivative suit is limited to situations where either the
stockholder has demanded the directors pursue a corporate claim and the
directors have wrongfully refused to do so, or where demand is excused
because the directors are incapable of making an impartial decision
regarding whether to institute such litigation.8 Court of Chancery Rule 23.1,
accordingly, requires that the complaint in a derivative action “allege with
particularity the efforts, if any, made by the plaintiff to obtain the action the
plaintiff desires from the directors [or] the reasons for the plaintiff’s failure
to obtain the action or for not making the effort.”9
6 Del. Code Ann. tit. 8, § 141(a) (2006). See Rales v. Blasband, 634 A.2d 927, 932 (Del. 1993).
7 Pogostin v. Rice, 480 A.2d 619, 624 (Del. 1984).
8 Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984), overruled on other grounds by Brehm v. Eisner, 746 A.2d 244 (Del. 2000).
In this appeal, the plaintiffs concede that “[t]he standards for
determining demand futility in the absence of a business decision” are set
forth in Rales v. Blasband.10 To excuse demand under Rales, “a court must
determine whether or not the particularized factual allegations of a
derivative stockholder complaint create a reasonable doubt that, as of the
time the complaint is filed, the board of directors could have properly
exercised its independent and disinterested business judgment in responding
to a demand.”11 The plaintiffs attempt to satisfy the Rales test in this
proceeding by asserting that the incumbent defendant directors “face a
substantial likelihood of liability” that renders them “personally interested in
the outcome of the decision on whether to pursue the claims asserted in the
complaint,” and are therefore not disinterested or independent.12
9 Ch. Ct. R. 23.1. Allegations of demand futility under Rule 23.1 “must comply with stringent requirements of factual particularity that differ substantially from the permissive notice pleadings governed solely by Chancery Rule 8(a).” Brehm v. Eisner, 746 A.2d at 254.
10 Rales v. Blasband, 634 A.2d 927 (Del. 1993).
11 Id. at 934.
12 The fifteen defendants include eight current and seven former directors. The complaint concedes that seven of the eight current directors are outside directors who have never been employed by AmSouth. One board member, C. Dowd Ritter, the Chairman, is an officer or employee of AmSouth.
Critical to this demand excused argument is the fact that the directors’
potential personal liability depends upon whether or not their conduct can be
exculpated by the section 102(b)(7) provision contained in the AmSouth
certificate of incorporation.13 Such a provision can exculpate directors from
monetary liability for a breach of the duty of care, but not for conduct that is
not in good faith or a breach of the duty of loyalty.14 The standard for
assessing a director’s potential personal liability for failing to act in good
faith in discharging his or her oversight responsibilities has evolved
beginning with our decision in Graham v. Allis-Chalmers Manufacturing
Company,15 through the Court of Chancery’s Caremark decision to our most
recent decision in Disney.16 A brief discussion of that evolution will help
illuminate the standard that we adopt in this case.
Graham and Caremark
Graham was a derivative action brought against the directors of Allis-
Chalmers for failure to prevent violations of federal anti-trust laws by Allis-
Chalmers employees. There was no claim that the Allis-Chalmers directors
knew of the employees’ conduct that resulted in the corporation’s liability.
Rather, the plaintiffs claimed that the Allis-Chalmers directors should have
known of the illegal conduct by the corporation’s employees. In Graham,
this Court held that “absent cause for suspicion there is no duty upon the
directors to install and operate a corporate system of espionage to ferret out
wrongdoing which they have no reason to suspect exists.”17
13 Del. Code Ann. tit. 8, § 102(b)(7) (2006).
14 Id.; see In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).
15 Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125 (Del. 1963).
16 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).
In Caremark, the Court of Chancery reassessed the applicability of
our holding in Graham when called upon to approve a settlement of a
derivative lawsuit brought against the directors of Caremark International,
Inc. The plaintiffs claimed that the Caremark directors should have known
that certain officers and employees of Caremark were involved in violations
of the federal Anti-Referral Payments Law. That law prohibits health care
providers from paying any form of remuneration to induce the referral of
Medicare or Medicaid patients. The plaintiffs claimed that the Caremark
directors breached their fiduciary duty for having “allowed a situation to
develop and continue which exposed the corporation to enormous legal
liability and that in so doing they violated a duty to be active monitors of
corporate performance.”18
In evaluating whether to approve the proposed settlement agreement
in Caremark, the Court of Chancery narrowly construed our holding in
Graham “as standing for the proposition that, absent grounds to suspect
deception, neither corporate boards nor senior officers can be charged with
wrongdoing simply for assuming the integrity of employees and the honesty
of their dealings on the company’s behalf.”19 The Caremark Court opined it
would be a “mistake” to interpret this Court’s decision in Graham to mean
that:
corporate boards may satisfy their obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.20
17 Graham v. Allis-Chalmers Mfg. Co., 188 A.2d at 130 (emphasis added).
18 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).
To the contrary, the Caremark Court stated, “it is important that the
board exercise a good faith judgment that the corporation’s information and
reporting system is in concept and design adequate to assure the board that
appropriate information will come to its attention in a timely manner as a
matter of ordinary operations, so that it may satisfy its responsibility.”21 The
Caremark Court recognized, however, that “the duty to act in good faith to
be informed cannot be thought to require directors to possess detailed
information about all aspects of the operation of the enterprise.”22 The Court
of Chancery then formulated the following standard for assessing the
liability of directors where the directors are unaware of employee
misconduct that results in the corporation being held liable:
Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation, as in Graham or in this case, . . . only a sustained or systematic failure of the board to exercise oversight–such as an utter failure to attempt to assure a reasonable information and reporting system exists–will establish the lack of good faith that is a necessary condition to liability.23
19 Id. at 969.
20 Id. at 970.
21 Id.
Caremark Standard Approved
As evidenced by the language quoted above, the Caremark standard
for so-called “oversight” liability draws heavily upon the concept of director
failure to act in good faith. That is consistent with the definition(s) of bad
faith recently approved by this Court in its recent Disney24 decision, where
we held that a failure to act in good faith requires conduct that is
qualitatively different from, and more culpable than, the conduct giving rise
to a violation of the fiduciary duty of care (i.e., gross negligence).25 In
Disney, we identified the following examples of conduct that would
establish a failure to act in good faith:
A failure to act in good faith may be shown, for instance, where the fiduciary intentionally acts with a purpose other than that of advancing the best interests of the corporation, where the fiduciary acts with the intent to violate applicable positive law, or where the fiduciary intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for his duties. There may be other examples of bad faith yet to be proven or alleged, but these three are the most salient.26
22 Id. at 971.
23 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 971.
24 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27 (Del. 2006).
25 Id. at 66.
The third of these examples describes, and is fully consistent with, the
lack of good faith conduct that the Caremark court held was a “necessary
condition” for director oversight liability, i.e., “a sustained or systematic
failure of the board to exercise oversight–such as an utter failure to attempt
to assure a reasonable information and reporting system exists . . . .”27
Indeed, our opinion in Disney cited Caremark with approval for that
proposition.28 Accordingly, the Court of Chancery applied the correct
standard in assessing whether demand was excused in this case where failure
to exercise oversight was the basis or theory of the plaintiffs’ claim for
relief.
26 Id. at 67.
27 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 971 (Del. Ch. 1996).
28 In re Walt Disney Co. Deriv. Litig., 906 A.2d at 67 n.111.
It is important, in this context, to clarify a doctrinal issue that is
critical to understanding fiduciary liability under Caremark as we construe
that case. The phraseology used in Caremark and that we employ here—
describing the lack of good faith as a “necessary condition to liability”—is
deliberate. The purpose of that formulation is to communicate that a failure
to act in good faith is not conduct that results, ipso facto, in the direct
imposition of fiduciary liability.29 The failure to act in good faith may result
in liability because the requirement to act in good faith “is a subsidiary
element[,]” i.e., a condition, “of the fundamental duty of loyalty.”30 It
follows that because a showing of bad faith conduct, in the sense described
in Disney and Caremark, is essential to establish director oversight liability,
the fiduciary duty violated by that conduct is the duty of loyalty.
This view of a failure to act in good faith results in two additional
doctrinal consequences. First, although good faith may be described
colloquially as part of a “triad” of fiduciary duties that includes the duties of
care and loyalty,31 the obligation to act in good faith does not establish an
independent fiduciary duty that stands on the same footing as the duties of
care and loyalty. Only the latter two duties, where violated, may directly
result in liability, whereas a failure to act in good faith may do so, but
indirectly. The second doctrinal consequence is that the fiduciary duty of
loyalty is not limited to cases involving a financial or other cognizable
fiduciary conflict of interest. It also encompasses cases where the fiduciary
fails to act in good faith. As the Court of Chancery aptly put it in Guttman,
“[a] director cannot act loyally towards the corporation unless she acts in the
good faith belief that her actions are in the corporation’s best interest.”32
29 That issue, whether a violation of the duty to act in good faith is a basis for the direct imposition of liability, was expressly left open in Disney. 906 A.2d at 67 n.112. We address that issue here.
30 Guttman v. Huang, 823 A.2d 492, 506 n.34 (Del. Ch. 2003).
31 See Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 361 (Del. 1993).
We hold that Caremark articulates the necessary conditions predicate
for director oversight liability: (a) the directors utterly failed to implement
any reporting or information system or controls; or (b) having implemented
such a system or controls, consciously failed to monitor or oversee its
operations thus disabling themselves from being informed of risks or
problems requiring their attention. In either case, imposition of liability
requires a showing that the directors knew that they were not discharging
their fiduciary obligations.33 Where directors fail to act in the face of a
known duty to act, thereby demonstrating a conscious disregard for their
responsibilities,34 they breach their duty of loyalty by failing to discharge
that fiduciary obligation in good faith.35
32 Guttman v. Huang, 823 A.2d 492, 506 n.34 (Del. Ch. 2003).
33 Id. at 506.
34 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 67 (Del. 2006).
35 See Guttman v. Huang, 823 A.2d at 506.
Chancery Court Decision
The plaintiffs contend that demand is excused under Rule 23.1
because AmSouth’s directors breached their oversight duty and, as a result,
face a “substantial likelihood of liability” as a result of their “utter failure” to
act in good faith to put into place policies and procedures to ensure
compliance with BSA and AML obligations. The Court of Chancery found
that the plaintiffs did not plead the existence of “red flags” – “facts showing
that the board ever was aware that AmSouth’s internal controls were
inadequate, that these inadequacies would result in illegal activity, and that
the board chose to do nothing about problems it allegedly knew existed.” In
dismissing the derivative complaint in this action, the Court of Chancery
concluded:
This case is not about a board’s failure to carefully consider a material corporate decision that was presented to the board. This is a case where information was not reaching the board because of ineffective internal controls. . . . With the benefit of hindsight, it is beyond question that AmSouth’s internal controls with respect to the Bank Secrecy Act and anti-money laundering regulations compliance were inadequate. Neither party disputes that the lack of internal controls resulted in a huge fine--$50 million, alleged to be the largest ever of its kind. The fact of those losses, however, is not alone enough for a court to conclude that a majority of the corporation’s board of directors is disqualified from considering demand that AmSouth bring suit against those responsible.36
36 Stone v. Ritter, C.A. No. 1570-N (Del. Ch. 2006) (Letter Opinion).
This Court reviews de novo a Court of Chancery’s decision to dismiss a
derivative suit under Rule 23.1.37
Reasonable Reporting System Existed
The KPMG Report evaluated the various components of AmSouth’s
longstanding BSA/AML compliance program. The KPMG Report reflects
that AmSouth’s Board dedicated considerable resources to the BSA/AML
compliance program and put into place numerous procedures and systems to
attempt to ensure compliance. According to KPMG, the program’s various
components exhibited between a low and high degree of compliance with
applicable laws and regulations.
The KPMG Report describes the numerous AmSouth employees,
departments and committees established by the Board to oversee AmSouth’s
compliance with the BSA and to report violations to management and the
Board:
BSA Officer. Since 1998, AmSouth has had a “BSA Officer” “responsible for all BSA/AML-related matters including employee training, general communications, CTR reporting and SAR reporting,” and “presenting AML policy and program changes to the Board of Directors, the managers at the various lines of business, and participants in the annual training of security and audit personnel[;]”
BSA/AML Compliance Department. AmSouth has had for years a BSA/AML Compliance Department, headed by the BSA Officer and comprised of nineteen professionals, including a BSA/AML Compliance Manager and a Compliance Reporting Manager;
Corporate Security Department. AmSouth’s Corporate Security Department has been at all relevant times responsible for the detection and reporting of suspicious activity as it relates to fraudulent activity, and William Burch, the head of Corporate Security, has been with AmSouth since 1998 and served in the U.S. Secret Service from 1969 to 1998; and
Suspicious Activity Oversight Committee. Since 2001, the “Suspicious Activity Oversight Committee” and its predecessor, the “AML Committee,” have actively overseen AmSouth’s BSA/AML compliance program. The Suspicious Activity Oversight Committee’s mission has for years been to “oversee the policy, procedure, and process issues affecting the Corporate Security and BSA/AML Compliance Programs, to ensure that an effective program exists at AmSouth to deter, detect, and report money laundering, suspicious activity and other fraudulent activity.”
37 Beam ex rel. Martha Stewart Living Omnimedia Inc. v. Stewart, 845 A.2d 1040, 1048 (Del. 2004).
The KPMG Report reflects that the directors not only discharged their
oversight responsibility to establish an information and reporting system, but
also proved that the system was designed to permit the directors to
periodically monitor AmSouth’s compliance with BSA and AML
regulations. For example, as KPMG noted in 2004, AmSouth’s designated
BSA Officer “has made annual high-level presentations to the Board of
Directors in each of the last five years.” Further, the Board’s Audit and
Community Responsibility Committee (the “Audit Committee”) oversaw
AmSouth’s BSA/AML compliance program on a quarterly basis. The
KPMG Report states that “the BSA Officer presents BSA/AML training to
the Board of Directors annually,” and the “Corporate Security training is
also presented to the Board of Directors.”
The KPMG Report shows that AmSouth’s Board at various times
enacted written policies and procedures designed to ensure compliance with
the BSA and AML regulations. For example, the Board adopted an
amended bank-wide “BSA/AML Policy” on July 17, 2003–four months
before AmSouth became aware that it was the target of a government
investigation. That policy was produced to plaintiffs in response to their
demand to inspect AmSouth’s books and records pursuant to section 22038
and is included in plaintiffs’ appendix. Among other things, the July 17,
2003, BSA/AML Policy directs all AmSouth employees to immediately
report suspicious transactions or activity to the BSA/AML Compliance
Department or Corporate Security.
38 Del. Code Ann. tit. 8, § 220 (2006).
Complaint Properly Dismissed
In this case, the adequacy of the plaintiffs’ assertion that demand is
excused depends on whether the complaint alleges facts sufficient to show
that the defendant directors are potentially personally liable for the failure of
non-director bank employees to file SARs. Delaware courts have recognized
that “[m]ost of the decisions that a corporation, acting through its human
agents, makes are, of course, not the subject of director attention.”39
Consequently, a claim that directors are subject to personal liability for
employee failures is “possibly the most difficult theory in corporation law
upon which a plaintiff might hope to win a judgment.”40
For the plaintiffs’ derivative complaint to withstand a motion to
dismiss, “only a sustained or systematic failure of the board to exercise
oversight–such as an utter failure to attempt to assure a reasonable
information and reporting system exists–will establish the lack of good faith
that is a necessary condition to liability.”41 As the Caremark decision noted:
Such a test of liability–lack of good faith as evidenced by sustained or systematic failure of a director to exercise reasonable oversight–is quite high. But, a demanding test of liability in the oversight context is probably beneficial to corporate shareholders as a class, as it is in the board decision context, since it makes board service by qualified persons more likely, while continuing to act as a stimulus to good faith performance of duty by such directors.42
39 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d at 968.
40 Id. at 967.
41 Id. at 971.
42 Id. (emphasis in original).
The KPMG Report–which the plaintiffs explicitly incorporated by
reference into their derivative complaint–refutes the assertion that the
directors “never took the necessary steps . . . to ensure that a reasonable BSA
compliance and reporting system existed.” KPMG’s findings reflect that the
Board received and approved relevant policies and procedures, delegated to
certain employees and departments the responsibility for filing SARs and
monitoring compliance, and exercised oversight by relying on periodic
reports from them. Although there ultimately may have been failures by
employees to report deficiencies to the Board, there is no basis for an
oversight claim seeking to hold the directors personally liable for such
failures by the employees.
With the benefit of hindsight, the plaintiffs’ complaint seeks to equate
a bad outcome with bad faith. The lacuna in the plaintiffs’ argument is a
failure to recognize that the directors’ good faith exercise of oversight
responsibility may not invariably prevent employees from violating criminal
laws, or from causing the corporation to incur significant financial liability,
or both, as occurred in Graham, Caremark and this very case. In the
absence of red flags, good faith in the context of oversight must be measured
by the directors’ actions “to assure a reasonable information and reporting
system exists” and not by second-guessing after the occurrence of employee
conduct that results in an unintended adverse outcome.43 Accordingly, we
43 Id. at 967-68, 971.
hold that the Court of Chancery properly applied Caremark and dismissed
the plaintiffs’ derivative complaint for failure to excuse demand by alleging
particularized facts that created reason to doubt whether the directors had
acted in good faith in exercising their oversight responsibilities.
Conclusion
The judgment of the Court of Chancery is affirmed.
IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE
IN RE CITIGROUP INC. SHAREHOLDER DERIVATIVE LITIGATION
Civil Action No. 3338-CC
OPINION
Date Submitted: January 28, 2009 Date Decided: February 24, 2009
Pamela S. Tikellis, Meghan A. Adams, and Tiffany J. Cramer, of CHIMICLES & TIKELLIS LLP, Wilmington, Delaware; OF COUNSEL: Marvin A. Miller, of MILLER LAW LLC, Chicago, Illinois; Daniel W. Krasner, Peter C. Harrar, and Matthew M. Guiney, of WOLF HALDENSTEIN ADLER FREEMAN & HERZ LLP, New York, New York, Attorneys for Plaintiffs.
Gregory P. Williams and John D. Hendershot, of RICHARDS, LAYTON & FINGER, P.A., Wilmington, Delaware, Attorneys for Defendants and Nominal Defendant Citigroup Inc.
Brad S. Karp, Richard A. Rosen, and Susanna M. Buergel, of PAUL, WEISS, RIFKIND, WHARTON & GARRISON LLP, New York, New York, Attorneys for Defendants Charles Prince, Winfried Bischoff, Robert E. Rubin, David C. Bushnell, John C. Gerspach, Lewis B. Kaden, Sallie L. Krawcheck, and Gary Crittenden.
Robert D. Joffe and Richard W. Clary, of CRAVATH, SWAINE & MOORE LLP, New York, New York, Attorneys for Defendants C. Michael Armstrong, Alain J.P. Belda, George David, Kenneth T. Derr, John M. Deutch, Roberto Hernández Ramirez, Andrew N. Liveris, Anne M. Mulcahy, Richard D. Parsons, Judith Rodin, Robert L. Ryan, Franklin A. Thomas, Ann Dibble Jordan, Klaus Kleinfeld, and Dudley C. Mecum.
EFiled: Feb 24 2009 3:05PM EST, Transaction ID 23919905, Case No. 3338-CC
Lawrence B. Pedowitz, George T. Conway III, Jonathan M. Moses, and John F. Lynch, of WACHTELL, LIPTON, ROSEN & KATZ, New York, New York, Attorneys for Nominal Defendant Citigroup Inc.
CHANDLER, Chancellor
This is a shareholder derivative action brought on behalf of Citigroup Inc.
(“Citigroup” or the “Company”), seeking to recover for the Company its losses
arising from exposure to the subprime lending market. Plaintiffs, shareholders of
Citigroup, brought this action against current and former directors and officers of
Citigroup, alleging, in essence, that the defendants breached their fiduciary duties
by failing to properly monitor and manage the risks the Company faced from
problems in the subprime lending market and for failing to properly disclose
Citigroup’s exposure to subprime assets. Plaintiffs allege that there were extensive
“red flags” that should have given defendants notice of the problems that were
brewing in the real estate and credit markets and that defendants ignored these
warnings in the pursuit of short term profits and at the expense of the Company’s
long term viability.
Plaintiffs further allege that certain defendants are liable to the Company for
corporate waste for (1) allowing the Company to purchase $2.7 billion in subprime
loans from Accredited Home Lenders in March 2007 and from Ameriquest Home
Mortgage in September 2007; (2) authorizing and not suspending the Company’s
share repurchase program in the first quarter of 2007, which allegedly resulted in
the Company buying its own shares at “artificially inflated prices;” (3) approving a
multi-million dollar payment and benefit package for defendant Charles Prince,
whom plaintiffs describe as largely responsible for Citigroup’s problems, upon his
retirement as Citigroup’s CEO in November 2007; and (4) allowing the Company
to invest in structured investment vehicles (“SIVs”) that were unable to pay off
maturing debt.
Pending before the Court is defendants’ motion (1) to dismiss or stay the
action in favor of an action pending in the Southern District of New York (the
“New York Action”) or (2) to dismiss the complaint for failure to state a claim
under Court of Chancery Rule 12(b)(6) and for failure to properly plead demand
futility under Court of Chancery Rule 23.1. For the reasons set forth below, the
motion to stay or dismiss in favor of the New York Action is denied. The motion to
dismiss is denied as to the claim in Count III for waste for approval of the
November 4, 2007 Prince letter agreement. All other claims are dismissed for
failure to adequately plead demand futility pursuant to Rule 23.1.
I. BACKGROUND
A. The Parties
Citigroup is a global financial services company whose businesses provide a
broad range of financial services to consumers and businesses. Citigroup was
incorporated in Delaware in 1988 and maintains its principal executive offices in
New York, New York.
Defendants in this action are current and former directors and officers of
Citigroup. The complaint names thirteen members of the Citigroup board of
directors on November 9, 2007, when the first of plaintiffs’ now-consolidated
derivative actions was filed.1 Plaintiffs allege that a majority of the director
defendants were members of the Audit and Risk Management Committee (“ARM
Committee”) in 2007 and were considered audit committee financial experts as
defined by the Securities and Exchange Commission.
Plaintiffs Montgomery County Employees’ Retirement Fund, City of New
Orleans Employees’ Retirement System, Sheldon M. Pekin Irrevocable
Descendants Trust Dated 10/01/01, and Carole Kops are all owners of shares of
Citigroup stock.
B. Citigroup’s Exposure to the Subprime Crisis
Plaintiffs allege that since as early as 2006, defendants have caused and
allowed Citigroup to engage in subprime lending2 that ultimately left the Company
exposed to massive losses by late 2007.3 Beginning in late 2005, house prices,
which many believe were artificially inflated by speculation and easily available
1 The director defendants are C. Michael Armstrong, Alain J.P. Belda, George David, Kenneth T. Derr, John M. Deutch, Andrew N. Liveris, Anne M. Mulcahy, Richard D. Parsons, Roberto Hernández Ramirez, Judith Rodin, Robert E. Rubin, Robert L. Ryan, and Franklin A. Thomas (collectively, the “director defendants”). Plaintiffs and defendants agree that the director defendants constitute the board for demand futility purposes. The complaint also names (1) former Citigroup directors Ann Dibble Jordan, Klaus Kleinfeld, and Dudley C. Mecum and (2) former and current officers and senior management of Citigroup Charles Prince, Winfried Bischoff, David C. Bushnell, Gary Crittenden, John C. Gerspach, Lewis B. Kaden, and Sallie L. Krawcheck.
2 “Subprime” generally refers to borrowers who do not qualify for prime interest rates, typically due to weak credit histories, low credit scores, high debt-burden ratios, or high loan-to-value ratios.
3 The facts are drawn from the complaint and taken as true for purposes of the motion to dismiss.
credit, began to plateau, and then deflate. Adjustable rate mortgages issued earlier
in the decade began to reset, leaving many homeowners with significantly
increased monthly payments. Defaults and foreclosures increased, and assets
backed by income from residential mortgages began to decrease in value. By
February 2007, subprime mortgage lenders began filing for bankruptcy and
subprime mortgages packaged into securities began experiencing increasing levels
of delinquency. In mid-2007, rating agencies downgraded bonds backed by
subprime mortgages.
Much of Citigroup’s exposure to the subprime lending market arose from its
involvement with collateralized debt obligations (“CDOs”)—repackaged pools of
lower rated securities that Citigroup created by acquiring asset-backed securities,
including residential mortgage backed securities (“RMBSs”),4 and then selling
rights to the cash flows from the securities in classes, or tranches, with different
levels of risk and return. Included with at least some of the CDOs created by
Citigroup was a “liquidity put”—an option that allowed the purchasers of the
CDOs to sell them back to Citigroup at original value.
According to plaintiffs, Citigroup’s alleged $55 billion subprime exposure
was in two areas of the Company’s Securities & Banking Unit. The first portion
totaled $11.7 billion and included securities tied to subprime loans that were being
4 RMBSs are securities whose cash flows come from residential debt such as mortgages.
held until they could be added to debt pools for investors. The second portion
included $43 billion of super-senior securities, which are portions of CDOs backed
in part by RMBS collateral.5
By late 2007, it was apparent that Citigroup faced significant losses on its
subprime-related assets, including the following as alleged by plaintiffs:
October 1, 2007: Citigroup announced it would write-down approximately $1.4 billion on funded and unfunded highly leveraged finance commitments.
October 15, 2007: Citigroup issued a press release reporting a net income of $2.38 billion, a 57% decline from the Company’s prior year results.
November 4, 2007: Citigroup announced significant declines on the fair value of the approximately $55 billion in the Company’s U.S. subprime-related direct exposures, and estimated that further write downs would be between $8 and $11 billion.
November 6, 2007: Citigroup disclosed that it provided $7.6 billion of emergency financing to the seven SIVs the Company operated after they were unable to repay maturing debt. The SIVs drew on the $10 billion of so-called committed liquidity provided by Citigroup. On December 13, 2007 Citigroup bailed out seven of its affiliated SIVs by bringing $49 billion in assets onto its balance sheet and taking full responsibility for the SIVs’ $49 billion worth of assets.
January 15, 2008: Citigroup announced it would take an additional $18.1 billion write-down for the fourth quarter 2007 and a quarterly loss of $9.83 billion. Citigroup also announced that the Company lowered its dividend to $0.32 per share, a 40% decline from the Company’s previous dividend disbursement.
5 Rights to cash flows from CDOs are divided into tranches rated by credit risk, whereby the senior tranches are paid before the junior tranches.
By March 2008, Citigroup shares traded below book value and the Company announced that it would lay off an additional 2,000 employees, bringing Citigroup’s total layoff since the beginning of the subprime market crisis to more than 6,000.
July 18, 2008: Citigroup announced it lost $2.5 billion in the second quarter, largely caused by $7.2 billion of write-downs of Citigroup’s investments in mortgages and other loans and by weakness in the consumer market.
Plaintiffs also allege that Citigroup was exposed to the subprime mortgage
market through its use of SIVs. Banks can create SIVs by borrowing cash (by
selling commercial paper) and using the proceeds to purchase loans; in other
words, the SIVs sell short term debt and buy longer-term, higher yielding assets.
According to plaintiffs, Citigroup’s SIVs invested in riskier assets, such as home
equity loans, rather than the low-risk assets traditionally used by SIVs.
The problems in the subprime market left Citigroup’s SIVs unable to pay
their investors. The SIVs held subprime mortgages that had decreased in value,
and the normally liquid commercial paper market became illiquid. Because the
SIVs could no longer meet their cash needs by attracting new investors, they had to
sell assets at allegedly “fire sale” prices. In November 2007, Citigroup disclosed
that it provided $7.6 billion of emergency financing to the seven SIVs the
Company operated after they were unable to repay maturing debt. Ultimately,
Citigroup was forced to bail out seven of its affiliated SIVs by bringing $49 billion
in assets onto its balance sheet, notwithstanding that Citigroup previously
represented that it would manage the SIVs on an arms-length basis.
C. Plaintiffs’ Claims
Plaintiffs allege that defendants are liable to the Company for breach of
fiduciary duty for (1) failing to adequately oversee and manage Citigroup’s
exposure to the problems in the subprime mortgage market, even in the face of
alleged “red flags” and (2) failing to ensure that the Company’s financial reporting
and other disclosures were thorough and accurate.6 As will be more fully
explained below, the “red flags” alleged in the eighty-six page Complaint are
generally statements from public documents that reflect worsening conditions in
the financial markets, including the subprime and credit markets, and the effects
6 Plaintiffs also assert a claim for “reckless and gross mismanagement.” Consol. Second Am. Derivative Compl. (hereinafter, “Compl.”) ¶¶ 219-25. Delaware law does not recognize an independent cause of action against corporate directors and officers for reckless and gross mismanagement; such claims are treated as claims for breach of fiduciary duty. Delaware fiduciary duties are based in common law and have been carefully crafted to define the responsibilities of directors and managers, as fiduciaries, to the corporation. In defining these duties, the courts balance specific policy considerations such as the need to keep directors and officers accountable to shareholders and the degree to which the threat of personal liability may discourage beneficial risk taking. These common law standards thus govern the duties that directors and officers owe the corporation as well as claims such as those for “reckless and gross mismanagement,” even if those claims are asserted separate and apart from claims of breach of fiduciary duty. See Metro Commc’n Corp. BVI v. Advanced Mobilecomm Techs. Inc., 854 A.2d 121, 155-57 (Del. Ch. 2004); Albert v. Alex. Brown Mgmt. Servs., Inc., 2004 WL 2050527, at *6 (Del. Super. Sept. 15, 2004) (“[A] claim that a corporate manager acted with gross negligence is the same as a claim that she breached her fiduciary duty of care.”). Plaintiffs seem to agree that Count IV’s claims for “reckless and gross mismanagement” do not assert a separate cause of action against defendants. In the two sentences of their answering brief on the motion to dismiss that address Count IV, plaintiffs equate Count IV to their Caremark claim in Count I. Because I find that Count I fails, it follows that Count IV also fails.
those worsening conditions had on market participants, including Citigroup’s
peers. By way of example only, plaintiffs’ “red flags” include the following:
May 27, 2005: Economist Paul Krugman of the New York Times said he saw “signs that America’s housing market, like the stock market at the end of the last decade, is approaching the final, feverish stages of a speculative bubble.”
May 2006: Ameriquest Mortgage, one of the United States’ leading wholesale subprime lenders, announced the closing of each of its 229 retail offices and reduction of 3,800 employees.
February 12, 2007: ResMae Mortgage, a subprime lender, filed for bankruptcy. According to Bloomberg, in its Chapter 11 filing, ResMae stated that “[t]he subprime mortgage market has recently been crippled and a number of companies stopped originating loans and United States housing sales have slowed and defaults by borrowers have risen.”
April 18, 2007: Freddie Mac announced plans to refinance up to $20 billion of loans held by subprime borrowers who would be unable to afford their adjustable-rate mortgages at the reset rate.
July 10, 2007: Standard and Poor’s and Moody’s downgraded bonds backed by subprime mortgages.
August 1, 2007: Two hedge funds managed by Bear Stearns that invested heavily in subprime mortgages declared bankruptcy.
August 9, 2007: American International Group, one of the largest United States mortgage lenders, warned that mortgage defaults were spreading beyond the subprime sector, with delinquencies becoming more common among borrowers in the category just above subprime.
October 18, 2007: Standard & Poor’s cut the credit ratings on $23.35 billion of securities backed by pools of home loans that were offered to borrowers during the first half of the year. The downgrades even
hit securities rated AAA, which was the highest of the ten investment-grade ratings and the rating of government debt.7
Plaintiffs also allege that the director defendants and certain other
defendants are liable to the Company for waste for: (1) allowing the Company to
purchase $2.7 billion in subprime loans from Accredited Home Lenders in March
2007 and from Ameriquest Home Mortgage in September 2007; (2) authorizing
and not suspending the Company’s share repurchase program in the first quarter of
2007, which allegedly resulted in the Company buying its own shares at
“artificially inflated prices;” (3) approving a multi-million dollar payment and
benefit package for defendant Prince upon his retirement as Citigroup’s CEO in
November 2007; and (4) allowing the Company to invest in SIVs that were unable
to pay off maturing debt.
D. The Procedural History
1. The New York Action
The first New York Action was filed on November 6, 2007 in the United
States District Court for the Southern District of New York. On August 22, 2008,
the five pending derivative actions were consolidated as In re Citigroup, Inc.
Shareholder Derivative Litigation, No 07 Civ. 9841, and on September 23, 2008,
the Court appointed lead counsel and lead plaintiffs. Plaintiffs filed a consolidated
7 Compl. ¶¶ 73-74. I have provided only a small sample of the numerous “red flags” alleged in the Complaint.
complaint on November 10, 2008, alleging: (1) violation of the Securities
Exchange Act of 1934 (“Exchange Act”) § 10(b) and Rule 10b-5 (derivatively on
behalf of Citigroup); (2) breach of fiduciary duties of care, loyalty, and good faith;
(3) breach of fiduciary duty for insider trading and misappropriation of
information; (4) breach of fiduciary duty of disclosure; (5) waste of corporate
assets; and (6) unjust enrichment. Defendants filed a motion to dismiss on
December 23, 2008, and pursuant to the schedule set by the Federal District Court,
the motion to dismiss the New York Action will be fully briefed by late February
2009.
2. The Delaware Action
This action was commenced on November 9, 2007, and the four pending
actions were consolidated on February 5, 2008. Defendants filed a motion to
dismiss the Consolidated Amended Derivative Complaint on April 21, 2008.
Plaintiffs responded by filing a Consolidated Second Amended Derivative
Complaint (the “Complaint”), which was accepted by the Court on September 15,
2008. Pending before the Court is defendants’ motion to dismiss or stay.
II. MOTION TO DISMISS OR STAY IN
FAVOR OF THE NEW YORK ACTION
A. Legal Standard
Defendants seek a stay of this action in favor of the New York Action.
Under McWane, this Court may, in the exercise of its discretion, stay an action
“when there is a prior action pending elsewhere, in a court capable of doing prompt
and complete justice, involving the same parties and the same issues.”8 Such
discretion allows the Court, for reasons of comity and the fair and orderly
administration of justice, to ensure that a plaintiff’s choice of forum is not defeated
and to properly confine litigation to the forum in which it is first commenced.9
Where, however, the actions are contemporaneously filed such that the action
pending elsewhere is not considered “first-filed,” the Court will consider the
motion “under the traditional forum non conveniens framework without regard to a
McWane-type preference of one action over the other.”10 Where, as here, the
actions were filed within the same general time frame, the Court considers the
actions simultaneously filed so as to avoid a “race to the courthouse.”11 Because
the actions were filed only a few days apart, I consider them contemporaneous.12
8 McWane Cast Iron Pipe Corp. v. McDowell-Wellman Eng’g Co., 263 A.2d 281, 283 (Del. 1970).
9 See id.
10 In re The Bear Stearns Cos. S’holder Litig., C.A. No. 3643-VCP, 2008 WL 959992, at *5 (Del. Ch. Apr. 9, 2008) (quoting Rapoport v. The Litig. Trust of MDIP Inc., C.A. No. 1035-N, 2005 WL 3277911, at *2 (Del. Ch. Nov. 23, 2005)); see County of York Employees Ret. Plan v. Merrill Lynch & Co., C.A. No. 4066-VCN, 2008 WL 4824053, at *3 (Del. Ch. Oct. 28, 2008).
11 Merrill Lynch, 2008 WL 4824053, at *3 (citing Texas Instruments Inc. v. Cyrix Corp., C.A. No. 13288, 1994 WL 96983, at *3-4 (Del. Ch. Mar. 22, 1994)).
12 Bear Stearns, 2008 WL 959992, at *5 (treating actions filed three days apart as contemporaneous). The parties agree that the New York Action was first commenced on November 6, 2007. Plaintiffs assert that this action was first commenced on November 7, 2007—meaning it was filed the day after the New York Action. The Court’s records, however, indicate that this action was first commenced on November 9, 2007. Even assuming the November 9, 2007 filing, however, I still consider the actions contemporaneously filed.
Additionally, even where there is a first filed derivative or class action, this
Court has recognized the difficulty presented by the McWane doctrine. A
shareholder plaintiff in a derivative suit alleges claims in the right of the
corporation rather than directly; thus, representative actions raise the concern that
the best interest of the class might diverge from the best interest of the
representative plaintiff’s attorneys. To avoid exacerbating this potential conflict,
the Court gives less weight to the first filed status of a lawsuit, and instead “will
examine more closely the relevant factors bearing on where the case should best
proceed, using something akin to a forum non conveniens analysis.”13 I turn now
to the forum non conveniens standard.
When assessing whether to stay or dismiss an action under the doctrine of
forum non conveniens this Court considers six factors:
1) the applicability of Delaware law in the action; 2) the relative ease of access to proof; 3) the availability of compulsory process for witnesses; 4) the pendency or non-pendency of any similar actions in other jurisdictions; 5) the possibility of a need to view the premises; and 6) all other practical considerations which would serve to make the trial easy, expeditious and inexpensive.14
13 Biondi v. Scrushy, 820 A.2d 1148, 1159 & n.22 (Del. Ch. 2003) (“Where one person seeking to act in a representative capacity chooses to litigate in Delaware and another in a different forum, there is little reason to accord decisive weight to the priority of filing, at least where no prejudicial delay has occurred. Other factors bearing on the convenience of the parties and the interests of Delaware in resolving the dispute will be more important.”). See Ryan v. Gifford, 918 A.2d 341, 349 (Del. Ch. 2007).
14 In re Chambers Dev. Co. S’holders Litig., C.A. No. 12508, 1993 WL 179335, at *2 (Del. Ch. May 20, 1993).
A party is not entitled to a stay as a matter of right; rather, the granting of a motion
to stay rests with the sound discretion of the Court. This Court is rightfully
hesitant to grant motions to stay based on forum non conveniens, and the doctrine
is not a vehicle by which the Court should determine which forum would be most
convenient for the parties.15 Rather, a defendant bears the burden of showing
entitlement to a stay or dismissal on grounds of forum non conveniens: in a case
where a stay will likely have substantially the same effect as a dismissal, the
defendant must show that one or more of the factors, either separately or together,
would subject the defendant to sufficient hardship to warrant staying the
proceedings.16
15 See Taylor v. LSI Logic Corp., 689 A.2d 1196, 1199 (Del. 1997) (“An action may not be dismissed upon bare allegations of inconvenience without a particularized showing of the hardships relied upon.”).
16 Bear Stearns, 2008 WL 959992, at *5 (“Motions to stay litigation on grounds of forum non conveniens are granted only in the rare case.”); Aveta, Inc. v. Colon, 942 A.2d 603, 608 (Del. Ch. 2008) (“[T]o achieve a stay or dismissal for forum non conveniens, a defendant must demonstrate that litigating in the plaintiff’s chosen forum would present an overwhelming hardship.”); Ryan, 918 A.2d at 351 (citing Berger v. Intelident Solutions, Inc., 906 A.2d 134 (Del. 2006)). I am aware of the so-called debate as to whether there exists a different standard for staying, rather than dismissing, litigation on forum non conveniens grounds. See Kolber v. Holyoke Shares, Inc., 213 A.2d 444, 446-47 (Del. 1965); Sprint Nextel Corp. v. iPCS, Inc., C.A. No. 3746-VCP, 2008 WL 4516645, at *2 n.8 (Del. Ch. Oct. 8, 2008); Bear Stearns, 2008 WL 959992, at *5 n.22; Brandin v. Deason, 941 A.2d 1020, 1024 n.13 (Del. Ch. 2007); HFTP Invs. v. ARIAD Pharm., Inc., 752 A.2d 115, 121 (Del. Ch. 1999). I see no reason, however, to make such a distinction in a case in which a stay would likely have the same ultimate effect as a dismissal. This Court has clearly articulated the policy justifications for requiring a showing of overwhelming hardship in order to dismiss on grounds of forum non conveniens, for example, (1) the plaintiff’s interest in litigating in the chosen forum, (2) Delaware’s interest in deciding issues of Delaware law, and (3) Delaware’s interest in adjudicating disputes involving Delaware entities. See, e.g., In re Topps Co. S’holders Litig., 924 A.2d 951, 956-64 (Del. Ch. 2007). Those same policy justifications apply when the Court is considering a motion to stay on grounds of forum non conveniens that would have the same practical effect as dismissal.
B. Forum Non Conveniens Analysis
Although there may be some overlap with the New York Action, defendants
have failed to meet their burden of showing hardship that would entitle them to a
stay or dismissal in favor of the New York Action.17 First, Delaware law applies
to this action. Citigroup is incorporated in Delaware, and the fiduciary duties owed
by its officers and directors are governed by Delaware law. Defendants argue that
this case does not pose novel issues of Delaware law and only calls for application
of the established doctrines governing Caremark and waste claims to the facts in
this case. Of course, the contextual application of Delaware fiduciary duty law is
not novel. This case, however, raises important issues regarding the standards
governing directors and officers of Delaware corporations, and Delaware has an
ongoing interest in applying our law to director conduct in the context of current
While there are certainly significant procedural differences, in many cases the practical effect of staying litigation in favor of a lawsuit pending in another jurisdiction is the same as ordering dismissal. A stay in favor of another action results in the action in Delaware being put on hold until the resolution of the action in another jurisdiction, at which point principles of res judicata would likely apply. In light of this practical consideration, this Court must defer to the doctrine of the Supreme Court of this State, and the policy considerations underlying such doctrine, and should be extremely chary about disposing of cases on grounds of forum non conveniens, either by granting dismissal or a stay. See, e.g., Candlewood Timber Group, LLC v. Pan Am. Energy, LLC, 859 A.2d 989, 998 (Del. 2004); Mar-Land Indus. Contractors, Inc. v. Caribbean Petroleum Ref., L.P., 777 A.2d 774, 777-778 (Del. 2001). To do otherwise would allow and encourage defendants to move this Court for a stay, rather than a dismissal, and thereby achieve the same result without the showing of hardship articulated by the Supreme Court.
17 Alternatively, even if the Court were to apply a preponderance of the evidence standard rather than requiring a showing of hardship, this case would still not warrant a stay. As in Merrill Lynch, “nothing in the forum non conveniens analysis offers any persuasive reason for rejecting the Plaintiff’s choice of forum for the bringing of its claims.” Merrill Lynch, 2008 WL 4824053, at *4.
market conditions—conditions which change rapidly and pose new challenges for
directors and officers of Delaware corporations.18
Second, the relative ease of access to proof should not be accorded much
weight in this case. Although access to proof may be marginally easier in New
York, collecting evidence from other jurisdictions is regularly handled with ease in
this Court.19
Third, the availability of compulsory process for witnesses should not be
given much weight in this case. Although witnesses may be located in New York,
“the process of issuing commissions to take discovery in another state is efficient,
effective, and routinely accomplished.”20 Defendants have failed to identify
documents or witnesses that will be unavailable if litigation continues in Delaware.
Fourth, although there is an action pending in New York that arises out of
the same nucleus of operative fact, the pendency of such action does not give rise
to the hardship required to establish entitlement to a stay. Although some overlap
may result, the pendency of a similar action in another jurisdiction regarding
corporate governance issues under Delaware law does not necessarily override the
interest of Delaware in resolving such claims. Defendants argue that a stay should
be granted because the New York Court is the only court capable of granting
18 See id. at *3; Topps, 924 A.2d at 954 (“When new issues arise, the state of incorporation has a particularly strong interest in addressing them, and providing guidance.”).
19 See Merrill Lynch, 2008 WL 4824053, at *3. It is also highly unlikely that this case will require a view of the premises.
20 Id.
complete relief because the New York Action includes claims that can only be
adjudicated in federal court, specifically claims under Exchange Act § 10(b) and
Rule 10b-5. In response, plaintiffs argue that this Court should refuse to grant a
stay because the complaint in the New York Action contains meager Caremark
allegations compared to the Complaint in this action. According to plaintiffs, the
claims in the New York Action are primarily for securities fraud and insider
trading and set forth demand futility allegations based on defendants’
misrepresentations, omissions, and insider sales.
While the authority of one Court to grant complete relief may be a relevant
consideration under the pendency of similar actions prong of the forum non
conveniens analysis, it is not outcome determinative. In this case, it does not even
approach the required showing of hardship defendants would have to make in
order to warrant a stay of the proceedings, and I need not further scrutinize the
arguments on this prong of the test.
Finally, the “important and atypical practical considerations,” described by
the Bear Stearns Court as sui generis, are not present in this case.21 In Bear
Stearns, the Court was faced with a case involving the Federal Reserve Bank and
the Department of the Treasury in which inconsistent rulings could “negatively
impact not only the parties involved, but also the U.S. financial markets and the
21 Bear Stearns, 2008 WL 959992, at *6-8.
national economy.”22 In light of, among other things, “the persuasive practical
reasons against embarking unnecessarily on a collision course with our sister court
in New York in these extraordinary circumstances,” the Court granted the motion
for a stay after finding that the defendants had shown that failure to stay the action
would result in overwhelming hardship.23 Defendants in this action have not
shown analogous practical circumstances or that proceeding in Delaware would
result in significant hardship. The essence of defendants’ argument in favor of the
stay is that the Court in the New York Action is capable of hearing all the claims
and that it would be more expedient and convenient to litigate in New York rather
than Delaware.24 Such considerations, however, without more, are not sufficient
to entitle defendants to a stay on forum non conveniens grounds.
III. THE MOTION TO DISMISS UNDER RULE 23.1
A. The Legal Standard for Demand Excused
The decision whether to initiate or pursue a lawsuit on behalf of the
corporation is generally within the power and responsibility of the board of
directors.25 This follows from the “cardinal precept of the General Corporation
Law of the State of Delaware . . . that directors, rather than shareholders, manage
22 Id. at *8; see Merrill Lynch, 2008 WL 4824053, at *4.
23 Bear Stearns, 2008 WL 959992, at *8.
24 The New York Action is pending in the Southern District of New York before Judge Sidney H. Stein. The decision not to stay this action should not be seen as reflecting on the expertise of Judge Stein, who, to my knowledge, is an excellent jurist, fully capable of adjudicating issues of Delaware law.
25 8 Del. C. § 141(a).
the business and affairs of the corporation.”26 Accordingly, in order to cause the
corporation to pursue litigation, a shareholder must either (1) make a pre-suit
demand by presenting the allegations to the corporation’s directors, requesting that
they bring suit, and showing that they wrongfully refused to do so, or (2) plead
facts showing that demand upon the board would have been futile.27 Where, as
here, a plaintiff does not make a pre-suit demand on the board of directors, the
complaint must plead with particularity facts showing that a demand on the board
would have been futile.28 The purpose of the demand requirement is not to
insulate defendants from liability; rather, the demand requirement and the strict
requirements of factual particularity under Rule 23.1 “exist[] to preserve the
primacy of board decisionmaking regarding legal claims belonging to the
corporation.”29
Under the familiar Aronson test, to show demand futility, plaintiffs must
provide particularized factual allegations that raise a reasonable doubt that “(1) the
directors are disinterested and independent [or] (2) the challenged transaction was
otherwise the product of a valid exercise of business judgment.”30 Where,
however, plaintiffs complain of board inaction and do not challenge a specific
26 Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984).
27 See Stone v. Ritter, 911 A.2d 362, 366-67 (Del. 2006).
28 Ct. Ch. R. 23.1(a); see Stone, 911 A.2d at 367 n.9; Brehm v. Eisner, 746 A.2d 244, 254 (Del. 2000).
29 Am. Int’l Group, Inc., Consol. Derivative Litig., C.A. No. 769-VCS, 2009 WL 366613, at *29 (Del. Ch. Feb. 10, 2009).
30 Brehm, 746 A.2d at 253 (quoting Aronson, 473 A.2d at 814).
decision of the board, there is no “challenged transaction,” and the ordinary
Aronson analysis does not apply.31 Instead, to show demand futility where the
subject of the derivative suit is not a business decision of the board, a plaintiff must
allege particularized facts that “create a reasonable doubt that, as of the time the
complaint is filed, the board of directors could have properly exercised its
independent and disinterested business judgment in responding to a demand.”32
In evaluating whether demand is excused, the Court must accept as true the
well pleaded factual allegations in the Complaint. The pleadings, however, are
held to a higher standard under Rule 23.1 than under the permissive notice
pleading standard under Court of Chancery Rule 8(a). To establish that demand is
excused under Rule 23.1, the pleadings must comply with “stringent requirements
of factual particularity” and set forth “particularized factual statements that are
essential to the claim.”33 “A prolix complaint larded with conclusory language . . .
does not comply with these fundamental pleading mandates.”34
Plaintiffs have not alleged that a majority of the board was not independent
for purposes of evaluating demand. Rather, as to the claims for waste asserted in
Count III, plaintiffs allege that the approval of certain transactions did not
constitute a valid exercise of business judgment under the second prong of the
31 Rales v. Blasband, 634 A.2d 927, 933-34 (Del. 1993).
32 Id. at 934.
33 Brehm, 746 A.2d at 254.
34 Id.
Aronson test. Plaintiffs allege that demand is futile as to Counts I, II, and IV
because the director defendants are not able to exercise disinterested business
judgment in responding to a demand because their failure of oversight subjects
them to a substantial likelihood of personal liability. According to plaintiffs, the
director defendants face a substantial threat of personal liability because their
conscious disregard of their duties and lack of proper supervision and oversight
caused the Company to be overexposed to risk in the subprime mortgage market.
Demand is not excused solely because the directors would be deciding to sue
themselves.35 Rather, demand will be excused based on a possibility of personal
director liability only in the rare case when a plaintiff is able to show director
conduct that is “so egregious on its face that board approval cannot meet the test of
business judgment, and a substantial likelihood of director liability therefore
exists.”36
35 Jacobs v. Yang, C.A. No. 206-N, 2004 WL 1728521, at *6 n.31 (Del. Ch. Aug. 2, 2004).
36 Aronson, 473 A.2d at 815. The Complaint appears to allege that demand on defendants Rubin and Ramirez would be futile because 1) Rubin faces a substantial threat of personal liability because he benefited personally by wrongfully selling stock while in possession of material non-public information; 2) Rubin is beholden to defendants Belda, Derr, and Parsons due to the extraordinary monetary compensation and other benefits they approved for him while he was a director and despite his lack of operational responsibility; and 3) Ramirez is not independent because he ran a subsidiary of Citigroup and received security and other services valued at more than $2 million from Citigroup while doing so. See Compl. ¶¶ 181-82. The Court does not need to determine the adequacy of these demand futility allegations because plaintiffs have not made similar individualized allegations regarding the other director defendants. Thus, even if the allegations in the Complaint are sufficient to excuse demand as to Rubin and Ramirez, plaintiffs have still failed to properly plead demand futility for a majority of the director defendants. As further explained below, instead of providing similar individualized assertions for the other director defendants, plaintiffs rely on the “group” accusation mode of pleading demand futility. Had plaintiffs provided individual allegations as to each of the director defendants, the outcome of this case may have been different.
B. Demand Futility Regarding Plaintiffs’ Fiduciary Duty Claims
Plaintiffs’ argument is based on a theory of director liability famously
articulated by former-Chancellor Allen in In re Caremark.37 Before Caremark, in
Graham v. Allis-Chalmers Manufacturing Company,38 the Delaware Supreme
Court, in response to a theory that the Allis-Chalmers directors were liable because
they should have known about employee violations of federal anti-trust laws, held
that “absent cause for suspicion there is no duty upon the directors to install and
operate a corporate system of espionage to ferret out wrongdoing which they have
no reason to suspect exists.”39 Over thirty years later, in the context of approval of
a settlement of a class action, former-Chancellor Allen took the opportunity to
revisit the duty to monitor under Delaware law. In Caremark, the plaintiffs alleged
that the directors were liable because they should have known that certain officers
and employees were violating the federal Anti-Referral Payments Law. In
analyzing these claims, the Court began, appropriately, by reviewing the duty of
care and the protections of the business judgment rule.
With regard to director liability standards, the Court distinguished between
(1) “a board decision that results in a loss because that decision was ill advised or
‘negligent’” and (2) “an unconsidered failure of the board to act in circumstances
37 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
38 188 A.2d 125 (Del. 1963).
39 Id. at 130.
in which due attention would, arguably, have prevented the loss.”40 In the former
class of cases, director action is analyzed under the business judgment rule, which
prevents judicial second guessing of the decision if the directors employed a
rational process and considered all material information reasonably available—a
standard measured by concepts of gross negligence.41 As former-Chancellor Allen
explained:
What should be understood, but may not widely be understood by courts or commentators who are not often required to face such questions, is that compliance with a director’s duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed. That is, whether a judge or jury considering the matter after the fact, believes a decision substantively wrong, or degrees of wrong extending through “stupid” to “egregious” or “irrational”, provides no ground for director liability, so long as the court determines that the process employed was either rational or employed in a good faith effort to advance corporate interests. To employ a different rule—one that permitted an “objective” evaluation of the decision—would expose directors to substantive second guessing by ill-equipped judges or juries, which would, in the long-run, be injurious to investor interests. Thus, the business judgment rule is process oriented and informed by a deep respect for all good faith board decisions.42
In the latter class of cases, where directors are alleged to be liable for a
failure to monitor liability creating activities, the Caremark Court, in a
reassessment of the holding in Graham, stated that while directors could be liable
40 Caremark, 698 A.2d at 967.
41 Id.; see Brehm, 746 A.2d at 259.
42 Caremark, 698 A.2d at 967-68 (footnotes omitted).
for a failure to monitor, “only a sustained or systematic failure of the board to
exercise oversight—such as an utter failure to attempt to assure a reasonable
information and reporting system exists—will establish the lack of good faith that
is a necessary condition to liability.”43
In Stone v. Ritter, the Delaware Supreme Court approved the Caremark
standard for director oversight liability and made clear that liability was based on
the concept of good faith, which the Stone Court held was embedded in the
fiduciary duty of loyalty and did not constitute a freestanding fiduciary duty that
could independently give rise to liability.44 As the Stone Court explained:
Caremark articulates the necessary conditions predicate for director oversight liability: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.45
Thus, to establish oversight liability a plaintiff must show that the directors knew
they were not discharging their fiduciary obligations or that the directors
demonstrated a conscious disregard for their responsibilities such as by failing to
43 Id. at 971.
44 Stone, 911 A.2d at 370.
45 Id. (footnotes omitted).
act in the face of a known duty to act.46 The test is rooted in concepts of bad faith;
indeed, a showing of bad faith is a necessary condition to director oversight
liability.47
1. Plaintiffs’ Caremark Allegations
Plaintiffs’ theory of how the director defendants will face personal liability
is a bit of a twist on the traditional Caremark claim. In a typical Caremark case,
plaintiffs argue that the defendants are liable for damages that arise from a failure
to properly monitor or oversee employee misconduct or violations of law. For
example, in Caremark the board allegedly failed to monitor employee actions in
violation of the federal Anti-Referral Payments Law; in Stone, the directors were
charged with a failure of oversight that resulted in liability for the company
because of employee violations of the federal Bank Secrecy Act.48
46 See Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003) (“[T]he [Caremark] opinion articulates a standard for liability for failures of oversight that requires a showing that the directors breached their duty of loyalty by failing to attend to their duties in good faith. Put otherwise, the decision premises liability on a showing that the directors were conscious of the fact that they were not doing their jobs.”) (footnote omitted).
47 Stone, 911 A.2d at 369; Desimone v. Barrows, 924 A.2d 908, 935 (Del. Ch. 2007) (“Caremark itself encouraged directors to act with reasonable diligence, but plainly held that director liability for failure to monitor required a finding that the directors acted with the state of mind traditionally used to define the mindset of a disloyal director—bad faith—because their indolence was so persistent that it could not be ascribed to anything other than a knowing decision not to even try to make sure the corporation’s officers had developed and were implementing a prudent approach to ensuring law compliance. By reinforcing that a scienter-based standard applies to claims in the delicate monitoring context, Stone ensured that the protections that exculpatory charter provisions afford to independent directors against damage claims would not be eroded.”) (footnotes omitted).
48 See, e.g., David B. Shaev Profit Sharing Account v. Armstrong, C.A. No. 1449-N, 2006 WL 391931, at *2 (Del. Ch. Feb. 13, 2006) (Caremark claims for failure to discover involvement in allegedly fraudulent business practices).
In contrast, plaintiffs’ Caremark claims are based on defendants’ alleged
failure to properly monitor Citigroup’s business risk, specifically its exposure to
the subprime mortgage market. In their answering brief, plaintiffs allege that the
director defendants are personally liable under Caremark for failing to “make a
good faith attempt to follow the procedures put in place or fail[ing] to assure that
adequate and proper corporate information and reporting systems existed that
would enable them to be fully informed regarding Citigroup’s risk to the subprime
mortgage market.”49 Plaintiffs point to so-called “red flags” that should have put
defendants on notice of the problems in the subprime mortgage market and further
allege that the board should have been especially conscious of these red flags
because a majority of the directors (1) served on the Citigroup board during its
previous Enron related conduct and (2) were members of the ARM Committee and
considered financial experts.
Although these claims are framed by plaintiffs as Caremark claims,
plaintiffs’ theory essentially amounts to a claim that the director defendants should
be personally liable to the Company because they failed to fully recognize the risk
posed by subprime securities. When one looks past the lofty allegations of duties
of oversight and red flags used to dress up these claims, what is left appears to be
plaintiff shareholders attempting to hold the director defendants personally liable
49 Pls.’ Answering Br. at 2.
for making (or allowing to be made) business decisions that, in hindsight, turned
out poorly for the Company. Delaware Courts have faced these types of claims
many times and have developed doctrines to deal with them—the fiduciary duty of
care and the business judgment rule. These doctrines properly focus on the
decision-making process rather than on a substantive evaluation of the merits of
the decision. This follows from the inadequacy of the Court, due in part to a
concept known as hindsight bias,50 to properly evaluate whether corporate
decision-makers made a “right” or “wrong” decision.
The business judgment rule “is a presumption that in making a business
decision the directors of a corporation acted on an informed basis, in good faith
and in the honest belief that the action taken was in the best interests of the
company.”51 The burden is on plaintiffs, the party challenging the directors’
decision, to rebut this presumption.52 Thus, absent an allegation of interestedness
or disloyalty to the corporation, the business judgment rule prevents a judge or jury
from second guessing director decisions if they were the product of a rational
process and the directors availed themselves of all material and reasonably
50 “Hindsight bias is the tendency for people with knowledge of an outcome to exaggerate the extent to which they believe that outcome could have been predicted.” Hal R. Arkes & Cindy A. Schipani, Medical Malpractice v. The Business Judgment Rule: Differences in Hindsight Bias, 73 OR. L. REV. 587, 587 (1994).
51 Aronson, 473 A.2d at 812.
52 Id.
available information. The standard of director liability under the business
judgment rule “is predicated upon concepts of gross negligence.”53
Additionally, Citigroup has adopted a provision in its certificate of
incorporation pursuant to 8 Del. C. § 102(b)(7) that exculpates directors from
personal liability for violations of fiduciary duty, except for, among other things,
breaches of the duty of loyalty or actions or omissions not in good faith or that
involve intentional misconduct or a knowing violation of law. Because the director
defendants are “exculpated from liability for certain conduct, ‘then a serious threat
of liability may only be found to exist if the plaintiff pleads a non-exculpated claim
against the directors based on particularized facts.’”54 Here, plaintiffs have not
alleged that the directors were interested in the transaction and instead root their
theory of director personal liability in bad faith.
The Delaware Supreme Court has stated that bad faith conduct may be found
where a director “intentionally acts with a purpose other than that of advancing the
best interests of the corporation, . . . acts with the intent to violate applicable
positive law, or . . . intentionally fails to act in the face of a known duty to act,
demonstrating a conscious disregard for his duties.”55 More recently, the Delaware
Supreme Court held that when a plaintiff seeks to show that demand is excused
53 Id.
54 Wood v. Baum, 953 A.2d 136, 141 (Del. 2008) (quoting Guttman, 823 A.2d at 501).
55 In re Walt Disney Co. Derivative Litig., 906 A.2d 27, 67 (Del. 2006).
because directors face a substantial likelihood of liability where “directors are
exculpated from liability except for claims based on ‘fraudulent,’ ‘illegal’ or ‘bad
faith’ conduct, a plaintiff must also plead particularized facts that demonstrate that
the directors acted with scienter, i.e., that they had ‘actual or constructive
knowledge’ that their conduct was legally improper.”56 A plaintiff can thus plead
bad faith by alleging with particularity that a director knowingly violated a
fiduciary duty or failed to act in violation of a known duty to act, demonstrating a
conscious disregard for her duties.
Turning now specifically to plaintiffs’ Caremark claims, one can see a
similarity between the standard for assessing oversight liability and the standard
for assessing a disinterested director’s decision under the duty of care when the
company has adopted an exculpatory provision pursuant to § 102(b)(7). In either
case, a plaintiff can show that the director defendants will be liable if their acts or
omissions constitute bad faith. A plaintiff can show bad faith conduct by, for
example, properly alleging particularized facts that show that a director
consciously disregarded an obligation to be reasonably informed about the business
and its risks or consciously disregarded the duty to monitor and oversee the
business.
56 Wood, 953 A.2d at 141.
The Delaware Supreme Court made clear in Stone that directors of
Delaware corporations have certain responsibilities to implement and monitor a
system of oversight; however, this obligation does not eviscerate the core
protections of the business judgment rule—protections designed to allow corporate
managers and directors to pursue risky transactions without the specter of being
held personally liable if those decisions turn out poorly. Accordingly, the burden
required for a plaintiff to rebut the presumption of the business judgment rule by
showing gross negligence is a difficult one, and the burden to show bad faith is
even higher. Additionally, as former-Chancellor Allen noted in Caremark, director
liability based on the duty of oversight “is possibly the most difficult theory in
corporation law upon which a plaintiff might hope to win a judgment.”57 The
presumption of the business judgment rule, the protection of an exculpatory
§ 102(b)(7) provision, and the difficulty of proving a Caremark claim together
function to place an extremely high burden on a plaintiff to state a claim for
personal director liability for a failure to see the extent of a company’s business
risk.
To the extent the Court allows shareholder plaintiffs to succeed on a theory
that a director is liable for a failure to monitor business risk, the Court risks
undermining the well settled policy of Delaware law by inviting Courts to perform
57 Caremark, 698 A.2d at 967.
a hindsight evaluation of the reasonableness or prudence of directors’ business
decisions. Risk has been defined as the chance that a return on an investment will
be different than expected. The essence of the business judgment of managers and
directors is deciding how the company will evaluate the trade-off between risk and
return. Businesses—and particularly financial institutions—make returns by
taking on risk; a company or investor that is willing to take on more risk can earn a
higher return. Thus, in almost any business transaction, the parties go into the deal
with the knowledge that, even if they have evaluated the situation correctly, the
return could be different than they expected.
It is almost impossible for a court, in hindsight, to determine whether the
directors of a company properly evaluated risk and thus made the “right” business
decision.58 In any investment there is a chance that returns will turn out lower than
expected, and generally a smaller chance that they will be far lower than expected.
When investments turn out poorly, it is possible that the decision-maker evaluated
the deal correctly but got “unlucky” in that a huge loss—the probability of which
was very small—actually happened. It is also possible that the decision-maker
58 See Stephen M. Bainbridge, The Business Judgment Rule as Abstention Doctrine, 57 VAND. L. REV. 83, 114-15 (2004) (“[T]here is a substantial risk that suing shareholders and reviewing judges will be unable to distinguish between competent and negligent management because bad outcomes often will be regarded, ex post, as having been foreseeable and, therefore, preventable ex ante. If liability results from bad outcomes, without regard to the ex ante quality of the decision or the decision-making process, however, managers will be discouraged from taking risks.”) (footnotes omitted).
improperly evaluated the risk posed by an investment and that the company
suffered large losses as a result.
Business decision-makers must operate in the real world, with imperfect
information, limited resources, and an uncertain future. To impose liability on
directors for making a “wrong” business decision would cripple their ability to
earn returns for investors by taking business risks. Indeed, this kind of judicial
second guessing is what the business judgment rule was designed to prevent, and
even if a complaint is framed under a Caremark theory, this Court will not
abandon such bedrock principles of Delaware fiduciary duty law. With these
considerations and the difficult standard required to show director oversight
liability in mind, I turn to an evaluation of the allegations in the Complaint.
a. The Complaint Does Not Properly Allege Demand Futility for Plaintiffs’ Fiduciary Duty Claims
In this case, plaintiffs allege that the defendants are liable for failing to
properly monitor the risk that Citigroup faced from subprime securities. While it
may be possible for a plaintiff to meet the burden under some set of facts, plaintiffs
in this case have failed to state a Caremark claim sufficient to excuse demand
based on a theory that the directors did not fulfill their oversight obligations by
failing to monitor the business risk of the company.
The allegations in the Complaint amount essentially to a claim that Citigroup
suffered large losses and that there were certain warning signs that could or should
have put defendants on notice of the business risks related to Citigroup’s
investments in subprime assets. Plaintiffs then conclude that because defendants
failed to prevent the Company’s losses associated with certain business risks, they
must have consciously ignored these warning signs or knowingly failed to monitor
the Company’s risk in accordance with their fiduciary duties.59 Such conclusory
allegations, however, are not sufficient to state a claim for failure of oversight that
would give rise to a substantial likelihood of personal liability, which would
require particularized factual allegations demonstrating bad faith by the director
defendants.
Plaintiffs do not contest that Citigroup had procedures and controls in place
that were designed to monitor risk. Plaintiffs admit that Citigroup established the
ARM Committee and in 2004 amended the ARM Committee charter to include the
fact that one of the purposes of the ARM Committee was to assist the board in
fulfilling its oversight responsibility relating to policy standards and guidelines for
risk assessment and risk management.60 The ARM Committee was also charged
with, among other things, (1) discussing with management and independent
auditors the annual audited financial statements, (2) reviewing with management
an evaluation of Citigroup’s internal control structure, and (3) discussing with
management Citigroup’s major credit, market, liquidity, and operational risk
59 Pls.’ Answering Br. at 39-40.
60 Compl. ¶ 185.
exposures and the steps taken by management to monitor and control such
exposures, including Citigroup’s risk assessment and risk management policies.61
According to plaintiffs’ own allegations, the ARM Committee met eleven times in
2006 and twelve times in 2007.62
Plaintiffs nevertheless argue that the director defendants breached their duty
of oversight either because the oversight mechanisms were not adequate or because
the director defendants did not make a good faith effort to comply with the
established oversight procedures. To support this claim, the Complaint alleges
numerous facts that plaintiffs argue should have put the director defendants on
notice of the impending problems in the subprime mortgage market and
Citigroup’s exposure thereto. Plaintiffs summarized some of these “red flags” in
their answering brief as follows:
the steady decline of the housing market and the impact the collapsing bubble would have on mortgages and subprime backed securities since as early as 2005;
December 2005 guidance from the FASB staff—“The FASB staff is aware of loan products whose contractual features may increase the exposure of the originator, holder, investor, guarantor, or servicer to risk of nonpayment or realization.”;
the drastic rise in foreclosure rates starting in 2006;
several large subprime lenders reporting substantial losses and filing for bankruptcy starting in 2006;
61 Id. ¶ 187.
62 Id. ¶ 189.
billions of dollars in losses reported by Citigroup’s peers, such as Bear Stearns and Merrill Lynch.
Plaintiffs argue that demand is excused because a majority of the director
defendants face a substantial likelihood of personal liability because they were
charged with management of Citigroup’s risk as members of the ARM Committee
and as audit committee financial experts and failed to properly oversee and
monitor such risk.63 As explained above, however, to establish director oversight
liability plaintiffs would ultimately have to prove bad faith conduct by the director
defendants. Plaintiffs fail to plead any particularized factual allegations that raise a
reasonable doubt that the director defendants acted in good faith.
The warning signs alleged by plaintiffs are not evidence that the directors
consciously disregarded their duties or otherwise acted in bad faith; at most they
63 Compl. ¶ 189; Pls.’ Answering Br. at 41-45. Directors with special expertise are not held to a higher standard of care in the oversight context simply because of their status as an expert. See Canadian Commercial Workers Indus. Pension Plan v. Alden, C.A. No. 1184-N, 2006 WL 456786, at *7 n.54 (Del. Ch. Feb. 22, 2006); see also E. Norman Veasey & Christine T. Di Guglielmo, What Happened in Delaware Corporate Law and Governance from 1992-2004? A Retrospective on Some Key Developments, 153 U. PA. L. REV. 1399, 1445-47 (2005). Directors of a committee charged with oversight of a company’s risk have additional responsibilities to monitor such risk; however, such responsibility does not change the standard of director liability under Caremark and its progeny, which requires a showing of bad faith. Evaluating director action under the bad faith standard is a contextual and fact specific inquiry and what a director knows and understands is, of course, relevant to such an inquiry. See In re Emerging Commc’ns, Inc. S’holders Litig., C.A. No. 16415, 2004 WL 1305745, at *39-40 (Del. Ch. May 3, 2004). Even accepting, however, that a majority of the directors were members of the ARM Committee and considered audit committee financial experts, plaintiffs have not alleged facts showing that they demonstrated a conscious disregard for duty, or any other conduct or omission that would constitute bad faith. Even directors who are experts are shielded from judicial second guessing of their business decisions by the business judgment rule.
evidence that the directors made bad business decisions. The “red flags” in the
Complaint amount to little more than portions of public documents that reflected
the worsening conditions in the subprime mortgage market and in the economy
generally. Plaintiffs fail to plead “particularized facts suggesting that the Board
was presented with ‘red flags’ alerting it to potential misconduct” at the
Company.64 That the director defendants knew of signs of a deterioration in the
subprime mortgage market, or even signs suggesting that conditions could decline
further, is not sufficient to show that the directors were or should have been aware
of any wrongdoing at the Company or were consciously disregarding a duty
somehow to prevent Citigroup from suffering losses.65 Nothing about plaintiffs’
“red flags” supports plaintiffs’ conclusory allegation that “defendants have not
made a good faith attempt to assure that adequate and proper corporate information
and reporting systems existed that would enable them to be fully informed
regarding Citigroup’s risk to the subprime mortgage market.”66 Indeed, plaintiffs’
allegations do not even specify how the board’s oversight mechanisms were
inadequate or how the director defendants knew of these inadequacies and
consciously ignored them. Rather, plaintiffs seem to hope the Court will accept the
64 Shaev, 2006 WL 391931, at *3.
65 That plaintiffs are unable to point to specific wrongdoing within the Company that caused Citigroup’s losses from exposure to the subprime mortgage market further supports my hypothesis that this case is not truly a Caremark case, but rather a straightforward claim of breach of the fiduciary duty of care.
66 Pls.’ Answering Br. at 62.
conclusion that since the Company suffered large losses, and since a properly
functioning risk management system would have avoided such losses, the directors
must have breached their fiduciary duties in allowing such losses.
Moving from such general ipse dixit syllogisms to the more specific,
plaintiffs argue that the director defendants, and especially those nine directors
who were on the board at the time, “should have been especially sensitive to the
red flags in the marketplace in light of the Company’s prior involvement in the
Enron Corporation debacle and other financial scandals earlier in the decade.”67
Plaintiffs also allege that the director defendants should have been especially alert
to the dangers of transactions involving SIVs because SIVs were involved in
Citigroup’s transactions with Enron that resulted in liability for the Company.
Plaintiffs allege that Citigroup helped finance transactions that allowed Enron to
hide its true financial condition and resulted in Citigroup paying approximately
$120 million in penalties and disgorgement as well as agreeing to new risk
management procedures designed to prevent similar conduct.
Plaintiffs fail in their attempt to impose some sort of higher standard of
liability on the director defendants that were on Citigroup’s board at the time of its
involvement with Enron. They have utterly failed to show how Citigroup’s
involvement with the financial scandals at Enron has any relevance to Citigroup’s
67 Id. at 47.
investments in subprime securities. Plaintiffs cite McCall v. Scott68 to support the
proposition that directors who were on the board during previous misconduct
should be sensitive to similar circumstances which had previously prompted
investigations. That case, however, actually shows how plaintiffs’ attempt to
impose a higher standard on the directors because of the Enron scandal is
inadequate. Unlike here, the plaintiffs in McCall alleged numerous specific
instances of widespread, prevalent wrongdoing throughout the company and the
mechanisms by which the wrongdoing came to the board’s attention.69 The Sixth
Circuit in McCall did not, as plaintiffs assert, hold that alleged prior, unrelated
wrongdoing would make directors “sensitive to similar circumstances.”70 Unlike
plaintiffs’ allegations about Enron, the prior “experience” referenced in McCall
was an investigation and settlement for the same type of questionable billing
practices before the Sixth Circuit.71 Plaintiffs have not shown how involvement
with the Enron related scandals should have in any way put the director defendants
on a heightened alert to problems in the subprime mortgage market. Additionally,
the use of SIVs in the Enron related conduct would not serve to put the director
68 239 F.3d 808 (6th Cir. 2001).
69 Id. at 819–24 (noting allegations of numerous financial irregularities in reports brought to the board’s attention).
70 Pls.’ Answering Br. at 48.
71 See McCall, 239 F.3d at 821.
defendants on any type of heightened notice to the unrelated use of SIVs in
structuring transactions involving subprime securities.
The Complaint and plaintiffs’ answering brief repeatedly make the
conclusory allegation that the defendants have breached their duty of oversight, but
nowhere do plaintiffs adequately explain what the director defendants actually did
or failed to do that would constitute such a violation. Even while admitting that
Citigroup had a risk monitoring system in place, plaintiffs seem to conclude that,
because the director defendants (and the ARM Committee members in particular)
were charged with monitoring Citigroup’s risk, then they must be found liable
because Citigroup experienced losses as a result of exposure to the subprime
mortgage market. The only factual support plaintiffs provide for this conclusion
are “red flags” that actually amount to nothing more than signs of continuing
deterioration in the subprime mortgage market. These types of conclusory
allegations are exactly the kinds of allegations that do not state a claim for relief
under Caremark.
To recognize such claims under a theory of director oversight liability would
undermine the long established protections of the business judgment rule. It is
well established that the mere fact that a company takes on business risk and
suffers losses—even catastrophic losses—does not evidence misconduct, and
without more, is not a basis for personal director liability.72 That there were signs
in the market that reflected worsening conditions and suggested that conditions
may deteriorate even further is not an invitation for this Court to disregard the
presumptions of the business judgment rule and conclude that the directors are
liable because they did not properly evaluate business risk. What plaintiffs are
asking the Court to conclude from the presence of these “red flags” is that the
directors failed to see the extent of Citigroup’s business risk and therefore made a
“wrong” business decision by allowing Citigroup to be exposed to the subprime
mortgage market.
This Court’s recent decision in American International Group, Inc.
Consolidated Derivative Litigation73 demonstrates the stark contrast between the
allegations here and allegations that are sufficient to survive a motion to dismiss.
In AIG, the Court faced a motion to dismiss a complaint that included “well-pled
allegations of pervasive, diverse, and substantial financial fraud involving
managers at the highest levels of AIG.”74 In concluding that the complaint stated a
claim for relief under Rule 12(b)(6),75 the Court held that the factual allegations in
the complaint were sufficient to support an inference that AIG executives running
72 See Gagliardi v. TriFoods Int’l, Inc., 683 A.2d 1049, 1051 (Del. Ch. 1996) (“The business outcome of an investment project that is unaffected by director self-interest or bad faith, cannot itself be an occasion for director liability.”) (footnote omitted).
73 C.A. No. 769-VCS, 2009 WL 366613 (Del. Ch. Feb. 10, 2009).
74 Id. at *3.
75 It is also significant that the AIG Court was analyzing the Complaint under the plaintiff-friendly standard of Rule 12(b)(6), rather than the particularized pleading standard of Rule 23.1.
those divisions knew of and approved much of the wrongdoing. The Court
reasoned that huge fraudulent schemes were unlikely to be perpetrated without the
knowledge of the executive in charge of that division of the company.76 Unlike the
allegations in this case, the defendants in AIG allegedly failed to exercise
reasonable oversight over pervasive fraudulent and criminal conduct. Indeed, the
Court in AIG even stated that the complaint there supported the assertion that top
AIG officials were leading a “criminal organization” and that “[t]he diversity,
pervasiveness, and materiality of the alleged financial wrongdoing at AIG is
extraordinary.”77
Contrast the AIG claims with the claims in this case. Here, plaintiffs argue
that the Complaint supports the reasonable conclusion that the director defendants
acted in bad faith by failing to see the warning signs of a deterioration in the
subprime mortgage market and failing to cause Citigroup to change its investment
policy to limit its exposure to the subprime market. Director oversight duties are
designed to ensure reasonable reporting and information systems exist that would
allow directors to know about and prevent wrongdoing that could cause losses for
the Company. There are significant differences between failing to oversee
employee fraudulent or criminal conduct and failing to recognize the extent of a
Company’s business risk. Directors should, indeed must under Delaware law,
76 AIG, 2009 WL 366613 at *22.
77 Id. at *23.
ensure that reasonable information and reporting systems exist that would put them
on notice of fraudulent or criminal conduct within the company. Such oversight
programs allow directors to intervene and prevent frauds or other wrongdoing that
could expose the company to risk of loss as a result of such conduct. While it may
be tempting to say that directors have the same duties to monitor and oversee
business risk, imposing Caremark-type duties on directors to monitor business risk
is fundamentally different. Citigroup was in the business of taking on and
managing investment and other business risks. To impose oversight liability on
directors for failure to monitor “excessive” risk would involve courts in conducting
hindsight evaluations of decisions at the heart of the business judgment of
directors. Oversight duties under Delaware law are not designed to subject
directors, even expert directors, to personal liability for failure to predict the future
and to properly evaluate business risk.78
78 If defendants had been able to predict the extent of the problems in the subprime mortgage market, then they would not only have been able to avoid losses, but presumably would have been able to make significant gains for Citigroup by taking positions that would have produced a return when the value of subprime securities dropped. Compl. ¶ 78. Query: if the Court were to adopt plaintiffs’ theory of the case—that the defendants are personally liable for their failure to see the problems in the subprime mortgage market and Citigroup’s exposure to them—then could not a plaintiff succeed on a theory that a director was personally liable for failure to predict the extent of the subprime mortgage crisis and profit from it, even if the company was not exposed to losses from the subprime mortgage market? If directors are going to be held liable for losses for failing to accurately predict market events, then why not hold them liable for failing to profit by predicting market events that, in hindsight, the director should have seen because of certain red (or green?) flags? If one expects director prescience in one direction, why not the other?
Instead of alleging facts that could demonstrate bad faith on the part of the
directors, by presenting the Court with the so called “red flags,” plaintiffs are
inviting the Court to engage in the exact kind of judicial second guessing that is
proscribed by the business judgment rule. In any business decision that turns out
poorly there will likely be signs that one could point to and argue are evidence that
the decision was wrong. Indeed, it is tempting in a case with such staggering
losses for one to think that they could have made the “right” decision if they had
been in the directors’ position. This temptation, however, is one of the reasons for
the presumption against an objective review of business decisions by judges, a
presumption that is no less applicable when the losses to the Company are large.
2. Plaintiffs’ Disclosure Allegations
Plaintiffs argue that demand is excused as futile because the director
defendants face a substantial likelihood of personal liability for violating their duty
of disclosure and would therefore be unable to exercise independent and
disinterested business judgment in responding to a demand.79 Plaintiffs allege that
the director defendants violated their duty of disclosure by, among other things,
failing to properly disclose the value of certain financial instruments,80 placing
underperforming assets in SIVs without fully disclosing the risk that Citigroup
79 Plaintiffs argue that the disclosure claims relate to actions taken by the board and are therefore subject to the Aronson standard. Plaintiffs request, however, that the Court review demand futility under the substantial likelihood of liability standard and present their demand futility arguments under that standard.
80 Compl. ¶ 172.
might have to bring the assets back onto its balance sheet,81 and failing to properly
account for guarantees, specifically the liquidity puts that allowed buyers of CDOs
to sell the products back to Citigroup at face value.82 Plaintiffs argue that the “red
flags” alleged in the Complaint lead to a reasonable inference that the director
defendants, and particularly the ARM Committee members, knew that certain
disclosures regarding the Company’s exposure to subprime assets were misleading.
“[E]ven in the absence of a request for shareholder action, shareholders are
entitled to honest communication from directors, given with complete candor and
in good faith.”83 When there is no request for shareholder action, a shareholder
plaintiff can demonstrate a breach of fiduciary duty by showing that the directors
“deliberately misinform[ed] shareholders about the business of the corporation,
either directly or by a public statement.”84 Citigroup’s certificate of incorporation
exculpates the director defendants from personal liability for violations of fiduciary
duty except for, among other things, breaches of the duty of loyalty and acts or
omissions not in good faith or that involve intentional misconduct or knowing
violation of law. Thus, to show a substantial likelihood of liability that would
excuse demand, plaintiffs must plead particularized factual allegations that
81 Id. at ¶ 70.
82 Id. at ¶¶ 163-65.
83 In re infoUSA, Inc. S’holders Litig., 953 A.2d 963, 990 (Del. Ch. 2007).
84 Malone v. Brincat, 722 A.2d 5, 14 (Del. 1998) (emphasis added); see infoUSA, 953 A.2d at 990 (finding that directors violate their fiduciary duties “where it can be shown that the directors involved issued their communication with the knowledge that it was deceptive or incomplete”).
“support the inference that the disclosure violation was made in bad faith,
knowingly or intentionally.”85 Additionally, directors of Delaware corporations
are fully protected in relying in good faith on the reports of officers and experts.86
The factual allegations in the Complaint are not sufficient to allow me to
reasonably conclude that the director defendants face a substantial likelihood of
liability that would prevent them from impartially considering a demand. This is
so for at least three reasons. First, plaintiffs fail to allege with sufficient specificity
the actual misstatements or omissions that constituted a violation of the board’s
duty of disclosure.87 The Complaint merely alleges, in general and conclusory
terms, that the director defendants did not adequately disclose certain risks faced
by the Company—for example, the risks posed by Citigroup’s SIVs and the
liquidity puts that allowed purchasers of CDOs to sell the instruments back to
85 O’Reilly v. Transworld Healthcare, Inc., 745 A.2d 902, 915 (Del. Ch. Aug. 20, 1999).
86 8 Del. C. § 141(e) (“A member of the board of directors, or a member of any committee designated by the board of directors, shall, in the performance of such member’s duties, be fully protected in relying in good faith upon the records of the corporation and upon such information, opinions, reports or statements presented to the corporation by any of the corporation’s officers or employees, or committees of the board of directors, or by any other person as to matters the member reasonably believes are within such other person’s professional or expert competence and who has been selected with reasonable care by or on behalf of the corporation.”); see Brehm, 746 A.2d at 261.
87 See Pfeffer v. Redstone, No. 115, 2008, _ A.2d _, 2009 WL 188887, at *6 (Del. Jan. 23, 2009) (“Although there is ‘no reason to depart from the general pleading rules when alleging duty of disclosure violations,’ ‘it is inherent in disclosure cases that the misstated or omitted facts be identified and that the pleading not be merely conclusory.’”) (quoting Loudon v. Archer-Daniels-Midland Co., 700 A.2d 135, 140 (Del. 1997)).
Citigroup at face value.88 The Complaint does not identify any actual disclosure
that was misleading or any statement that was made misleading as a result of an
omission of a material fact. Instead, plaintiffs allege, for instance, that the
Citigroup board “abdicated its fiduciary duties by not disclosing information on the
fair value of VIEs, CDOs and SIVs”89 and that “the ARM Committee abdicated its
fiduciary duties . . . to ensure the integrity of Citigroup’s financial statements and
financial reporting process, including earnings press releases and financial
information provided to analysts and rating agencies.”90
In other words, the disclosure allegations in the complaint do not meet the
stringent standard of factual particularity required under Rule 23.1. They fail to
allege with particularity which disclosures were misleading, when the Company
was obligated to make disclosures, what specifically the Company was obligated to
88 Compl. ¶¶ 160-73. To be fair, plaintiffs point to some specific statements in the Complaint. For example, paragraph 82 of the Complaint alleges that the director defendants “caused or allowed” Citigroup to issue a press release that highlighted, among other things, “positive trends from Citigroup’s strategic actions.” Paragraphs 88 and 99 of the Complaint allege that the director defendants “caused” Citigroup to issue press releases that stated that the Company had “generated strong momentum this quarter” and that cited decreasing credit costs “reflecting a stable global credit environment.” Even these allegations, however, fail to meet the strict pleading requirements under Rule 23.1. Pleading that the director defendants “caused” or “caused or allowed” the Company to issue certain statements is not sufficient particularized pleading to excuse demand under Rule 23.1. It is unclear from such allegations how the board was actually involved in creating or approving the statements, factual details that are crucial to determining whether demand on the board of directors would have been excused as futile. These allegations also fail for the other reasons described below, most notably because the Complaint fails to adequately plead facts reasonably suggesting that the director defendants made disclosures with knowledge that they were false or misleading or in bad faith.
89 Compl. ¶ 172.
90 Id. at ¶ 161.
disclose, and how the Company failed to do so.91 This information is critical
because to establish a threat of director liability based on a disclosure violation,
plaintiffs must plead facts that show that the violation was made knowingly or in
bad faith, a showing that requires allegations regarding what the directors knew
and when. Without knowing when and how the alleged disclosure violations
occurred, it is impossible to determine if the directors made the misstatements or
omissions knowingly or in bad faith. As a result, the disclosure allegations in the
complaint do not meet the stringent requirements of factual particularity under
Rule 23.1.
Second, the Complaint does not contain specific factual allegations that
reasonably suggest sufficient board involvement in the preparation of the
disclosures that would allow me to reasonably conclude that the director
defendants face a substantial likelihood of personal liability.92 Plaintiffs do not
allege facts suggesting that the director defendants prepared the financial
91 The closest plaintiffs come to alleging a specific disclosure violation are the allegations that the Company failed to disclose the existence of the liquidity puts until November 2007 and failed to disclose that the Company may have to take certain assets held by SIVs back onto its balance sheet. Compl. ¶¶ 70, 165-69. Even these claims, however, are vague and relatively light on the details of what the Company was required to disclose, when it was required to disclose it, and how its failure to do so would constitute a violation of the duty of disclosure. In any event, as discussed below, these claims fail to plead demand futility because plaintiffs have (1) failed to sufficiently allege facts showing that the director defendants were involved in preparing (or were otherwise responsible for) the alleged misleading disclosures and (2) failed to allege facts that would lead to a reasonable inference that the director defendants made any false or misleading statements or omissions knowingly or in bad faith.
92 See Wood, 953 A.2d at 142 (“The Board’s execution of [the company’s] financial reports, without more, is insufficient to create an inference that the directors had actual or constructive notice of any illegality.”).
statements or that they were directly responsible for the misstatements or
omissions. The Complaint merely alleges that Citigroup’s financial statements
contained false statements and material omissions and that the director defendants
reviewed the financial statements pursuant to their responsibilities under the ARM
Committee charter. Thus, I am unable to reasonably conclude that the director
defendants face a substantial likelihood of liability.
Third, and perhaps most importantly, the Complaint does not sufficiently
allege that the director defendants had knowledge that any disclosures or omissions
were false or misleading or that the director defendants acted in bad faith in not
adequately informing themselves.93 Plaintiffs have not alleged particular facts
showing that the director defendants were even aware of any misstatements or
omissions. Instead, plaintiffs conclusorily assert that the members of the ARM
Committee, as financial experts, knew the relevant accounting standards, knew or
should have known the extent of the Company’s exposure to the subprime
mortgage market, and are therefore responsible for alleged false statements or
omissions in Citigroup’s financial statements.94 Instead of providing factual
allegations regarding the knowledge or bad faith of the individual director
93 See Pfeffer, _ A.2d _, 2009 WL 188887, at *6 (“When pleading a breach of fiduciary duty based on the . . . Directors’ knowledge, [the plaintiff] must, at a minimum, offer ‘well-pleaded facts from which it can be reasonably inferred that this ‘something’ was knowable and that the defendant was in a position to know it.’”) (quoting IOTEX Commc’ns, Inc. v. Defries, C.A. No. 15817, 1998 WL 914265, at *4 (Del. Ch. Dec. 21, 1998)).
94 Compl. ¶ 191.
defendants, the Complaint makes broad group allegations about the director
defendants or the members of the ARM Committee.95 A determination of whether
the alleged misleading statements or omissions were made with knowledge or in
bad faith requires an analysis of the state of mind of the individual director
defendants, and plaintiffs have not made specific factual allegations that would
allow for such an inquiry. Plaintiffs’ alleged “red flags,” which amount to nothing
more than indications of worsening economic conditions, do not support a
reasonable inference that the director defendants approved or disseminated the
financial disclosures knowingly or in bad faith. Merely alleging that there were
signs of problems in the subprime mortgage market is not sufficient to show that
the director defendants knew that Citigroup’s disclosures were false or misleading.
The allegations are not sufficiently specific to Citigroup or to the director
defendants to meet the strict pleading requirements of Rule 23.1.
Although the members of the ARM Committee were charged with reviewing
and ensuring the accuracy of Citigroup’s financial statements under the ARM
Committee charter, director liability is not measured by the aspirational standard
established by the internal documents detailing a company’s oversight system.
Under our law, to establish liability for misstatements when the board is not
95 See AIG, 2009 WL 366613 at *21 (“Although these allegations are varied and far reaching, . . . these allegations are supported by the pled facts. For starters, the Complaint is not laden with such accusations against the D & O Defendants as a group; these group accusations are used sparingly.”).
seeking shareholder action, shareholder plaintiffs must show that the misstatement
was made knowingly or in bad faith. Additionally, even board members who are
experts are fully protected under § 141(e) in relying in good faith on the opinions
and statements of the corporation’s officers and employees who were responsible
for preparing the company’s financial statements. Plaintiffs’ allegations that the
members of the ARM Committee were financial experts and were aware of the
“red flags” alleged in the Complaint do not support a reasonable inference that the
director defendants’ reliance on the officers and experts who prepared the financial
statements was not in good faith.
Even accepting plaintiffs’ allegations as true, the Complaint fails to plead
with particularity facts that would lead to the reasonable inference that the director
defendants made or allowed to be made any false statements or material omissions
with knowledge or in bad faith. Accordingly, plaintiffs have failed to plead with
particularity facts creating a reasonable doubt that the director defendants face a
threat of personal liability that would render them incapable of exercising
independent and disinterested business judgment in responding to a demand.
Plaintiffs’ disclosure claims are therefore dismissed pursuant to Rule 23.1.
C. Demand Futility Allegations Regarding Plaintiffs’ Waste Claims
Count III of the Complaint alleges that certain of the defendants are liable
for waste for (1) approving the Letter Agreement dated November 4, 2007 between
Citigroup and defendant Prince; (2) allowing the Company to purchase over $2.7
billion in subprime loans from Accredited Home Lenders at one of its “fire sales”
in March 2007 and from Ameriquest Home Mortgage in September 2007; (3)
approving the buyback of over $645 million worth of the Company’s shares at
artificially inflated prices pursuant to a repurchase program in early 2007; and (4)
allowing the Company to invest in SIVs that were unable to pay off maturing
debt.96
96 Plaintiffs do not adequately plead that the asset purchases or the investments in SIVs were the result of board action rather than inaction. To establish demand futility in the absence of director action the Complaint would have to plead facts sufficient to create a reasonable doubt that the director defendants could exercise disinterested and independent business judgment in responding to a demand. It is not clear to the Court on exactly what theory plaintiffs believe that demand is excused for these allegations. Pls.’ Answering Br. at 56 nn.45-46. In any event, the Complaint does not properly allege demand futility as to these claims because it does not create a reasonable doubt that the director defendants would be unable to exercise disinterested and independent business judgment in responding to a demand. First, because plaintiffs have failed to adequately plead that the challenged asset purchases or investments in SIVs were the result of board action, the director defendants cannot possibly face a substantial likelihood of personal liability for these transactions. See Highland Legacy Ltd. v. Singer, C.A. No. 1566-N, 2006 WL 741939, at *7 (Del. Ch. Mar. 17, 2006) (“To excuse demand on the grounds of waste, the complaint must allege particularized facts sufficient to create a reasonable doubt that the board authorized action on the corporation’s behalf on terms that no person of ordinary, sound business judgment could conclude represents a fair exchange.”) (emphasis added).
Second, and in the alternative, the director defendants do not face a substantial likelihood of personal liability for these claims because the Complaint is devoid of any allegation that would lead to the conclusion that allowing the Company to purchase these assets or invest in the SIVs constituted bad faith conduct by the director defendants. For similar reasons as I explained with regard to the Caremark claims, the alleged “red flags” are not sufficient to support an inference that the director defendants did not act in good faith by not preventing those charged with making business decisions for the Company from purchasing subprime assets or investing in the SIVs. That these investments turned out poorly for the Company is not evidence of bad faith conduct. The decision to purchase certain investment assets, or to allow others in the Company to purchase certain investment assets, is the essence of the business judgment of directors and officers. Additionally, the Complaint makes no factual allegation that the decision to invest in the subprime assets or the SIVs was of no value to the Company. As I have said numerous times now, judges are in no position to second guess well-informed business decisions made in good faith, and the allegations in the Complaint are not sufficient to suggest that the directors knowingly or in bad faith disregarded their duty to monitor. Accordingly, the claims for waste for the asset purchases and the investments in SIVs fail to properly plead demand futility pursuant to Rule 23.1.
Demand futility is analyzed under Aronson when plaintiffs have challenged
board action or approval of a transaction. With regard to the claims based on the
approval of the Letter Agreement and the repurchase of Citigroup stock, plaintiffs
do not argue that a majority of the director defendants were not disinterested and
independent. Rather, plaintiffs argue that demand is excused under the second
prong of the Aronson analysis, which requires that the plaintiffs plead
particularized factual allegations that raise a reasonable doubt as to whether “the
challenged transaction was otherwise the product of a valid exercise of business
judgment.”97
Delaware law provides stringent requirements for a plaintiff to state a claim
for corporate waste, and to excuse demand on grounds of waste the Complaint
must allege particularized facts that lead to a reasonable inference that the director
defendants authorized “an exchange that is so one sided that no business person of
ordinary, sound judgment could conclude that the corporation has received
adequate consideration.”98 The test to show corporate waste is difficult for any
plaintiff to meet; indeed, “[t]o prevail on a waste claim . . . the plaintiff must
overcome the general presumption of good faith by showing that the board’s
97 Aronson, 473 A.2d at 814.
98 Brehm, 746 A.2d at 263 (quoting In re The Walt Disney Co. Derivative Litig., 731 A.2d 342, 362 (Del. Ch. 1998)); see Highland, 2006 WL 741939, at *7.
decision was so egregious or irrational that it could not have been based on a valid
assessment of the corporation’s best interests.”99
1. Approval of the Stock Repurchase Program
Plaintiffs’ claim for waste for the board’s approval of the stock repurchase
program falls far short of satisfying the standard for demand futility. Plaintiffs
allege that “in spite of its prior buybacks below $50 per share and in spite of the
Company’s expanding losses and declining stock price, Citigroup repurchased 12.1
million shares during the first quarter of 2007 at an average price of $53.37.”100
Plaintiffs then claim that at the time the buyback of Citigroup stock was halted, the
stock was trading at $46 per share. Plaintiffs conclude that the director defendants
“authorized and did not suspend the Company’s share repurchase program, which
resulted in the Company’s buying back over $645 million worth of the Company’s
shares at artificially inflated prices.”101
Specifically, plaintiffs argue the following:
As set forth in the Complaint, the Director Defendants recklessly failed to consider and account for the subprime lending crisis, the Company’s exposure to falling CDO values by virtue of its liquidity puts, and the collective impact on the Company’s billions in warehoused subprime loans. Consequently, the Director Defendants are not entitled to the presumption of business judgment and are liable for waste for approving the buyback of over $645 million worth of the Company’s shares at artificially inflated prices pursuant to the repurchase program. Under the circumstances, the repurchase program should have been suspended, and would have saved the Company hundreds of millions of dollars. The magnitude of the Director Defendants’ utter failure to properly inform themselves of the Company’s dire straits has only been highlighted by the Company’s recent historically low share prices.102
99 White v. Panic, 783 A.2d 543, 554 n.36 (Del. 2001).
100 Pls.’ Answering Br. at 61.
101 Id.
To say the least, this argument demonstrates that the Complaint utterly fails to state
a claim for waste for the board’s approval of the stock repurchase. Plaintiffs seem
to completely ignore the standard governing corporate waste under Delaware
law—a standard that requires that plaintiffs plead facts overcoming the
presumption of good faith by showing “an exchange that is so one sided that no
business person of ordinary, sound judgment could conclude that the corporation
has received adequate consideration.”103 Plaintiffs attempted to meet this standard
by alleging that the director defendants approved a repurchase of Citigroup stock
at the market price. Other than a conclusory allegation, plaintiffs have alleged
nothing that would explain how buying stock at the market price—the price at
which presumably ordinary and rational businesspeople were trading the stock—
could possibly be so one sided that no reasonable and ordinary business person
would consider it adequate consideration. Again, plaintiffs merely allege “red
flags” and then conclude that the board is liable for waste because Citigroup
repurchased its stock before the stock dropped in price as a result of Citigroup’s
losses from exposure to the subprime market. In short, the Complaint states no
particularized facts that would lead to any inference that the board’s approval of
the stock repurchase constituted corporate waste. Accordingly, plaintiffs have not
adequately alleged demand futility as to this claim pursuant to Rule 23.1.
102 Id. (citation omitted).
103 Brehm, 746 A.2d at 263 (quoting Disney, 731 A.2d at 362).
2. Approval of the Letter Agreement
Plaintiffs allege that the board’s approval of the November 4, 2007 letter
agreement constituted corporate waste. Because approval of the letter was board
action, demand is evaluated under the Aronson standard. Plaintiffs claim that
demand is excused under the second prong of Aronson because the particularized
factual allegations in the Complaint raise a reasonable doubt as to whether the
approval was “the product of a valid exercise of business judgment.”104
The directors of a Delaware corporation have the authority and broad
discretion to make executive compensation decisions. The standard under which
the Court evaluates a waste claim is whether there was “an exchange of corporate
assets for consideration so disproportionately small as to lie beyond the range at
which any reasonable person might be willing to trade.”105 It is also well settled in
our law, however, that the discretion of directors in setting executive compensation
is not unlimited. Indeed, the Delaware Supreme Court was clear when it stated
that “there is an outer limit” to the board’s discretion to set executive
compensation, “at which point a decision of the directors on executive
compensation is so disproportionately large as to be unconscionable and constitute
waste.”106
104 Aronson, 473 A.2d at 814.
105 Brehm, 746 A.2d at 263.
According to plaintiffs’ allegations, the November 4, 2007 letter agreement
provides that Prince will receive $68 million upon his departure from Citigroup,
including bonus, salary, and accumulated stockholdings.107 Additionally, the letter
agreement provides that Prince will receive from Citigroup an office, an
administrative assistant, and a car and driver for the lesser of five years or until he
commences full time employment with another employer.108 Plaintiffs allege that
this compensation package constituted waste and met the “so one sided” standard
because, in part, the Company paid the multi-million dollar compensation package
to a departing CEO whose failures as CEO were allegedly responsible, in part, for
billions of dollars of losses at Citigroup. In exchange for the multi-million dollar
benefits and perquisites package provided for in the letter agreement, the letter
agreement contemplated that Prince would sign a non-compete agreement, a non-disparagement agreement, a non-solicitation agreement, and a release of claims
against the Company.109 Even considering the text of the letter agreement, I am
left with very little information regarding (1) how much additional compensation
Prince actually received as a result of the letter agreement and (2) the real value, if
any, of the various promises given by Prince. Without more information and
taking, as I am required, plaintiffs’ well pleaded allegations as true, there is a
reasonable doubt as to whether the letter agreement meets the admittedly stringent
“so one sided” standard or whether the letter agreement awarded compensation that
is beyond the “outer limit” described by the Delaware Supreme Court.
Accordingly, the Complaint has adequately alleged, pursuant to Rule 23.1, that
demand is excused with regard to the waste claim based on the board’s approval of
Prince’s compensation under the letter agreement.
106 Id. at 262 n.56 (citing Saxe v. Brady, 184 A.2d 602, 610 (Del. Ch. 1962)); see Grimes v. Donald, 673 A.2d 1207, 1215 (Del. 1996).
107 Compl. ¶ 122; Pls.’ Answering Br. at 57-58.
108 Compl. ¶ 124.
D. The Motion to Dismiss under Rule 12(b)(6)
The only claim as to which plaintiffs adequately pleaded demand futility is
the claim for corporate waste for the board’s approval of the letter agreement
granting a multi-million dollar compensation package to Prince upon his departure
as Citigroup’s CEO. When considering a motion to dismiss for failure to state a
claim under Rule 12(b)(6), the Court is required to accept as true all well-pleaded
factual allegations in the complaint and make all reasonable inferences that
logically flow from the face of the complaint in the plaintiff’s favor.110 The Court
can only dismiss the complaint if it “determines with ‘reasonable certainty’ that the
plaintiff could prevail on no set of facts that may be inferred from the well-pleaded
allegations in the complaint.”111
109 The Court takes judicial notice of the letter agreement, a publicly available document that was integral to plaintiffs’ waste claim and incorporated into the Complaint. See Vanderbilt Income & Growth Assocs., L.L.C. v. Arvida/JMB Managers, Inc., 691 A.2d 609, 613 (Del. 1996).
The standard for pleading demand futility under Rule 23.1 is more stringent
than the standard under Rule 12(b)(6), and “a complaint that survives a motion to
dismiss pursuant to Rule 23.1 will also survive a 12(b)(6) motion to dismiss,
assuming that it otherwise contains sufficient facts to state a cognizable claim.”112
Accordingly, for the same reasons stated in the demand futility analysis, the
Complaint contains well-pleaded factual allegations regarding the claim for waste
for the approval of the Prince letter agreement that make it impossible for me to
conclude with reasonable certainty that the plaintiff could prevail on no set of facts
that could be reasonably inferred from the allegations in the Complaint.113
110 See Malpiede v. Townson, 780 A.2d 1075, 1082-83 (Del. 2001).
111 Id.
112 McPadden v. Sidhu, C.A. No. 3310-CC, 2008 WL 4017052, at *7 (Del. Ch. Aug. 29, 2008).
113 I am also not convinced that defendants would be exculpated under Citigroup’s certificate for committing waste. See In re Walt Disney Co. Derivative Litig., 907 A.2d 693, 749 (Del. Ch. 2005) (“The Delaware Supreme Court has implicitly held that committing waste is an act of bad faith.”) (citing White v. Panic, 783 A.2d 543, 553-55 (Del. 2001)).
IV. CONCLUSION
Citigroup has suffered staggering losses, in part, as a result of the recent
problems in the United States economy, particularly those in the subprime
mortgage market. It is understandable that investors, and others, want to find
someone to hold responsible for these losses, and it is often difficult to distinguish
between a desire to blame someone and a desire to force those responsible to
account for their wrongdoing. Our law, fortunately, provides guidance for
precisely these situations in the form of doctrines governing the duties owed by
officers and directors of Delaware corporations. This law has been refined over
hundreds of years, which no doubt included many crises, and we must not let our
desire to blame someone for our losses make us lose sight of the purpose of our
law. Ultimately, the discretion granted directors and managers allows them to
maximize shareholder value in the long term by taking risks without the
debilitating fear that they will be held personally liable if the company experiences
losses. This doctrine also means, however, that when the company suffers losses,
shareholders may not be able to hold the directors personally liable.
For the foregoing reasons, the motion to dismiss or stay in favor of the New
York Action is denied. Defendants’ motion to dismiss is denied as to the claim in
Count III of the Complaint for waste for approval of the November 4, 2007 Prince
letter agreement. All other claims in the complaint are dismissed for failure to
adequately plead demand futility pursuant to Court of Chancery Rule 23.1.
An Order has been entered consistent with this Opinion.