Shareholder Books and Records Requests to Become More Frequent, and More Potent

As we previously detailed, a shareholder’s request for corporate books and records can raise competing concerns for the company and its directors.  On the one hand, shareholders have a legal right under Section 220 to seek company records, and have been repeatedly encouraged by Delaware courts to exercise that right. On the other hand, because Section 220 requests are often a precursor to litigation – and because even innocuous documents can sometimes be used to bolster an otherwise baseless lawsuit – fiduciaries must ensure their response protects shareholder interests as a whole.

A string of recent Delaware decisions have added a new layer of complexity to these concerns.  Going forward, Section 220 requests will likely become more common, and will potentially carry a larger downside for companies that fail to properly respond.

First, Delaware courts are increasingly insistent that shareholders seek corporate records before filing suit.  In fact, the Delaware Court of Chancery recently went so far as to hold that if a shareholder fails to seek books and records before filing a derivative complaint, the court can assume that shareholder is unable to “provide adequate representation for the corporation.”  That decision was later overturned by the Delaware Supreme Court, but by acknowledging “the trial court’s concerns,” the Supreme Court yet again reiterated its expectation that shareholders should request company records as a matter of first course. Read More

How Corporate Charters Can Protect Directors from Money Damages for Acts of Negligence

Several weeks ago we asked whether directors of public companies face potential liability for not preventing cyber attacks. But what about liability for other acts of oversight? Can directors be held personally liable for money damages when they have done nothing affirmatively wrong?

Generally, the answer is no. Many states, like Delaware, allow corporate charters to include provisions that protect directors (and sometimes officers) from money damages for certain breaches of fiduciary duty. Acts that are not protected include breaches of the duty of loyalty, intentional misconduct, knowing violations of the law or receiving an improper personal benefit. But where plaintiffs seek money damages for breaches of the duty of care, exculpatory provisions in corporate charters typically provide directors a defense to the claims.

Practically speaking, these provisions protect directors against claims of negligence, and some courts have held the provisions even go so far as to protect against “reckless indifference.” The protection stops, however, when a director consciously disregards his or her duties. For example, and with reference to the earlier discussion on cyber attacks, an exculpatory provision might not shield a director from money damages where (i) a damaging cyber attack occurred, and (ii) it could be proven that the director exhibited a “sustained or systematic failure to exercise reasonable oversight” over the company’s cybersecurity, such that it evidenced the director’s conscious disregard of cybersecurity. Read More

Do Directors Face Potential Liability for Not Preventing Cyber Attacks?

In the past weeks, we’ve reported that while most companies are properly disclosing their exposure to cybersecurity threats, the increasing occurrence and severity of cyber attacks has the SEC considering even more stringent cybersecurity disclosure requirements. Now, another study reports that while 38% of Fortune 500 companies have disclosed that a potential cyber event would “adversely” impact their business, only six percent of those companies purchase cyber security insurance.

What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?

In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty. Read More