Caremark Duties Are Still Growing: Extension of Caremark to Corporate Officers

Basics of Caremark

Almost 30 years ago, the landmark Caremark case established a board of directors' ongoing duty to oversee mission-critical corporate affairs; the failure to perform this oversight may indicate a lack of good faith. In recent years, significant cases such as Marchand, which involved listeria-contaminated ice cream, and Boeing, which involved hastily and carelessly designed planes, have increased the significance of this duty and established some boundaries for mission-critical concerns. In January, the McDonald's decision extended Caremark duties to corporate officers.

What Has Changed?

Historically, Delaware case law distinguished directors and officers. The role of a director is to establish policies, make strategic decisions, and provide oversight. Conversely, an officer manages the corporation on a day-to-day basis. Thus, officers often escape scrutiny in Caremark cases due to the nature of their roles as compared to directors, as well as the absence of exculpation for duty of care claims for corporate officers that directors are entitled to.

However, neither of these declarations remains accurate: Delaware law allowed exculpation for duty of care claims for officers and extended Caremark duties. The reasoning in the Mcdonald’s decision, which requires officers to take action in response to "red flags," appears to be sound because directors and officers owe the same fiduciary duties, including the duty of oversight. Moreover, the high bar for pleading a bad faith oversight claim should not change the entire liability picture, because the plaintiff still must establish demand futility and one of the two prongs of bad faith oversight claim. What is more important, is the possible expansion of what would be considered a mission-critical issue in the context of Caremark claims.

What Is Mission Critical?

As there is no universal test, it is important for every company to identify its mission-critical risks. At one point in time, there was a clear distinction, where only legal risk, and not business risk, could trigger a Caremark claim. Although there were no cases assuming only business risk, the SolarWinds decision established the risk of “noncompliance” with positive law regarding cybersecurity. Moreover, the court stated that in extreme scenarios, the failure to supervise crucial business risks also could result in liability for bad faith actions.

Caremark or Not?

One way to distinguish between critical and non-critical risks is to look at their potential impact on the company’s reputation. For example, in the case of cybercrime against a corporation, while the company itself may not be breaking any laws, it is possible that third parties such as customers could be harmed. As a result, cybersecurity can have a highly detrimental impact on a company’s reputation and could thus potentially be considered a mission-critical risk.

Another potential mission-critical risk that companies may face in the future is related to ESG issues. This is especially true given the latest proposals regarding ESG disclosure, particularly for the oil and gas industry. Furthermore, ESG risk is closely linked to risks related to AI, which companies use everywhere: during hiring, training, or in creating language learning models like ChatGPT, using workers on less than $2 per hour to remove toxic data.

Caremark Mechanics

Step 1: Investigation of Potential “Red Flags”

Caremark claims begin with an examination of publicly available information. If any potential “red flags” are identified, the plaintiff could request access to the company’s books and records, including board minutes, emails, and sometimes text messages. The expansion of Section 220 has made it more difficult for companies to deny requests for document inspection. If any warning signs are detected, such as the absence of mission-critical risks committees or inadequate response to significant legal risks, we can proceed to the second step.

Step 2: Demand on the Board or Demand Futility

The Caremark claim is a derivative claim where the company is the primary recipient of any damages awarded, and any harm and recovery experienced by shareholders is indirect. Thus, the shareholder has an obligation to either make a demand on the Board or show that most of the directors were not independent and disinterested.

The first option, a board demand, has downsides: it assumes board impartiality and most are rejected, leading to high standards for wrongful refusal litigation. The second option, demand futility, requires a shareholder to show with particularity that most of the board lacked impartiality and independence using the three-prong director-by-director “universal test” adopted in Zuckerberg. The court must consider whether each director 1) received a personal benefit; 2) faces a likelihood of liability; or 3) lacks independence from someone who received a benefit or faces liability.

As Caremark claims allege a bad faith non-exculpated claim, the second prong seems the most important in these cases. However, in light of the McDonald’s decision, demand futility may be harder to prove in claims against officers, because the second prong applies only to directors. If only officers are found to have engaged in misconduct, it’s not clear whether directors face personal liability from their decision to pursue the claim, making the second prong useless. In this scenario, the third prong may be more important, implying that a director could lack independence from a corporate officer who is likely to face liability.

Step 3: Prove That the Directors or Officers Did Not Maintain Proper Oversight

The Caremark claim imposes liability under two prongs of failed oversight, considering two separate scenarios of bad-faith actions. The first relates to a board’s failure to implement any reporting system regarding mission-critical risks. For example, food safety in Marchand was a central compliance issue for the company. However, there was no system of monitoring and reporting compliance with food safety standards at the board level. Like in Marchand, the Boeing Board similarly lacked a board-level airplane safety committee.

The second scenario, one in which a system of monitoring is in place yet “red flags” are ignored by directors or officers, is more difficult to prove. To fail this prong, their conduct should establish bad faith, indicating a conscious disregard for the “red flags.” This prong is more dangerous for corporate officers as they are in the best position to monitor day-to-day activities. Thus, in the McDonald's case, the Chief People Officer was accused of ignoring complaints of sexual harassment and breaching his duty of oversight.

What Should Officers do to Protect from Caremark Liability?

1. Work closely with directors to understand their oversight duties on mission-critical issues like sexual harassment, ESG, or cybersecurity. Different officers have different duties, and it's not reasonable to expect the same oversight from everyone. For example, though the CEO should oversee the entire company, the head of the New York office should not be expected to do the same.

2. React to "red flags" in good faith and keep records of the actions taken, as the number of section 220 demands may increase following the McDonald's decision.

3. Check D&O insurance coverage for officers to ensure it covers possible Caremark liability, as Section 102(b)(7) of the Delaware General Corporation Law does not exempt them from the bad faith oversight claim.

Stanislav Liaptcev serves as a Graduate Editor of the NYU Journal of Law & Business. He is pursuing a Corporation LL.M. at the New York University School of Law as a Dean’s Graduate Scholar. Prior to attending NYU, Stanislav practiced corporate law for nine years with a focus on mergers and acquisitions, joint ventures, private equity, venture capital, and other cross-border transactions at prestigious law firms in Russia and as an independent consultant.