When Does Caremark Have Teeth?

by Jennifer Arlen

Directors’ liability for corporate trauma stemming from their failure to carry out their duties to oversee and terminate corporate misconduct is a vital tool in the effort to deter corporate crime. Delaware’s Caremark doctrine imposes such duties and liability on directors, but this liability is only effective when two conditions are met. First, the corporate trauma must result from a legal violation, as opposed to a business risk. Second, the legal violation must constitute a “mission critical legal risk” (MCLR), as only then are directors subject to sufficiently specific and binding oversight duties to induce them to exert greater oversight over both compliance and suspected MCLR misconduct.[1]

The Delaware court has never stated specific criteria as to what might constitute a mission critical risk. Commentators often assume that the key factor is whether anyone died as a result of the harm. Yet this is not correct. In a forthcoming article, I examine the existing case law to identify the features of legal risks most likely to result in Delaware courts determining that a risk is mission critical, and explain the implications of such a determination for directors. I also reveal the potential for directors to face Caremark liability for a previously unrecognized set of mission-critical legal risks. Those involve a company’s materially misleading statements to business and government customers about risks from using its products that are so substantial that a subsequent occurrence of the risk may cause ruinous customer flight or regulatory intervention should customers ever learn they were lied to.

I. Why Director Liability is Needed

Corporate wrongdoing causes substantial harm to companies, in the form of enormous investigation costs, litigation costs, private liability, government sanctions, and, in some cases, reputational damage from lost customers. It also causes substantial harm to society, with costs that include lost lives, financial harm to victims, environmental harm, and the corruption of government officials and resulting waste of precious government resources.

Society seeks to deter corporate crime through the threat of criminal liability imposed on both individual wrongdoers and their corporate employers. But this liability is not enough. People continue to commit corporate crimes because companies regularly provide them with strong incentives to do so[2] and employees regularly face such a low risk of being caught and criminally sanctioned that they ignore the threat of criminal sanction. Corporations, in turn, regularly maintain practices that induce misconduct and under-invest in their compliance functions because they face such a low risk of being detected and sanctioned that crime is profitable.[3] In addition, managers may prefer weak detection when they benefit from either the profits generated by corporate crime or from the reduced oversight of weak compliance.

Director duties coupled with liability can reduce these problems. Directors hold the keys to the company’s compliance function[4] and are less likely than management to be deterred from remediating detected materially misleading statements about cybersecurity by either their own conflicts of interest or incentive pay. They also are ultimately the corporate institution entrusted with oversight over mission critical risks. Directors thus are appropriate targets for oversight duties accompanied by the threat of liability should they breach their duties and cause harm to the company. Properly structured directorial oversight duties coupled with personal liability for corporate trauma resulting from bad faith breach of those duties have the potential to ameliorate these problems by causing directors to internalize costs of misconduct and inadequate compliance, thereby motivating them to cause the firm to deter, and terminate, corporate crime.[5]

II. Caremark Duties and Liability for Mission Critical Risks

Delaware’s Caremark doctrine[6] imposes on directors both oversight duties and liability for a breach of these obligations. Delaware adopted its Caremark doctrine to enhance directors’ incentives to deter corporate misconduct, yet Caremark’s original formulation did little to achieve these goals.  Caremark only requires the bare minimum of directors in most cases. They must (1) adopt some form of compliance function; (2) provide some relatively minimal oversight over it (even if only over the policies or training); and (3) ensure the company responds in some way to detected misconduct. Caremark gives directors full discretion to determine how to satisfy these duties under the protection of the Business Judgment Rule; they are only liable if they acted in bad faith in failing to satisfy their duties. Directors thus regularly escape liability by showing some attention to their Caremark duties, even when their oversight arguably was inadequate.

Under Delaware law, however, directors do face more robust oversight duties in an important class of cases: when the legal risk is a “mission critical legal risk” (MCLR) for the firm.[7] In such situations, Caremark imposes enhanced duties on directors with respect to the mission critical risk. These duties are designed to ensure that information about both compliance weaknesses and suspected violations reaches the board and that the board acts on the information, rather than simply delegating to management. Each of these duties circumscribes the Business Judgment Rule by requiring directors to obtain information and assert oversight over matters they might otherwise have delegated to management.

Specifically, when the firm faces an MCLR the board must expressly designate which committee of the board has responsibility for overseeing that risk. The responsible directors must adopt policies to deter and detect the risk. These policies must include requirements for management to report to the committee on any compliance deficiencies and suspected violations of the mission critical legal risk. In addition, Caremark obligates the committee to actually exercise oversight over the MCLR—reserving time to learn about, and ensuring that management reports on, deficiencies in the company’s compliance function and suspected violations of the mission critical risk. Upon learning about a suspected violation, directors must assert direct oversight over the company’s investigation of, and ultimate response to, suspected material misconduct; the board cannot simply delegate to management.

Caremark’s enhanced oversight duties for MCLR can help deter misconduct by increasing the probability that information about compliance weaknesses and harms from mission critical legal risks reaches the board. Caremark also shifts primary authority over investigations from managers—who are more likely to obtain private benefits from misconduct or face termination, demotion, or sanction as a result of its revelation—to directors, who have less to lose from revelation of misconduct and face personal liability under the Massey Prong of Caremark if they fail to terminate it.

III. Identifying Mission Critical Legal Risks

Delaware courts have not yet specified what types of legal violations constitute a mission critical risk. Analysis of the existing cases, along with Delaware’s general approach to the Business Judgment Rule, however, reveals the factors that should lead Delaware judges to conclude that a legal risk is mission critical. Specifically, the cases suggest that Delaware judges have restricted Caremark’s enhanced duties to situations where the harms that could result from the legal violation could cause egregious long-run harm to the firm, usually in the form of a substantial reduction in the firm’s future revenues. The cases generally involve situations where the confluence of the harm and the legal violation threatens the firm’s long-run revenues.

Harms from legal violations have been found to constitute a mission critical legal risk in three situations, each of which entails threats to the firm’s long-run welfare. First, when the legal violation causes a sufficiently substantial harm to consumers that revelation of the harm arising from the legal violation would likely cause (and often did cause) many customers to eschew future dealings with the firm. Such customer flight is a mission critical risk if the products implicated by the violation constitute a substantial portion of the firm’s sales. Importantly, consumer flight could transform a legal violation into a mission critical risk even if the flight would be triggered by news of the harm (e.g., death) regardless of whether the firm violated the law.

Second, Delaware courts have determined that a legal violation can constitute a mission critical risk when it could empower a government agency to delicense, debar, or exclude the company from markets or consumers vital to it or to recall or prevent the sales of products important to its welfare. For example, companies that violate FDA or FAA regulations, or commit federal health care fraud or certain False Claims Act violations, regularly risk debarment or exclusion from important customers or markets. Indeed, many successful[8] Caremark enhanced oversight cases involve legal violations that did or could subject the firm to a regulatory intervention that could imperil future revenues—such as a plant closure, plane grounding, cessation of pharmaceutical drug testing, mandated product recalls, and prohibitions on future sales or debarment or exclusion from sales to (or paid for by) federal agencies or programs (such as Medicare or Medicaid).

Finally, and less frequently, Delaware courts have concluded that a legal risk was mission critical when harm arising from the legal violation could entail destruction of one of the firm’s vital means of production.[9]

IV. Causation and Legal Violation Requirements and a Path Forward

Caremark does not apply to oversight of all mission critical risks. To date, Caremark has been restricted to mission critical legal risk. This restriction is a natural consequence of Caremark’s requirement that the plaintiff show that the board’s bad faith breach of its oversight duties was the proximate cause of the corporate trauma. To prevail in an oversight case, plaintiffs must show that the board would have detected the legal violation had it complied with its oversight duties. Plaintiffs also must show that the board, upon detecting the risk, would have terminated it. In the case of legal risk, plaintiffs can satisfy this latter requirement because directors who discover the company is violating the law must stop the violation. By contrast, with business risk, the board, upon discovering the risk, could allow the company to continue to encounter the risk if they rationally expect the firm to profit from it.

The legal violation requirement so far has insulated directors from liability for corporate traumas resulting from apparently inadequate oversight of mission critical risks in situations where the identified risk—in this case inadequate cybersecurity—was a business risk. Going forward, directors may not be so fortunate, however. Companies whose risky practices could harm their customers regularly make materially misleading statements to consumers in an effort to hide the risk. These materially misleading statements violate the law. Moreover, such violations may result from directors’ breach of their duties if directors did not attend to the veracity of the company’s disclosures about these risks and the specific risk constitutes a mission critical legal risk because it relates to consumer harm that was sufficiently serious that realization of the harm combined with revelation that the company lied could cause ruinous customer flight or government intervention to exclude the firm from future sales or markets.

Caremark’s potential to enhance deterrence is becoming clearer. It is likely to be significantly broader than is generally recognized – and therefore more worrisome for boards of directors.

Footnotes

[1] Jennifer Arlen, Evolution of Director Oversight Duties and Liability under Caremark: Using Enhanced Information-Acquisition Duties in the Public Interest, in Research Handbook on Corporate Liability 194, 203-04 (Martin Petrin & Christian Witting eds., 2023).

[2] For a more in-depth discussion of how companies intentionally or unintentionally induce corporate crime see, e.g., Jennifer Arlen & Lewis Kornhauser, Battle for Our Souls: A Psychological Justification for Individual and Corporate Liability for Organizational Misconduct, 2023 University of Illinois Law Review 673 (2023).

[3] For a discussion of how corporate criminal enforcement can be structured to ameliorate this issue see id.

[4] See generally, Jennifer Arlen, The Compliance Function, Oxford Handbook of Corporate Governance (Jeffrey Gordon & Wolf-Georg Ringe eds., 2nd ed., forthcoming 2025).

[5] For a more detailed discussion, see Arlen, supra note 4.

[6] In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).

[7] Marchand v. Barnhill, 212 A.3d 805 (Del. 2019); Teamsters Local 443 Health Servs. & Ins. Plan v. Chou, No. 2019-0816-SG, 2020 Del. Ch. LEXIS 274 (Del. Ch. Aug. 24, 2020); In re Clovis Oncology, Inc. Derivative Litig., No. 2017-0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 1, 2019); In re Boeing Co. Derivative Litig., No. 2019-0907-MTZ, 2021 WL 4059934 (Del. Ch. Sept. 7, 2021); In re Wal-Mart Stores, Inc. Del. Derivative Litig., No. 7455-CB, 2016 WL 2908344 (Del. Ch. 2016). For a justification of these enhanced duties, see Arlen, supra note 4.

[8] Success is defined by cases where the plaintiff survived a motion to dismiss.

[9] For example, safety violations that destroyed a company’s vital oil pipeline were deemed mission critical. Inter-Marketing Grp. United States v. Armstrong, No. 2017-0030-TMR, 2020 WL 756965 (Del. Ch. Jan. 31, 2020).

Jennifer Arlen is the Norma Z. Paige Professor of Law and Faculty Director of both the Program on Corporate Compliance and Enforcement and the Center on Law, Economics and Organization at NYU School of Law. This blog is based on her forthcoming article, Caremark Liability for Directors’ Failure to Oversee the Veracity of Companies’ Cybersecurity Disclosure: Solar Winds Reconsidered, J. Corp. Law (Symposium Issue) (forthcoming 2025).
