Corporate Director Liability in the Era of Cybersecurity Risks

Scholar identifies a basis to hold directors liable for misleading cybersecurity disclosures.

Cybersecurity has become a critical business risk, one that can endanger a firm’s ability to function or even remain viable, placing growing pressure on corporate boards to ensure these risks are properly overseen. At the same time, companies are increasingly dependent on technology such as cloud and AI-driven systems, making them more vulnerable than ever to catastrophic losses if critical operations are disrupted by cyberattacks.

In a recent article, Jennifer Arlen, the Norma Z. Paige Professor of Law at New York University School of Law, proposes that corporate directors can—and should—face liability under their state-law oversight duties when they knowingly allow their companies to make materially misleading statements about cybersecurity. Arlen argues that such misleading cybersecurity disclosures may constitute a “mission-critical” legal risk for companies whose deficient cybersecurity could result in serious harm to their customers. She highlights a new path for shareholder derivative claims and reframes contemporary understandings of director oversight in an era of digital threats.

The Delaware Court of Chancery’s decision in In re Caremark International Inc. Derivative Litigation established that directors could be held liable for failing to reasonably monitor corporate compliance. Since then, other states have looked to Delaware’s approach and adopted similar standards for director oversight and liability.

As Arlen points out, Delaware adopted the Caremark doctrine to enhance directors’ incentives to deter corporate misconduct by requiring board-level oversight. She explains that, under this doctrine, directors are not only responsible for monitoring the company’s adherence to the law but also for ensuring that adequate systems are in place to detect and prevent legal violations, and for overseeing those systems on an ongoing basis. She also notes that when directors are presented with red flags, they must ensure the company investigates promptly and acts to stop any identified wrongdoing.

Arlen highlights, however, that shareholder lawsuits under Caremark have consistently failed when based solely on deficient cybersecurity. She explains that courts refuse to apply Caremark liability in this context for two reasons. First, fairly minimal board oversight of cybersecurity can shield directors from liability, even if they may not be fully informed about deficiencies or breaches. Second, deficient cybersecurity alone does not violate U.S. law, as companies are generally not legally required to follow specific cybersecurity standards in most industries. As a result, though poor cybersecurity may create significant business risks, Arlen notes that it usually does not provide a sufficient basis for a Caremark claim.

Arlen explains that the landmark Construction Industry Laborers Pension Fund v. Bingle decision by the Delaware Court of Chancery illustrates how directors can escape Caremark liability. The lawsuit was brought by shareholders, known as derivative plaintiffs, who sue not for themselves but on the corporation’s behalf. They failed to establish that the directors breached their oversight duties, because the directors had established at least a minimal cybersecurity program. She adds that although the court recognized cybersecurity as a mission-critical risk for the company at issue, SolarWinds, it found the plaintiffs had not credibly alleged that the board itself was aware of the deficiencies in SolarWinds’ cybersecurity practices.

Recognizing that Caremark imposes only narrow and specific oversight duties on directors, Arlen proposes a reformulated framework for Caremark liability. Under her approach, directors may in some situations breach their duties if the company issues materially misleading statements about its cybersecurity protections and the directors fail to ensure the accuracy of those statements.

Arlen frames her proposal as addressing circumstances under which cybersecurity creates a legal risk that is mission critical to a company. Arlen outlines specific conditions under which this liability applies: a company issues materially misleading statements about its cybersecurity quality to private or public sector customers; these customers must rely on confidence in its cybersecurity quality and that confidence is shattered by the combined effect of a breach and the later revelation of the company’s misstatements; directors knowingly fail to fulfill their oversight duties relating to these disclosures; and the company suffers corporate losses caused by the misleading statements.

Importantly, Arlen emphasizes that such misleading statements may themselves violate laws prohibiting companies from lying to consumers about cybersecurity quality or making false claims to federal agencies. As she explains, what counts as a legal violation is not simply having a flawed cybersecurity program but making false or misleading statements about it. She further argues that such misrepresentations expose companies to serious risks, including regulatory enforcement, litigation, and significant customer flight, all of which can lead to “corporate trauma.”

Arlen suggests that under her approach, the case against the SolarWinds directors might have had a different outcome if the plaintiffs had focused not on the flaws in the company’s cybersecurity program itself, but on whether the directors failed to oversee the company’s compliance. If the plaintiffs had credibly alleged that the board was aware of and failed to prevent misleading disclosures that risked shattering customer confidence, they might have been able to overcome the court’s dismissal and hold directors accountable under Caremark.

Although Arlen focuses on cybersecurity, she suggests that her proposed framework could apply more broadly to other mission-critical areas. For example, directors might also face Caremark liability for failing to oversee materially misleading disclosures about product safety, particularly when flawed products pose risks of widespread consumer harm or fatalities.

By reframing Caremark liability to cover oversight of cybersecurity disclosures, Arlen extends the type of liability typically imposed on directors for oversight, shifting the focus from operational failures to disclosure failures. She argues that her proposal incentivizes firms not only to implement measures to safeguard their products, but also to align their cybersecurity practices with their public statements. Arlen concludes that her application of Caremark duties promotes market efficiency by motivating companies to strengthen cybersecurity precisely when it is most critical.