Firemen’s Ret. Sys. of St. Louis v. Sorenson, C.A. No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021) (Will, V.C.)
In this memorandum opinion, the Delaware Court of Chancery granted a motion to dismiss a purported derivative action under Rule 23.1 where the stockholder plaintiff failed to allege particularized facts that any member of the Demand Board faced a substantial likelihood of liability for non-exculpated claims. Critically, the Court held that the data security breach that gave rise to the suit was “at the hands of a hacker,” and that the company was the “victim of an illegal act rather than the perpetrator.”
In the fall of 2018, Marriott International, Inc. (“Marriott” or the “Company”) discovered a data security breach of the Starwood Hotels and Resorts (“Starwood”) reservation database, which had been acquired by Marriott two years earlier. Numerous lawsuits and regulatory investigations followed Marriott’s announcement of the breach. Among them was a derivative lawsuit filed in the Court of Chancery by a Marriott stockholder against certain current and former directors and officers of the Company.
The plaintiff claimed that the defendants, (1) prior to the Starwood acquisition, failed to conduct adequate due diligence of Starwood’s cybersecurity technology, and, (2) following the acquisition, breached their duties of loyalty under Caremark by continuing to operate Starwood’s systems and by failing to timely disclose the breach. The plaintiff claimed that demand upon the Marriott board of directors (the “Board”) would have been futile because the defendant directors faced a substantial likelihood of liability in connection with the claims. The defendants moved to dismiss pursuant to Rule 23.1 for failure to adequately plead that demand was futile.
In assessing demand futility, the Court applied the three-part “universal test” recently adopted by the Delaware Supreme Court in United Food & Commercial Workers Union v. Zuckerberg, 2021 WL 4344361 (Del. 2021). In applying this test, the Court focused on “whether the director[s] face a substantial likelihood of liability on any of the claims that would be subject of the litigation demand.”
The Court first held that the directors did not face a substantial likelihood of liability for pre-acquisition claims because Delaware’s three-year statute of limitations barred such claims. Specifically, the Court held that the statute began to run, at the latest, on September 23, 2016, when the Starwood acquisition closed. The plaintiff filed the action on December 3, 2019, more than 3 years later. The Court also held that no tolling doctrines applied that would have paused the running of the statute. Notably, the Court held that the pendency of a stockholder demand to inspect books and records pursuant to 8 Del. C. § 220 (before the filing of a 220 complaint) generally does not operate to toll the statute of limitations. The Court explained that, unlike a 220 demand, a 220 action “presents strong evidence that [a] plaintiff was aggressively asserting a claim.” The Court, however, did not completely foreclose the possibility that, in connection with a future 220 demand, a “stockholder’s dogged pursuit of its statutory books and records rights [may] provide a basis for tolling.”
The Court next held that the plaintiff’s allegations did not demonstrate that the directors faced a substantial likelihood of liability for post-acquisition breaches of their duties of loyalty under Caremark. In general, the Court found that the plaintiff failed to plead facts showing that the defendants acted in bad faith, “essential to establish[ing] director oversight liability” under Caremark.
Under Caremark’s first prong, the Court held that the allegations of the Complaint demonstrated that the Board had adequate controls in place with respect to Company cybersecurity. Specifically, the Court pointed to allegations that the Board and Audit Committee were “routinely apprised” of cybersecurity risks and mitigation and additionally received annual reports on the Company’s “Enterprise Risk Assessment” that specifically evaluated cybersecurity, clearly meeting the “baseline requirement” of Caremark’s first prong.
The Court next held that there was no adequately alleged failure by the Board to monitor or oversee operations, as required under Caremark’s second prong, because the plaintiff had failed to adequately plead that the Board knew about “red flags” of corporate misconduct rising to the level of legal or regulatory violations and consciously disregarded them.
While the plaintiff insisted that the Board knew that the Company’s cybersecurity controls failed to meet industry standards, the Court found that such standards are not mandated by law and thus any violations thereof were insufficient to meet the rigorous standard set forth in Caremark’s second prong. Additionally, the Court held that, even if the Board had been aware of “red flags” of sufficient corporate misconduct, the complaint lacked allegations that the Board overlooked or failed to address them. Rather, the plaintiff alleged that when the Board was briefed on potential vulnerabilities in the Starwood database, it adopted “Intended Actions” to address them.
Lastly, the Court held that the plaintiff’s allegations did not demonstrate that the directors faced a substantial likelihood of liability related to the timing of Marriott’s disclosure of the data breach. Specifically, the plaintiff alleged that, once the Board learned that personal data had been accessed, thus triggering the notification requirement, the Company publicly announced its investigatory findings after only 11 days. The Court held that this prompt response in no way suggested bad faith on the part of the Board.