In 2020, SolarWinds Corp., a company that provided information technology software to private and government entities, was the victim of a cybersecurity breach.  Russian hackers are believed to have slipped malicious code into a SolarWinds software product called Orion, which was then used to infect, and in certain cases, compromise, SolarWinds customers.  As a consequence, SolarWinds found itself the target of litigation, including a derivative suit before the Delaware Court of Chancery in Construction Industry Laborers Pension Fund v. Bingle.

There, stockholders brought claims against the board of directors of SolarWinds for its alleged failure to oversee the company’s cybersecurity risk.  The plaintiff stockholders in Bingle argued that the defendant directors breached their fiduciary duty of loyalty by purportedly failing to adequately prevent the 2020 breach.  According to the plaintiffs, the board violated these duties by, among other things, allegedly ignoring warnings about cybersecurity deficiencies.

After carefully considering the plaintiffs’ allegations, the court concluded that dismissal was appropriate on Chancery Court Rule 23.1 grounds.  The gist of this rule is that stockholders who allege wrongdoings that have harmed a corporation must first ask the board to look into the matter before bringing a lawsuit and, if they do not, they must satisfy rigorous pleading standards.  These standards require plaintiffs to plead with specificity facts suggesting a reasonable inference that a majority of the directors consciously disregarded their duties over an extended period of time, and, therefore, a demand on the board to first investigate the matter would have been futile.

In holding that the Bingle plaintiffs failed to plead demand futility, the court explained that, under Delaware law, the “pertinent question is not whether the board was able to prevent a corporate trauma, here because of a third-party criminal attack.  Instead, the question is whether the board undertook its monitoring duties (to the extent applicable) in bad faith.”  A showing of bad faith “requires conduct that is qualitatively different from, and more culpable than, the conduct giving rise to a violation of the fiduciary duty of care (i.e., gross negligence).”

Put differently, plaintiffs must plead particularized facts showing that the directors had “actual or constructive knowledge that their conduct was legally improper.”  They can do so in one of three ways, by pleading that a director: (i) violated positive law (i.e., a statute or regulation mandating certain conduct); (ii) intentionally acted with a purpose inimical to the corporation’s best interest; or (iii) consciously disregarded their duties by ignoring red flags so vibrant that scienter is implied, or by utterly failing to put into place any mechanism for monitoring or reporting risk.  The court examined each of these points, starting with the plaintiffs’ allegation that the board violated positive law.

Violation of Positive Law

In support of their allegations that the board behaved contrary to positive law, the plaintiffs relied on, among other things, 2018 Securities and Exchange Commission interpretive guidance, which included a statement that “‘[c]ompanies are required to establish and maintain appropriate and effective disclosure controls and procedures[,] including those related to cybersecurity[.]’”  “While this guidance is certainly indicative of requirements regarding public company disclosures,” the court noted, “it does not establish positive law with respect to cybersecurity procedures or how to manage cybersecurity risks.”  The court stressed that plaintiffs who plead oversight failures must demonstrate “a sufficient connection between the corporate trauma and the actions or inactions of the board” and, in Delaware courts, such a connection has only been satisfied where a board has failed to monitor compliance with positive law and the company thereafter violates that law.  As the court observed, “no case in this jurisdiction has imposed oversight liability based solely on failure to monitor business risk,” as opposed to failure to monitor the company’s compliance with positive law.  Leaving open the question of whether board liability could be predicated on a failure to oversee business risk (such as cybersecurity risk), the court held that the plaintiffs had “not alleged that legal and regulatory frameworks have evolved with respect to cybersecurity, such that SolarWinds’s corporate governance practices must have followed.”

Intentional Action with a Purpose Inimical to the Corporation

Turning to the second prong, the court held that the plaintiffs failed to plead it with particularity, because the complaint contained no allegations that the board intentionally acted with a purpose inimical to the corporation’s best interests.

Ignorance of Red Flags or Lack of an Effective Reporting System

Examining the third prong, the court quickly dispensed with the plaintiffs’ allegations that the board ignored red flags.  At the outset, the court rejected the plaintiffs’ allegation that a cybersecurity briefing presented to the board’s Nominating and Governance Committee (“NGC”) was a red flag that was ignored.  According to the court, the presentation warned of cybersecurity threats and risks but “was not indicative of an imminent corporate trauma.”  The presentation was, accordingly, not a “red flag” but rather an instance of board-level oversight, and the complaint failed to plead that the presentation “made action by the Board necessary.”  The court also refused to countenance allegations about other purported “red flags,” including concerns allegedly raised by a former employee and allegations about use of an insufficient password, noting that the plaintiffs failed to plead that these flags were before the board during the relevant period of time.

The court next addressed the plaintiffs’ argument that the above and other allegations suggested the absence of an effective reporting system.  In this regard, the plaintiffs alleged that the board “did not conduct a single meeting or have a single discussion about the company’s mission critical cybersecurity risks” in the two years preceding the attack.  The court noted that, during the relevant period of time, the board charged two board committees with responsibility for oversight of cybersecurity risks.  As the court explained, delegation of oversight responsibility for a “particular risk in a particular year” to a “non-sham, functioning Committee” does not indicate that the board intentionally disregarded its oversight responsibilities in bad faith.  Further, while the committees’ failure to report to the board indicated a “subpar reporting system” that should have been of concern to the directors, it did not represent an “utter failure to attempt to assure” that a reporting system existed, and thus did not indicate “an intentional ‘sustained or systematic failure’ of oversight, particularly given directors are presumed to act in good faith.”  Having concluded that the complaint failed to plead facts supporting a reasonable inference of bad faith by SolarWinds’s directors, the court held that the plaintiffs’ claim was “not viable” and, therefore, that the plaintiffs had failed to plead demand futility.  The court, accordingly, dismissed the complaint.

The Bingle court’s decision—while favorable for SolarWinds—appears to be just a stepping stone in what is likely to be a long series of proceedings.  Indeed, on November 3, 2022, SolarWinds announced that it is facing an investigation from the SEC.  Notably, the SEC is not alone in investigating companies that have experienced a data breach.  The Federal Communications Commission, the Federal Trade Commission, and the New York Department of Financial Services, among others, also have aggressively investigated and taken enforcement actions against companies.  Often, investigations by these regulators are conducted in parallel, requiring a company to simultaneously navigate jurisdictional, regional, and sectoral nuances, as well as investigations of potentially different scope.  It is reasonable to expect that the list of regulators in the cyber space will continue to grow along with their security requirements, as enforcement continues to increase and fines and penalties become more severe.  Accordingly, a critical aspect of post-breach practice is collaborating with regulators to manage burden, leading to more efficient processes and outcomes for the target, the regulators, and, ultimately, consumers.

Margaret A. Dale

Margaret Dale is a trial lawyer and first-chair litigator handling complex business disputes across a wide variety of industries, including: consumer products, media and entertainment, financial services, telecommunications and technology, and higher education. She is a former vice-chair of the Litigation Department, and heads the Department’s Data Privacy and Cybersecurity Practice Group. Margaret has been recognized since 2017 in Benchmark Litigation’s Top 250 Women in Litigation.

Margaret’s practice covers the spectrum of complex commercial disputes, including privacy and data security matters, as well as disputes involving M&A, intellectual property, bankruptcy and insolvency, securities, corporate governance, and asset management.

Margaret regularly counsels clients before litigation commences to assess risk, adopt strategies to minimize or deflect disputes, and resolve matters without going to court.

Margaret is a frequent writer, including authoring a regular column on corporate and securities law in the New York Law Journal. She also serves as the lead editor of Proskauer’s blog on commercial litigation, Minding Your Business. She also authored the chapter titled “Privileges” in the treatise Commercial Litigation in New York State Courts (Haig, 5th ed.), as well as the chapter titled “Data Breach Litigation” in PLI’s Proskauer on Privacy.

Margaret maintains an active pro bono practice advocating on issues relating to women, children and veterans. She serves on the Board of Directors of CFR (Center for Family Representation), VLA (Volunteer Lawyers for the Arts), JALBC (Judges and Lawyers Breast Cancer Alert), and the City Bar Fund.

Nolan Goldberg

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial.  Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).

Cybersecurity

Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and various State Attorneys General, including multi-state investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis.  Accordingly, Nolan also frequently assists companies in scoping and conducting privileged security assessments, including “dual purpose” assessments where privileged analyses are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures.  When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications; computer networking; network and computer-related security hardware and software; microprocessors; voice-over Internet protocol (“VoIP”); bar code scanners; financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices; and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment on various media outlets including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).

Michelle M. Ovanesian

Michelle Ovanesian is an associate in the Litigation Department, where she focuses on intellectual property and life sciences. Michelle has worked on a range of matters in federal district courts, including serving on the successful trial team in the Amgen Inc. v. Sanofi remand jury trial in the District of Delaware.

In addition to intellectual property and life sciences, Michelle’s practice has encompassed a variety of other legal matters, including privacy and cybersecurity, and bankruptcy litigation. Most recently, Michelle was part of the litigation team that represented the Financial Oversight and Management Board in the Commonwealth of Puerto Rico’s bankruptcy proceedings.

Michelle maintains an active pro bono practice, with a focus on immigration law and civil rights. As part of her pro bono work, Michelle has filed an amicus brief in state court supporting the constitutionality of executive orders.