The trend in many legal quarters toward imposing upon businesses affirmative duties to implement measures to help prevent data breaches and comply with ever-expanding data privacy regulation—and liability if they fail to do so—has brought increased scrutiny of the actions, or more likely inactions, of corporate directors in the cybersecurity arena. A series of cases applying Delaware law, culminating in the June 2019 opinion in Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019), indicates that directors who leave cybersecurity and data privacy compliance to management may run a substantial risk of personal liability if they turn a blind eye toward the adequacy of management’s response. These developments are of interest to New Jersey attorneys who advise companies on these matters, because many in-state corporations are incorporated in Delaware and because many states, including New Jersey, follow many aspects of Delaware corporate law. In re Merck & Co. Sec., Derivative & ERISA Litig., 493 F.3d 393, 399 (3d Cir. 2007).

Delaware cases decided before Marchand, including the seminal case of In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996), established that directors breach their duty of loyalty if they fail to make a good faith effort to monitor and oversee a company, either by “utterly fail[ing] to implement any reporting or information system” that would allow information to reach the board or, if such a system exists, by “consciously fail[ing] to monitor or oversee” the company’s operations through that system. Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 370 (Del. 2006). While most so-called “Caremark claims” fail because the plaintiff concedes at least some form of board-level monitoring and reporting, the allegations in Marchand presented the type of “utter failure” to monitor a company’s “essential and mission critical” compliance issues that is sufficient to support a Caremark claim. 212 A.3d at 822-24.