no subheading added

Landmark Ruling on Oversight Liability Creates New Risks for Corporate Officers

Landmark Ruling on Oversight Liability Creates New Risks for Corporate Officers

By Brandon S. Winchester and Adam Greiner

According to a recent decision handed down by the Delaware courts, corporate officers must now contend with a new avenue of liability: the duty of oversight. Previously, only a company’s board could face personal liability from derivative suits alleging failure to adequately oversee and mitigate the risks relevant to their duties. While courts have formerly held that corporate officers owe the same fiduciary duties of loyalty and care as directors, this decision clarifies that precedent by explicitly tethering officers to a duty of oversight.

On January 25, 2023, in In re McDonald’s Corp. Stockholder Derivative Litig., 2023 WL 387292, *9 (Del. Ch. 2023), the Delaware Court of Chancery held, for the first time, that the duty of oversight articulated by In re Caremark Intern. Inc. Derivative Litig., 698 A.2d 959, 968 (Del. Ch. 1996) applies to officers as well as directors. The court denied a motion to dismiss a derivative lawsuit alleging that the former head of human resources for McDonald’s had breached his fiduciary duties, finding instead that “officers owe a fiduciary duty of oversight as to matters within their areas of responsibility.”

This decision exposes corporate officers to new forms of derivative suit. Now, an officer may be sued for breaching their duty of oversight based on either 1) their failure to implement reporting or information systems or controls or 2) their conscious disregard for the red flags generated by otherwise functioning reporting or information systems. In light of this expansion of potential liability, companies should move to mitigate risk—and ensure they are satisfying their oversight obligations—by evaluating and updating their reporting systems and controls.

Background: Previous Conditions for Director Oversight Liability

Nearly 30 years ago, the Court of Chancery handed down a seminal ruling regarding director oversight liability. The Caremark decision established that corporate directors owe a fiduciary duty to oversee their company’s operations, including a duty to make a good faith effort to ensure that reporting and information systems can provide the information needed to determine the company’s compliance with law and its business performance.

Establishing a breach of this duty requires pleading, and later proving, that the fiduciary in question acted in bad faith. The bar for meeting the requirements for breach is “quite high[,]” according to Caremark, and fiduciaries of a Delaware corporation are already presumed to act in good faith. Only evidence that “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system of controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention” will suffice.

A typical prong-one Caremark claim, or “Information-Systems Claim,” as the McDonald’s court refers to it, alleges that directors lacked the requisite systems and controls. A typical prong-two Caremark claim, or “Red-Flags Claim,” alleges that the information systems generated red flags indicating wrongdoing, and the directors failed to respond. In order to constitute bad faith under this second type of claim, a plaintiff must show that the fiduciary was aware of the red flags and consciously failed to take an action in response, and that this failure was sufficiently sustained, systematic, or striking.

The McDonald’s Conclusion: Officers Now Share a Comparable Duty

The claim brought under McDonald’s was a Caremark red flag claim. The company’s head of human resources was accused of 1) knowingly failing to respond to reports of sexual harassment in the workplace, and 2) participating in the ongoing problem by engaging in acts of sexual harassment himself.

Although the McDonald’s court held that officers in Delaware corporations owe the same Caremark duty of oversight as directors, it also clarified that officers only have a duty of oversight over “their areas of responsibility.” As an example, the court stated that:

Some officers, like the CEO, have a company-wide remit. Other officers have particular areas of responsibility, and the officer’s duty to make a good faith effort to establish an information system only applies within that area. An officer’s duty to address and report upward about red flags also generally applies within the officer’s area, although a particularly egregious red flag might require an officer to say something even if it fell outside the officer’s domain.

Thus, a corporate officer’s duty of oversight is largely restricted to the areas over which they have responsibility and can effectively establish or monitor the required information and reporting systems. However, an officer may be liable for a breach of their duty of oversight if they are made aware of a red flag so egregious that it requires them to venture outside of their domain to act, and they then fail to do so.

The McDonald’s court did not determine the head of human resources’ liability as to the claims, but it did find that the plaintiffs had adequately pled facts to support an inference that the officer acted in bad faith by consciously ignoring red flags. Notably, the court reasoned that “[w]hen a corporate officer himself engages in acts of sexual harassment, it is reasonable to infer that the officer consciously ignored red flags about similar behavior by others.”

Key Takeaways and Next Steps

The McDonald’s decision presents a potential increased litigation risk for corporate officers. Like directors, officers are now subject to a threshold of scrutiny for their monitoring practices, which will likely result in a rise of new derivative suits. While contours of the decision may change in the future, companies should expect more books and records demands seeking to investigate officer monitoring conduct as well as information and reporting systems.

To prepare, companies can institute risk reduction measures based on the duty of oversight, including taking steps beyond simply ensuring that the necessary systems and controls are in place. For example, written processes can be developed to ensure that red flag issues are identified, reported, monitored, and addressed; officers’ oversight activities can be recorded; and protections such as exculpatory provisions and employment and indemnification agreements can be reevaluated.

These processes should be adapted as the McDonald’s decision develops through further litigation, as the Delaware Supreme Court may ultimately choose to abrogate the scope of an officer’s duty of oversight or otherwise reformulate the duty on appeal. In the meantime, though, companies should continue to monitor this shifting landscape and maintain protections for their officers as best they can.

Brandon S. Winchester is senior counsel and Adam Greiner is an associate at Hicks Johnson PLLC, a Houston-based trial law firm.