Court Dismisses Shareholder Derivative Action Because Plaintiffs Failed To Allege Demand Futility Under Delaware LawPrint Article
- Posted on: Apr 22 2020
It is well settled, and understood, that “the business and affairs of every corporation are managed by a board of directors.” Stone ex. re. AmSouth Bancorp. v. Ritter, 911 A2d 362 (Del. 2006). By its very nature a derivative litigation “impinges on the managerial freedom” of the corporation’s directors. Id. “Therefore, the right of a stockholder to prosecute a derivative suit is limited to situations where either the stockholder has demanded the directors pursue a corporate claim and the directors have wrongfully refused to do so, or where demand is excused because the directors are incapable of making an impartial decision regarding whether to institute such litigation.” Id. Accordingly, the shareholder plaintiff must “allege with particularity the efforts, if any, made by the plaintiff to obtain the action the plaintiff desires from the directors [or] the reasons for the plaintiff’s failure to obtain the action or for not making the effort.” Id.
Under Delaware law, the factors to be examined in determining whether demand is excused depends on whether the plaintiffs’ complaint concerns affirmative board actions and transactions or a board’s alleged failure to act. Where the plaintiff seeks to challenge affirmative board action, Delaware courts apply the two-prong test set forth in Aronson v. Lewis, 473 A.2d 805, 814 (Del. Ch. 1984), overruled in part on other grounds, Brehm v. Eisner, 746 A.2d 244 (Del. 2000), to assess the futility of a demand. Under this test, demand is excused when there is a reasonable doubt that: (1) the directors are disinterested and independent; or (2) the challenged transaction was otherwise the product of a valid exercise of business judgment. Id. Since the test is in the disjunctive, if either prong is satisfied, pre-suit demand is excused.
Where the plaintiff alleges board inaction, demand futility can be established by particularized facts creating a reasonable doubt that at the time the complaint was filed, the board could not have properly exercised its independent and disinterested business judgment in responding to the demand. Rales v. Blasband, 634 A.2d 927 (Del. 1993).
In Barrientos v. Salmirs, 2020 N.Y. Slip Op. 30942(U) (Sup. Ct., N.Y. County Apr. 13, 2020) (here), the Court dismissed a shareholder complaint because Plaintiffs failed to make the required demand on the board of directors and failed to allege facts to show that demand was excused. In doing so, the Court determined that board inaction was at play, despite plaintiffs’ allegation that the Individual Defendants (i.e., certain current and former members of ABM’s Board of Directors) made a “conscious” decision not to act, which, Plaintiffs claimed, was “akin to affirmative board action for purposes of determining which standard [i.e., the Aronson Test or the Rales Test] to use.” Slip Op. at *7.
Nominal defendant ABM Industries, Inc. (“ABM”) is a Delaware corporation with its principal place of business in New York City. ABM provides “janitorial, facilities engineering, parking, and specialized mechanical and electrical technical solutions.” Id. at *2.
ABM allegedly collects and stores highly sensitive private information (“PI”) about its employees, including its former employees. On or about August 1, 2017, ABM discovered that it had incurred a data breach. A phishing attack was successfully executed, resulting in the theft of PI. Plaintiffs alleged that ABM did not notify its employees of the data breach until the week of March 5, 2018, more than seven months later.
ABM suffered another attack in 2018. On or around June 14, 2018, ABM was alerted to suspicious activity related to certain employee email accounts. ABM determined that an unknown actor gained access to certain ABM employee email accounts through another phishing attack. Following an investigation, ABM determined that the unauthorized access occurred between January 8, 2018 and August 7, 2018. Plaintiffs claimed that the 2018 data breach affected approximately 60,000 current and former ABM employees.
Plaintiffs commenced the action in September 2018, alleging: (1) breach of fiduciary duty against ABM’s current and former directors (first cause of action); (2) breach of fiduciary duty against ABM’s CEO (second cause of action); and breach of fiduciary duty against ABM’s non-director officers (third cause of action).
In particular, in their amended verified complaint, Plaintiffs alleged that the Individual Defendants breached their fiduciary duties to ABM by: (i) failing to implement and enforce a system of effective internal controls and procedures to protect employees’ PI; (ii) failing to exercise their oversight duties by not monitoring ABM’s compliance with internal procedures and federal and state regulations; (iii) storing the PI of employees, former employees and vendors; (iv) failing to have proper cybersecurity safeguards to adequately secure the PI; (v) failing to have a sufficient incident response plan to immediately respond to a data breach; (vi) failing to ensure that ABM notified all potentially affected individuals and entities in a timely manner upon discovering the data breaches; (vii) failing to make adequate public disclosure of the data breaches and related Employees’ Class Action; and (viii) allowing ABM to violate state and federal laws and regulations concerning data privacy. Plaintiffs claimed that, because of the Individual Defendants’ breach of their fiduciary duties, ABM had and will in the future be required to expend significant amounts of money, and that ABM had lost “credibility, reputation and goodwill.”
Plaintiffs did not make a demand on the Board to investigate their allegations before commencing the action and did not make a demand before serving the amended verified complaint. Plaintiffs alleged that “demand would be a futile and useless act because the Individual Defendants [were] incapable of making an independent and disinterested decision to institute and vigorously prosecute th[e] action.” Slip Op. at *4-*5.
Defendants moved to dismiss on the ground that Plaintiffs lacked standing because they did not make the required demand on the Board and failed to allege facts to show that demand was excused. The Court granted the motion.
The Court’s Decision
In dismissing the complaint, the Court held that the Rales Test was the appropriate test to apply to determine whether demand was excused. The Court reasoned that even though the Board formed a subcommittee and appointed a Chief Information Officer (“CIO”) to address (among other things) cybersecurity issues, neither were, as Plaintiffs alleged, “adequately prepared for, or responded to, the data breaches.” Such an allegation, observed the Court, “plainly support[ed] application of the Rales demand futility standard.” Slip Op. at *8. So too did Plaintiffs’ allegation that the Board failed to ensure adequate and full disclosure of the data breaches in ABM’s public filings. Id. (citing Deckter on Behalf of Bristol–Myers Squibb Co. v. Adreotti, 170 A.D.3d 486, 487 (1st Dept. 2019), quoting Steinberg v. Bearden, 2018 WL 2434558, *8 (Del. Ch. 2018)).
Having decided which test to apply, the Court held that Plaintiffs failed to satisfy the Rales Test. Under this test, as noted, where, a plaintiff’s claims are based upon failure of a board of directors to exercise its oversight duties, “[o]nly a sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists – will establish the lack of good faith that is a necessary condition to liability.” In re Caremark Int’l Inc. Derv. Litig, 698 A.2d 959, 971 (Del. Ch. 1996). “[T]he mere threat of personal liability … is insufficient to challenge either the independence or disinterestedness of directors.” Deckter, 170 A.D.3d at 487, quoting Rales, 634 A.2d at 934-36. The threat of personal liability must be substantial. Madison Sullivan Partners LLC v. PMG Sullivan Street LLC, 173 A.D.3d 437, 438 (1st Dept. 2019) (plaintiffs must set forth “particularized facts establishing that defendants faced a ‘substantial likelihood’ of personal liability.”).
The Court held that Plaintiffs failed to plead facts showing a “sustained or systematic failure of the board to exercise oversight” with the requisite specificity. Slip Op. at *10. “At most,” said the Court, “they plead[ed] facts showing that the Board did not act quickly enough to disclose the data breaches, did not disclose enough about the data breaches, and did not do enough to protect against past and future data breaches.” Id. Such allegations, concluded the Court, did “not amount to the ‘utter failure’ of the Board to respond to the challenges of cybersecurity.” Id.
In addition, the Court found the board to be insulated from monetary liability for the breach of the fiduciary duty claims under an exculpation provision in ABM’s restated certificate of incorporation. Id. (citing, among others, 8 Del. C. § 102(b)(7)). Under Delaware law, to survive a motion to dismiss on demand futility grounds made by an independent director protected by an exculpation clause, the plaintiff must plead “facts supporting a rational inference that director harbored self-interest adverse to the stockholders’ interests, acted to advance the self-interest of an interested party from whom they could not be presumed to act independently, or acted in bad faith.” Id. at *10-*11 (quoting In re Cornerstone Therapeutics, Inc. Stockholder Litig., 115 A.3d 1173, 1179-80 (Del. 2015) (internal quotation marks and orig’l footnote omitted)).
The Court held that “Plaintiffs generically claim[ed] that the Board advanced their own self-interest above that of the ABM shareholders because they paid themselves ‘lavishly.’” Id. at *11. They failed, however, “to state specific facts showing that the Board members’ alleged lavish compensation caused them to fail properly to oversee ABM’s cybersecurity.” Id. The Court noted that Plaintiffs did not even “allege that any of the Individual Defendants personally profited from the Board’s alleged failure to oversee ABM’s cybersecurity.” Id.
The Court also held that Plaintiffs failed to plead facts sufficient to show that the Board acted with bad faith. Id. The Court explained that Plaintiffs did “not plead any underlying facts showing that the Board took any specific action to misreport or underreport the data breaches. Instead, Plaintiffs broadly allege[d] that ABM’s public statements and disclosures were insufficient or too general, and therefore false and misleading.” Id. at *11-*12. Such allegations lacked the required specificity to withstand a motion to dismiss. Id. at *12.
“Likewise,” noted the Court, “Plaintiffs’ allegation that the Board, in bad faith, caused ABM to violate federal securities regulations on disclosure, as well as state privacy laws, [were] impermissibly broad.” Id. The Court explained that Plaintiffs failed to make any “particularized allegations as to what type of violation occurred, or as to which Board Member caused the alleged violations.” Id. The Court concluded that Plaintiffs provided “no particularized facts to support the assertion that a security law violation even occurred, let alone which Board Member acted to cause the violation.” Id.
Accordingly, the Court dismissed the complaint with prejudice.
Barrientos demonstrates that a board’s failure to act is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” Asbestos Workers Phila. Pension Fund Asbestos Workers v. Bell, 137 A.D.3d 680, 684 (1st Dept. 2016). One reason for such difficulty is the demand requirement. The cases show that the demand requirement is rigorous. Factual particularity is necessary. As the Court found in Barrientos, Plaintiffs could not meet those requirements.