Legal Updates

Absence of Board-Level Discussion on Specific Cybersecurity Risks Insufficient to Show Directors’ and Officers’ Bad Faith

April 1, 2022

Tola v. Bryant (Mar. 24, 2022, A161150) __ Cal.App.5th __ [2022 WL 871073]

Plaintiff brought a shareholder derivative action against defendants, officers and directors of a corporation, after media reports described security vulnerabilities affecting the corporation’s microprocessors and the corporation’s stock dropped, erasing over $20 billion in market capitalization. Plaintiff alleged that corporate board members breached their duties to shareholders by failing to adequately monitor corporate affairs. Shareholders, however, may not maintain a derivative suit unless the board has either wrongfully refused a demand to pursue a corporate claim or such a demand would be futile because the board could not make an impartial decision. Because plaintiff failed to make a presuit demand on defendants and did not adequately allege the futility of doing so, the trial court dismissed the complaint without leave to amend.

Plaintiff appealed, arguing that a presuit demand was futile and that the failure to oversee and monitor cybersecurity risks created a substantial likelihood of defendants’ liability. Relying on Caremark International Inc. (Del. Ch. 1996) 698 A.2d 959, plaintiff argued that defendants were required to make a good faith effort to oversee the corporation’s operations and ensure that it had a system of internal controls in place to inform the board of risks requiring their attention, such as the security vulnerabilities of the microprocessors.

The Court of Appeal affirmed, holding that plaintiff’s allegations fell short of the Caremark standard because plaintiff did not allege with particularity that defendants acted in bad faith in discharging their duties. The court noted that liability under the Caremark standard is possibly the most difficult theory to prove in corporation law and that plaintiff conceded the facts indicating defendants acted in good faith: the corporation employed an outside auditor during the relevant time, the board had an audit committee tasked with investigating major financial risk exposures, and the audit committee met regularly with outside auditors and management. The court held that the absence of board-level discussion on specific cybersecurity risks over the course of seven months did not, on its own, suggest an utter failure to attempt to assure a reasonable information and reporting system existed.

Horvitz