Prior posts here, here here, and here concerned so-called “Caremark Claims” – a civil claim often brought by shareholders in the aftermath of Foreign Corrupt Practices Act scrutiny or an enforcement action.
In short, a corporate director’s duty of good faith has evolved over time to include an obligation to attempt in good faith to assure that an adequate corporate information and reporting system exists. In Caremark (a 1996 decision by the Delaware Court of Chancery – a trial court), the court held that a director’s failure to do so, in certain circumstances, may give rise to individual director liability for breach of fiduciary duty. In 2006, in Stone v. Ritter, the Delaware Supreme Court provided the following necessary conditions for director oversight liability under the so-called Caremark standard: (i) a director utterly failed to implement any reporting or information system or controls; or (ii) having implemented such systems or controls, a director failed to monitor or oversee the corporation’s operations.
Search for the term “FCPA” and “Caremark” and you will find enough reading material to last the rest of the day. However, much of the analysis is thin “Caremark Claims” are not nearly the boogeyman that some FCPA commentators make it out to be.
A recent Delaware Court of Chancery opinion in the cybersecurity context highlights the difficulty of successfully pleading a “Caremark Claim.” As relevant to “Caremark Claims” in the FCPA context, the opinion notes that SEC guidance “does not establish positive law.”