How Directors’ Oversight Duties and Liability under Caremark Are Evolving

Corporate law prohibits companies from pursuing profits through criminal misconduct. It uses the fiduciary duties imposed on boards under the Caremark doctrine, and the threat of personal liability of directors for deliberate breach, to help motivate directors to have their companies comply with the law. Yet, as I discuss in a recent paper, Caremark has largely failed: most boards have neither adopted effective systems to deter corporate crime nor asserted effective oversight over investigations. Caremark did not require directors to obtain information about either material compliance failures or detected misconduct: information that is essential to effective oversight. To induce directors to deter misconduct—even when it is profitable—corporate law must impose duties on them to adopt systems to detect misconduct and ensure they are informed about it, thus triggering their duty to terminate it. Fortunately, Delaware courts appear to be modifying the Caremark standard to impose duties to detect and obtain information about certain material risks. If Delaware continues on this track, compliance and deterrence will benefit.

A. Why Director Oversight Liability Is Needed

Corporate criminal liability does not adequately deter corporate misconduct because most corporate misconduct is not detected and sanctioned. As a result, directors and senior managers may enable misconduct, because both the firm and the individuals personally benefit from the misconduct.[1] They also may favor weak compliance, even at the company’s expense, because they personally benefit from weaker oversight.

To enhance deterrence, and promote its commitment to limiting companies to lawful profits, corporate law needs to create personal incentives for directors and officers to deter misconduct. Corporate law can incentivize directors and officers to actively deter by imposing fiduciary duties on them that provide directors with a personal incentive to deter misconduct even when the company would benefit from it. The duties should be designed to increase the likelihood that the firm will detect, and independent directors will learn about, misconduct because this would enhance deterrence. Independent directors are more likely than management to objectively investigate, detect, terminate, and report the misconduct if given the incentives to do so.[2]

B. Promise and Limitations of Caremark

In In re Caremark International, Chancellor William Allen imposed duties on directors to ensure that their companies adopted an information and reporting system for deterring, detecting, and informing them about corporate misconduct and to exercise oversight over the system, including by responding to red flags.

Yet Caremark has not been effective in inducing boards to adopt effective compliance functions, or assert truly effective oversight over either compliance or corporate investigations. Though the decision professed to impose oversight duties on directors, it gave directors full discretion over the design of the firm’s compliance system and the type and nature of the oversight.  Chancellor Allen assumed that directors told to act in good faith on behalf of the firm would adopt effective systems to deter corporate crime—and would ensure they were informed about it.[3]

Chancellor Allen was mistaken for a simple reason: Corporate crime often is profitable. Thus, directors can often best serve their duty to maximize shareholder value by adopting weak compliance systems. Caremark gives directors sufficient discretion to serve shareholders’ interests at the expense of society’s interest in deterrence. Directors can most effectively oversee compliance by adopting systems to detect misconduct and inform them about it. The existence, nature, and distribution of detected misconduct is, after all, the best indicia of the effectiveness of the firm’s efforts to deter misconduct. Yet directors of firms that profit from misconduct have good reason not to produce or obtain this information because, once they are informed, they have a clear duty to terminate the misconduct or face liability if they do not.

C. Effective Directors’ Duties

Corporate law could materially enhance compliance by imposing duties on directors to (1) adopt internal systems designed to detect and to inform the directors about suspected violations of legal injunctions, (2) obtain regular reports about deficiencies in the firm’s oversight system and suspected material violations, and (3) oversee investigations of suspected material misconduct.

Courts should impose a duty to detect and ensure that directors are informed about material misconduct because boards cannot reliably assess the effectiveness of their firms’ compliance programs unless they receive, and assess, information about detected material misconduct and its root causes. Moreover, ensuring that directors receive this information triggers directors’ duty to terminate detected misconduct.

Unlike other fiduciary duties, which are imposed to benefit the firm and its shareholders, directors should have duties to detect and terminate misconduct even when the firm profits from it. Thus, these duties should be used to create—rather than eliminate—an agency cost, by giving directors a personal incentive to implement measures likely to deter misconduct even when likely to reduce corporate profits.

Courts should not require directors to become informed about every instance of misconduct. Companies are subject to a host of laws and regularly detect misconduct of varying significance to society. Directors’ time is precious; they should only have to be informed about detected misconduct that is material to the firm or society. Courts could restrict the enhanced oversight duties to legal risks whose violation presents significant probability of serious personal injury or death or where society has evidenced its heightened interest in compliance through intensive regulation, especially if it includes a duty to report detected violations or potential harms.

Imposing such duties on directors should reduce the expected duration, and thus the expected social cost, of misconduct. Directors informed about misconduct are legally obligated to terminate it. In addition, giving directors primary authority over investigations would help stop senior management from soft peddling the investigation to protect the firm’s and their own reputations or financial interests.

These information-acquisition duties also increase directors’ incentives to implement systems to deter misconduct because directors benefit less from misconduct when subject to duties that reduce its duration and magnitude. These duties also increase directors’ cost of misconduct as misconduct can trigger Caremark liability and impose reputational damage. Thus, even when the company profits from misconduct, directors obligated to obtain information about it may benefit from deterring it.

Finally, information-acquisition duties should promote corporate self-reporting, thereby increasing individual wrongdoers’ expected cost of engaging in misconduct. Directors are more likely than senior management to cause the firm to report to federal authorities because they are less likely to suffer personal costs as a result. Thus, this duty enhances corporate criminal liability’s ability to deter.

D. Caremark 2.0

Over the last several years, Delaware courts have modified the Caremark doctrine to impose duties on directors that appear consistent with the duties discussed above. Directors are required to adopt systems that inform them about misconduct, ensure that they receive this information regularly, and oversee investigations. These duties are sufficiently specific to create a standard for judging directors. As a result, derivative plaintiffs’ claims have survived motions to dismiss where defendants would have prevailed under Caremark’s original formulation.[4] Delaware courts have only imposed these duties when compliance with the law is particularly important. Most of the cases predicate enhanced duties on evidence that oversight of compliance with the legal duty in question was critical to the firm. This is consistent with a shareholder-centric view of the purpose of these duties. But in recent cases, the Delaware court appears to recognize that these enhanced oversight duties should be imposed when society has a strong interest in deterring misconduct because, for example, the violation risks serious personal injury or death to multiple people.

1. Marchand v Barnhill

Delaware’s first case imposing enhanced information-acquisition oversight duties is Marchand v Barnhill. Marchand involved a Caremark claim arising out of a listeria outbreak at an ice cream company, Blue Bell, that killed multiple people and sickened others. Plaintiffs claimed the board breached its duties by not ensuring that they were informed about either detected deficiency in the firm’s food safety systems or detected food safety problems (eg listeria).

Under Caremark’s original formulation, the plaintiff’s claim would have been (and was) dismissed because Blue Bell had a compliance program and the board exerted oversight of the firm’s procedures for ensuring food safety. But the Delaware Supreme Court concluded that because food safety was mission critical to the firm, the board could not satisfy its oversight duties unless it implemented procedures to inform the board about detected safety violations and ensured that it regularly received such reports. The board also had to oversee the investigation and resolution of those problems. 

The court declined to dismiss the complaint because plaintiffs created a reasonable belief that the board engaged in intentional and sustained neglect of its duty to be informed about food safety violations. It did not delegate responsibility to oversee food safety to a committee of the board, establish protocols to ensure that management apprised the full board about food safety, or establish a process to ensure that the board received information about adverse events. In addition,  there was no evidence in the board minutes that the board regularly discussed food safety [Marchand, 212 A3d at 822].

2. Teamsters Local 443 v Chou

In 2020, the Delaware court imposed enhanced Caremark 2.0 duties in circumstances in which the primary justification for imposing these enhanced duties appears to be society’s interest in protecting people from death and serious permanent injury. Teamsters Local 443 v Chou involved claims that the board of AmerisourceBergen Company breached its duties to ensure that its subsidiaries complied with laws governing the sale of cancer drugs. The board did not utterly neglect its duties. The firm had a compliance program, the chief compliance officer (CCO) reported to the board on efforts to improve compliance, and the board hired an outside law firm to identify weaknesses. Yet the Delaware court imposed enhanced Caremark 2.0 duties, which included a duty to ensure that the board was informed about the firm’s response to remediating detected violations. The court justified the heightened duties by stating that lack of compliance with laws in question were ‘mission critical risks.’ Yet compliance with these laws does not appear to have been mission critical to the firm. The suit was against the board of the parent company; the oversight duties involved activities in a subsidiary that accounted for only a small portion of the parent’s revenues. Instead, imposition of enhanced duties appears to rest on society’s strong interest in ensuring compliance with rules designed to protect pharmaceutical customers from injury and death.

3. In re Boeing Company Derivative Litigation

In Re Boeing Company Derivative Litigation involves Caremark claims for damages to the firm resulting from the crash of two Boeing 737 MAX planes. The court subjected the Boeing board to enhanced Caremark 2.0 duties for several reasons. First, Boeing operates ‘in the shadow of ‘essential and mission critical’ regulatory compliance risk.’ Second, Boeing’s products are widely distributed and used by consumers who could be killed by safety violations. Third, Boeing was subject to intensive regulation that included a duty to report detected safety problems.

The court found that the plaintiff could satisfy his burden to show that the board acted in bad faith because it failed to establish a system to inform it about plane safety or obtain information about plane safety. The board entirely neglected its duty to adopt systems to ensure it was informed about detected violations because it did not (1) establish a committee responsible for monitoring airplane safety, (2) regularly monitor, discuss, or address airplane safety, (3) establish a system to monitor for safety violations or ensure board oversight of detected problems; or (4) require management to apprise it of airplane safety problems. The court found scienter because the board knew that there was no committee focused on safety, knew they had not scheduled meetings to discuss it, and knew that they were not receiving regular updates on it.

The court also found that the plaintiff could show the board utterly failed to exert ongoing oversight by obtaining information about plane safety violations. Following the crash of Boeing’s first 737 MAX aircraft, directors failed to immediately request information about the causes of the crash and passively accepted the information provided by management without requiring an independent assessment, even after newspaper articles revealed a likely technical flaw with the plane.

E. Conclusion

Delaware courts are reforming Caremark to impose oversight duties on directors and officers that can potentially improve corporate compliance. In many companies, director oversight is limited to the firm’s policies and procedures. Compliance experts recognize that directors and officers cannot ensure that their companies comply with the law unless they also adopt measures to detect misconduct and ensure that independent directors are promptly informed about material misconduct and actively oversee its investigation and remediation. Delaware now requires directors to adopt measures to detect misconduct that is most material to the firm and to society and engage in its investigation, termination, and remediation. Such information-acquisition duties can give effect to Delaware’s directorial duty not to violate the law by increasing the likelihood that directors learn about misconduct and thus feel pressured to terminate it.

Jennifer Arlen is the Norma Z. Paige Professor of Law and Director of the Program on Corporate Compliance and Enforcement at New York University School of Law.

[1] For example, directors and officers of firms that are at risk of failing or are materially under-performing relative to peers may benefit from committing or overlooking evidence of securities fraud designed to make the company look healthier than it is, even when shareholders are harmed by, and would want to deter, the misconduct. See Jennifer Arlen & William J. Carney, Vicarious Liability for Fraud on Securities Markets: Theory and Evidence, 1992 U. Ill. L. Rev. 691 (1992). In addition, companies may enable CEOs to assault employees or others for their personal benefit, even when such acts harm the firm, because other executives fear reprisals from the CEO should they intervene. Cf Ken Auletta, Hollywood Ending: Harvey Weinstein and the Culture of Silence (2022).

[2] For a discussion of the optimal structure of corporate liability, see, eg Jennifer Arlen & Lewis Kornhauser, Battle for Our Souls: A Psychological Justification for Corporate and Individual Liability for Organizational Misconduct, U. Ill. L. Rev. (forthcoming); Jennifer Arlen, The Potential Promise and Perils of Introducing Deferred Prosecution Agreements Outside the U.S., in Negotiated Settlements in Bribery Cases: A Principled Approach 156 (Abiola Makinwa & Tina Søreide eds, 2020).

[3] See Jennifer Arlen, The Story of Allis-Chalmers, Caremark, and Stone: Directors’ Evolving Duty to Monitor, 323, in Corporate Stories (J. Mark Ramseyer ed., 2009) (discussing William Allen’s rationale in formulating Caremark); Jennifer Arlen, Evolution of Director Oversight Duties and Liability under Caremark: Using Enhanced Information-Acquisition Duties in the Public Interest, Research Handbook on Corporate Liability (Martin Petrin & Christian Witting eds., forthcoming 2023).

[4] Recent Caremark cases where plaintiffs have survived motions to dismiss for failure to make a demand include Marchand v Barnhill, 212 A3d 805 (Del. 2019); Chou, No CV 2019-0816-SG; In re Clovis Oncology, Inc. Derivative Litig., No CV 2017-0222-JRS (Del. Ch. Oct. 1, 2019); In re Boeing Co. Derivative Litig., No CV 2019-0907-MTZ, 2021 WL 4059934 (Del. Ch. Sept. 7, 2021). Plaintiffs have prevailed in gaining the right to inspect corporate books and records under § 220 based on claims of mismanagement arising from credible evidence of misconduct in the following cases:  Lebanon Cty. Employees' Ret. Fund v AmerisourceBergen Corp., No CV 2019-0527-JTL (Del. Ch. Jan. 13, 2020), aff'd, 243 A3d 417 (Del. 2020); In re Facebook, Inc. Section 220 Litig., No CV 2018-0661-JRS (Del. Ch. May 30, 2019), as revised (May 31, 2019), judgment entered sub nom. In re Facebook, Inc. (Del. Ch. 2019).