Insights from the Delaware courts on board oversight of compliance programs

By Rebecca Walker, JD

Rebecca Walker (rwalker@kaplanwalker.com) is a partner in the law firm of Kaplan & Walker LLP, located in Santa Monica, California, and Princeton, New Jersey, USA.

Since the Delaware Chancery Court’s decision in the Caremark[1] case in 1996, it has been understood that boards of directors owe a fiduciary duty to oversee an organization’s compliance monitoring and reporting systems. Or, to use the court’s language in that case, boards cannot “satisfy their obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning...the corporation’s compliance with law....”

Since Caremark, it has also been clear that holding directors personally liable for misconduct at an organization (for failure to exercise their duty to be reasonably informed) is quite difficult. Indeed, according to the Delaware courts, it is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”[2]

This high bar for liability has resulted in a large number of dismissed cases over the intervening years. However, in 2019, in two different cases, Delaware courts refused to dismiss plaintiffs’ Caremark claims on summary judgment, allowing the cases to proceed. Although the courts gave no indication that their decisions were intended to modify existing law, the decisions do further expand on Caremark in a way that is important for compliance and ethics professionals to be aware of. Robust and engaged board oversight of compliance systems is necessary to afford a compliance program the level of independence and authority that is required for effectiveness, and these cases offer a rare (from the Delaware courts, at least) opportunity for organizations to revisit the topic of board oversight of compliance. In this article, we will review both of the recent cases with that in mind. But first, a little background on Delaware law in this area.

Caremark and Stone v. Ritter

In Caremark, the plaintiff shareholders had sought to hold the company’s directors liable for the damages resulting from violations of certain federal and state laws governing healthcare fraud. The complaint alleged that the directors had (through their failure of oversight) allowed misconduct to occur, which exposed the organization to liability, and thereby violated a duty to monitor the company’s compliance with legal requirements. The Caremark case established that directors have a duty to “be reasonably informed concerning the corporation,” including assuring themselves that there are systems in place to permit the board to oversee the company’s compliance with law. In other words, boards must make some effort to ensure that they are being kept appropriately apprised of a company’s compliance.

However, Caremark and subsequent cases also made clear that—while director liability is possible—it presents a high bar for success. The Caremark court described it thus: “Only a sustained or systematic failure of the board to exercise oversight such as an utter failure to attempt to assure a reasonable information and reporting system exists will establish the lack of good faith that is a necessary condition to liability.”[3]

Ten years after Caremark, in the 2006 case of Stone v. Ritter,[4] the Delaware Supreme Court affirmed the Chancery Court’s Caremark holding, stating that directors may be held liable for misconduct that occurs on their watch if they either completely failed to implement a reporting or information system or controls or, “having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.”[5] The court further held that, in a case such as Stone, where information failed to reach the board because of ineffective internal controls, but information systems had been established and the directors neither knew nor should have known of the violations of law, there had been no violation of the duty of good faith.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. By submitting this form, you are agreeing to receive updates, offers, and communications related to SCCE & HCCA products and services. You can opt out of receiving such communications at any time by clicking the unsubscribe link in our emails. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings