Firemen's Retirement System of St. Louis v. Arne M. Sorenson, et al. (Marriott International, Inc.)
Annotate this Case
Download PDF
IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE FIREMEN’S RETIREMENT SYSTEM OF ST. LOUIS, derivatively on behalf of Marriott International, Inc., Plaintiff, v. ARNE M. SORENSON, J.W. MARRIOTT, JR., KATHLEEN K. OBERG, DEBORAH MARRIOTT HARRISON, BAO GIANG VAL BAUDUIN, BRUCE HOFFMEISTER, STEPHANIE C. LINNARTZ, ERIC HIPPEAU, LAWRENCE W. KELLNER, GEORGE MUÑOZ, MARY K. BUSH, DEBRA L. LEE, FREDERICK A. HENDERSON, AYLWIN B. LEWIS, BRUCE W. DUNCAN, W. MITT ROMNEY, STEVEN S. REINEMUND, and SUSAN C. SCHWAB, Defendants, and MARRIOTT INTERNATIONAL, INC., a Delaware Corporation, Nominal Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) C.A. No. 2019-0965-LWW MEMORANDUM OPINION Date Submitted: July 7, 2021 Date Decided: October 5, 2021 Samuel L. Closic and Eric Juray, PRICKETT, JONES & ELLIOTT, P.A., Wilmington, Delaware; Brian J. Robbins, Craig W. Smith, Gregory E. Del Gaizo, and Emily R. Bishop, ROBBINS LLP, San Diego, California; Counsel for Plaintiff Firemen’s Retirement System of St. Louis Raymond J. DiCamillo and John M. O’Toole, RICHARDS, LAYTON & FINGER, P.A., Wilmington, Delaware; Jason J. Mendro and Jeffrey S. Rosenberg, GIBSON, DUNN & CRUTCHER LLP, Washington, D.C.; Adam H. Offenhartz and Laura Kathryn O’Boyle, GIBSON, DUNN & CRUTCHER LLP, New York, New York; Counsel for Defendants Arne M. Sorenson, J.W. Marriott, Jr., Kathleen K. Oberg, Deborah Marriott Harrison, Bao Giang Val Bauduin, Bruce Hoffmeister, Stephanie C. Linnartz, Eric Hippeau, Lawrence W. Kellner, George Muñoz, Mary K. Bush, Debra L. Lee, Frederick A. Henderson, Aylwin B. Lewis, Bruce W. Duncan, W. Mitt Romney, Steven S. Reinemund, and Susan C. Schwab, and Nominal Defendant Marriott International, Inc. WILL, Vice Chancellor In the fall of 2018, Marriott International, Inc. discovered a data security breach that had exposed the personal information of up to 500 million guests. An investigation revealed that the cyberattack was perpetrated through the reservation database of Starwood Hotels and Resorts—which Marriott had acquired two years prior—and had begun in 2014. Marriott publicly announced the incident on November 30, 2018. A series of stockholder and consumer actions followed. The stockholder plaintiff in this action brought a derivative lawsuit against several key executives and Marriott’s directors for breaches of fiduciary duty. The plaintiff’s claims are based on the defendants’ conduct both before and after the acquisition of Starwood. Regarding the pre-acquisition time period, the plaintiff alleges that the defendants breached their fiduciary duties by failing to conduct adequate due diligence of Starwood’s cybersecurity technology. Regarding the postacquisition period, the plaintiff alleges that the defendants continued to operate Starwood’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under Caremark. The defendants have moved to dismiss the complaint for failure to plead demand futility. In this decision, I conclude that demand was not excused because none of the director defendants faces a substantial likelihood of liability on a non-exculpated claim. First, the plaintiff’s claims regarding pre-acquisition due diligence are time 1 barred. They arose more than three years before the plaintiff’s complaint was filed and no basis for tolling applies. Second, none of the directors face a substantial likelihood of liability under Caremark. Cybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors. But the allegations in the complaint do not meet the high bar required to state a Caremark claim. The plaintiff has not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures. Finally, the plaintiff’s claim based on unmet notification requirements is also unsupported by allegations of bad faith. The Marriott board therefore retained its ability to assess whether to pursue litigation on behalf of the company. Demand is not excused. The motion to dismiss is granted pursuant to Court of Chancery Rule 23.1. I. BACKGROUND Unless otherwise noted, the following facts are drawn from the Amended Verified Stockholder Derivative Complaint and the documents it incorporates by 2 reference.1 Any additional facts are either not subject to reasonable dispute or are subject to judicial notice.2 A. The Starwood Acquisition Nominal defendant Marriott International, Inc. (the “Company”) is a Delaware corporation headquartered in Bethesda, Maryland.3 Founded in 1927, Marriott is one of the largest hospitality companies in the world.4 Marriott operates, Verified Am. Deriv. Compl. (“Am. Compl.”) (Dkt. 33). See Winshall v. Viacom Int’l, Inc., 76 A.3d 808, 818 (Del. 2013) (“[A] plaintiff may not reference certain documents outside the complaint and at the same time prevent the court from considering those documents’ actual terms.” (quoting Fletcher Int’l, Ltd. v. ION Geophysical Corp., 2011 WL 1167088, at *3 n.17 (Del. Ch. Mar. 29, 2011))); Freedman v. Adams, 2012 WL 1345638, at *5 (Del. Ch. Mar. 30, 2012) (“When a plaintiff expressly refers to and heavily relies upon documents in her complaint, these documents are considered to be incorporated by reference into the complaint . . . .”). The parties agreed that documents produced by Marriott pursuant to 8 Del. C. § 220 would be deemed incorporated into any complaint the plaintiff filed. See Defs.’ Opening Br. 8 n.2 (Dkt. 40); Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752, 797 (Del. Ch. 2016). Citations in the form “Defs.’ Ex. __” refer to exhibits to the Transmittal Declaration of John M. O’Toole, Esq. in Support of Defendants’ Opening Brief in Support of their Motion to Dismiss the Verified Amended Stockholder Derivative Complaint (Dkt. 41, 66). Page numbers to these exhibits are designated by the last four digits of a Bates number, where appropriate. 1 2 See, e.g., In re Books–A–Million, Inc. S’holders Litig., 2016 WL 5874974, at *1 (Del. Ch. Oct. 10, 2016) (“This court may consider the Proxy Statement to establish what was disclosed to stockholders and other facts that are not subject to reasonable dispute.” (citing In re Gen. Motors (Hughes) S’holder Litig., 897 A.2d 162, 170 (Del. 2006)); Lima Delta Co. v. Glob. Aerospace, Inc., 2017 WL 4461423, at *4 (Del. Super. Oct. 5, 2017) (explaining that dockets, pleadings, and transcripts from a foreign action are subject to judicial notice). 3 Am. Compl. ¶ 19. 4 Id. ¶ 49. 3 manages, and franchises a broad portfolio of over 6,900 hotels and lodging facilities.5 On November 16, 2015, Marriott announced its intent to acquire Starwood Hotels and Resorts Worldwide, Inc. (the “Acquisition”), a hotel and leisure company whose brands included W Hotels, St. Regis, and Le Meridien.6 At that time, Starwood had more than 1,270 properties providing approximately 360,000 rooms in 100 countries.7 Marriott and Starwood would together create a more globally diversified company operating or franchising more than 5,500 hotels and 1.1 million rooms worldwide.8 In discussing the Acquisition, Marriott’s then-President and Chief Executive Officer, Arne M. Sorenson,9 described Starwood’s guest loyalty program, Starwood Preferred Guest, as the “central, strategic rationale for the transaction” and the “most important piece of the [A]cquisition.”10 Starwood Preferred Guest had a devoted 5 Id. ¶¶ 19, 69. 6 Id. ¶¶ 1, 104. 7 Defs.’ Ex. 29 at 8. 8 Id. at 97. 9 On February 16, 2021, Marriott announced that Sorenson passed away on February 15, 2021. Marriott International, Inc. (Form 8-K) (Feb. 16, 2021). Sorenson had served as Marriott’s President from May 2009 and Chief Executive Officer from May 2012 until his passing. Am. Compl. ¶ 20. 10 Id. ¶ 78. 4 following of business travelers. Acquiring the program would expand Marriott’s client base, increase its brand loyalty, and enhance the Company’s ability to compete in an evolving global marketplace.11 B. Marriott’s Due Diligence and Starwood’s Data Security Eleven months of due diligence commenced in late 2015, with ten months passing between the signing of the Agreement and Plan of Acquisition on November 15, 2015 and closing on September 23, 2016.12 During that time, the Company, and Sorenson in particular, publicly touted Marriott’s “extensive” diligence into Starwood and “joint integration planning” efforts.13 In the midst of the Company’s diligence of Starwood, Marriott’s Board of Directors ranked cybersecurity as the number one risk facing Marriott in 2016.14 The Board at that time consisted of 11 members: defendants Sorenson, J.W. Marriott, Jr. (the Company’s Executive Chairman and Chairman of the Board), Deborah Marriott Harrison (the Company’s Global Cultural Ambassador Emeritus), Lawrence W. Kellner, George Muñoz, Mary K. Bush, Debra L. Lee, Frederick A. Henderson, Steven S. Reinemund, Susan C. Schwab, and W. Mitt Romney (together, 11 Id. ¶¶ 75, 81; Defs.’ Ex. 29 at 97. 12 Am. Compl. ¶¶ 87, 109. 13 Id. ¶¶ 179-81. 14 Id. ¶ 100. 5 the “Pre-Acquisition Board”).15 Despite knowing that cybersecurity was a pervasive risk in the hospitality industry that could affect Marriott’s ability to achieve its goals,16 the Pre-Acquisition Board did not order any specific due diligence into cybersecurity in connection with the planned Acquisition.17 On November 20, 2015—five days after Marriott and Starwood signed the merger agreement—Starwood disclosed that the point-of-sale systems at 54 of its hotels in North America had been infected by malware. 18 Several months later, an internal Marriott report summarizing the costs of integrating the Marriott Guest Loyalty and Starwood Preferred Guest databases noted that Starwood’s systems lacked certain protections such as tokenization—the process of replacing sensitive data with unique identification symbols—and point-to-point encryption across its point-of-sale systems.19 None of this information reached the Board before the Acquisition closed. 15 Id. ¶¶ 20-21, 23, 28-32, 35-37. 16 Id. ¶ 100. 17 Id. ¶ 5. 18 Id. ¶¶ 79, 88. 19 Id.; see Kevin Batchelor, What is Tokenization, and Why Is It So Important?, Forbes (Apr. 19, 2019). 6 C. Starwood’s Information Security Systems Post-Closing Cybersecurity remained a “top level risk[]” for Marriott after the $13 billion Acquisition of Starwood closed on September 23, 2016. 20 Cybersecurity was viewed by the Board as the second biggest risk facing Marriott for fiscal year 2017.21 By then, Marriott’s data systems included Starwood’s legacy systems, some of which remained in use post-Acquisition.22 The Board and Audit Committee were routinely apprised of cybersecurity issues after the Acquisition.23 On February 8, 2017, for example, the Audit Committee—comprised of director defendants Henderson, Bush, Aylwin B. Lewis, and Muñoz—was told by Marriott’s independent auditor Ernst & Young that audit committees were “expected to have an understanding of the business implications of cyber risks.”24 Internal Audit and Chief Audit Executive Keri Day also told the Audit Committee that Marriott had “established a Security Operations Center (SOC), an Incident Response (IR) plan, and related procedures” because its “incident 20 Am. Compl. ¶¶ 76, 121. 21 Id. ¶ 121. 22 Id. ¶¶ 126-27. 23 Id. ¶ 118. 24 Id. ¶ 118; Defs.’ Ex. 12 at 1238, 1240. 7 response plan [wa]s not up to date.”25 Day further reported that “[t]he Company [wa]s actively evaluating Starwood’s exposures to cybersecurity risks.”26 At a regularly scheduled meeting on February 10, 2017, the Marriott Board— which now included former Starwood directors Bruce W. Duncan, Eric Hippeau, and Lewis (together with the Pre-Acquisition Board members, the “Post-Acquisition Board”)—was allegedly told for the first time about deficiencies in Starwood’s cybersecurity controls.27 During the February 10, 2017 meeting, defendant Bruce Hoffmeister, Marriott’s Global Chief Information Officer, gave a presentation titled “Marriott Cybersecurity Report” to the full Post-Acquisition Board.28 Hoffmeister discussed various steps that Marriott had taken to protect against data breaches, including the engagement of a “specialized security company” to manage its “Security Operations Center.”29 The “primary” step Marriott had taken to protect its own systems was tokenization.30 Hoffmeister told the Board that a review of Starwood’s legacy data systems “revealed that, while there was a vibrant framework, tokenization was not adopted 25 Am. Compl. ¶ 119; Defs.’ Ex. 11 at 1118. 26 Am. Compl. ¶ 118; Defs.’ Ex. 11 at 1067. 27 Am. Compl. ¶¶ 123-24. 28 Id. ¶ 122; Defs.’ Ex. 14 at 1279. 29 Defs.’ Ex. 14 at 1282. 30 Am. Compl. ¶ 126; Defs.’ Ex. 13 at 1249. 8 as a matter of course.”31 He described early findings by PricewaterhouseCoopers (“PwC”), which Marriott had hired post-Acquisition to conduct a “Starwood Security Program Assessment.”32 Hoffmeister’s presentation explained that, in addition to not mandating tokenization, Starwood’s “[b]rand standards did not mandate [payment card industry (‘PCI’)] compliance . . . or point-to-point encryption.”33 The Payment Card Industry Data Security Standard (“PCI DSS”) is a set of security standards required by credit card companies to ensure the security of credit card transactions in the payment industry.34 The Board was also informed about PwC’s four “Key Recommendations” for Marriott to “[u]pdate Starwood’s brand standards,” including mandating PCI and setting clear cybersecurity expectations.35 Consistent with PwC’s recommendation, Hoffmeister advised the Board on February 10, 2017 that there would be efforts to implement tokenization across Starwood’s data systems.36 31 Am. Compl. ¶ 124. Defs.’ Ex. 13 at 1250. 32 Am. Compl. ¶ 124; Defs.’ Ex. 14 at 1287-88. 33 Am. Compl. ¶¶ 124, 126; Defs.’ Ex. 13 at 1249-50; Defs.’ Ex. 14 at 1288. 34 Am. Compl. ¶ 53. 35 Id. ¶ 125; Defs.’ Ex. 14 at 1287-88. 36 Defs.’ Ex. 13 at 1250. 9 D. Ongoing Migration of Starwood’s Systems The full Post-Acquisition Board was next updated on cybersecurity at a regularly scheduled meeting held on February 9, 2018.37 At that meeting, defendant Chief Financial Officer Kathleen K. Oberg advised the Board that Marriott had undertaken several “Key Mitigating Activities” to address the Company’s top risks including cybersecurity.38 Those activities included adopting new technologies to strengthen cybersecurity and “[m]igration of Starwood systems to the Marriott established technology standards” with a September 2019 estimated completion date.39 In addition, Marriott had “implement[ed] patching compliance tools and reporting framework within Starwood environments.”40 On May 3, 2018, Ernst & Young presented to the Audit Committee an assessment of “the effectiveness of the Company’s controls over IT risks,” which included “testing the conversion of Starwood legacy activities” to new systems.41 On August 9, 2018, Hoffmeister updated the full Board on “Noteworthy Security Events/Incidents,” including 4 cybersecurity events which involved legacy 37 Am. Compl. ¶ 127; Defs.’ Ex. 16 at 1394. 38 Am. Compl. ¶ 130. 39 Id. ¶ 127; Defs.’ Ex. 15 at 1386. 40 Am. Compl. ¶ 127; Defs.’ Ex. 15 at 1386. 41 Defs.’ Ex. 17 at 1496. 10 Starwood systems.42 Those incidents included a cyberattack on a legacy Starwood franchise network and malware found on a legacy Starwood server utilized by the Marriott Law Department.43 Hoffmeister “confirmed there were no successful attempts to download [or] install” the malware onto that server.44 Hoffmeister also reported that the Company had “engaged a consultant to execute a cybersecurity assessment.”45 E. Discovery of a Starwood Guest Reservation Database Breach On September 7, 2018, Marriott received an alert that an unknown user had run a query in Starwood’s guest reservation database.46 A third party contractor that managed the guest reservation database informed Marriott’s Information Technology department about the incident the following day.47 Ten days later, on September 17, 2018, outside investigators engaged by Marriott uncovered malware on Starwood’s system that had the potential to access, surveil, and gain Am. Compl. ¶ 128; Defs.’ Ex. 19 at 1741; Defs.’ Ex. 20 at 1783-90. Lewis was absent from the meeting. Defs.’ Ex. 19 at 1741. 42 Am. Compl. ¶ 128; Defs.’ Ex. 20 at 1783, 1790. No guest data was lost from the franchise network attack. Id. at 1790. 43 44 Id. at 1783. 45 Defs.’ Ex. 19 at 1746. 46 Am. Compl. ¶¶ 8, 133. 47 Id. at ¶ 133. 11 administrative control over the system computer.48 Marriott’s Information Technology department informed Sorenson about the ongoing investigation the same day.49 On September 18, 2018, Sorenson notified the Board.50 The Company notified the FBI of the intrusion on October 29, 2018 after Marriott’s investigators found evidence of other malware in Starwood’s database, including malware that hackers use to search a device for usernames and passwords.51 The Company’s investigation continued into November 2018, with the Board and Audit Committee receiving regular updates from management and privileged briefings from Marriott’s General Counsel.52 In early November 2018, Marriott learned that the breach began as far back as July 2014.53 On November 13, 2018, “[Marriott’s] investigators discovered evidence that two compressed encrypted files had been deleted from a device they were examining.”54 On November 19, 2018, 48 Id. 49 Id. ¶ 136. 50 Id. 51 Id. ¶¶ 137-38. E.g., id. ¶¶ 139-42; Defs.’ Ex. 21 at 1946; Ex. 22 at 2079; Ex. 23 at 2084; see also Defs.’ Exs. 25-27. 52 53 Am. Compl. ¶ 139. 54 Defs.’ Ex. 28 at 2743. 12 the Company discovered that those files contained customers’ personal information.55 Eleven days later, on November 30, 2018, the Company publicly announced the data security incident.56 Marriott’s press release explained that there had been unauthorized access to the Starwood network since 2014 that exposed the personal information of approximately 500 million guests.57 The exploited information included guests’ names, passport numbers, birth dates, email and mailing addresses, payment card details, and Starwood Preferred Guest account information.58 The cyber attack resulted in one of the biggest data breaches in history.59 55 Am. Compl. ¶ 140; Defs.’ Ex. 28 at 2743. 56 Am. Compl. ¶¶ 140-41, 143. Id. ¶ 143; see also Defs.’ Ex. 28 at 2744 (Sorenson stating that the Breach involved less than 383 million unique guests). 57 58 Am. Compl. ¶ 143. Id. ¶ 217 (calling the incident the “second largest data breach in history”); see Aisha AlMuslim, Dustin Volz, and Kimberly Chin, Marriott Says Starwood Data Breach Affects Up to 500 Million People, Wall St. J. (Nov. 30, 2018); Nicole Perlroth, Amie Tsang, and Adam Satariano, Marriott Hacking Exposes Data of Up to 500 Million Guests, N.Y. Times (Nov. 30, 2018) (“The assault . . . was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.”). 59 13 Marriott’s stock price dropped by more than 5.5% following the announcement.60 In the weeks that followed, the stock price dropped $15.45 per share (more than 12%) from its high on November 29, 2018.61 F. Federal Lawsuits and Regulatory Investigations Numerous lawsuits and regulatory investigations followed Marriott’s November 30, 2018 announcement. Attorneys general of all 50 states and the District of Columbia, the Securities and Exchange Commission, the Federal Trade Commission, and certain committees of the U.S. Senate and House of Representatives, among others, opened investigations into the data breach.62 Marriott also faced class action lawsuits for violations of federal securities laws, violations of state and federal consumer protection laws, and violations of state disclosure laws. Those lawsuits, along with a lawsuit by a financial institution accusing Marriott of failing to perform adequate due diligence during the acquisition, were consolidated for multi-district litigation (the “Federal Action”) in the United States District Court for the District of Maryland.63 60 Am. Compl. ¶ 151. 61 Id. 62 Id. ¶¶ 14, 152-54. In re Marriott Int’l Inc., Customer Data Sec. Breach Litig., 2021 WL 2401641, at *1-3 (D. Md. June 11, 2021). 63 14 With respect to the consumer class action, the District of Maryland denied, in part, Marriott’s motion to dismiss certain “bellwether” claims that the parties had selected to test the sufficiency of the pleadings. In doing so, the court held that the consumer plaintiffs plausibly stated claims that Marriott had violated the Maryland Personal Information Privacy Act’s requirement to provide “timely notice to customers affected by [a] breach” by “fail[ing] to disclose the data breach for more than two months.”64 The court similarly denied Marriott’s motion under Michigan’s Identity Theft Protection Act, which also required timely notice to consumers.65 As for the federal securities law claims, the District of Maryland held that the statements challenged by the plaintiffs—including statements about due diligence and integration, risk factors, and protection of customer data—were not materially false or misleading and dismissed those claims with prejudice.66 Delaware state law claims for breach of fiduciary duty, waste of corporate assets, and unjust enrichment were also dismissed without prejudice.67 In re Marriott Int’l Inc. Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 488 (D. Md. 2020). 64 65 Id. at 490. 66 Marriott, 2021 WL 2401641, at *6-7. 67 Id. at *19. 15 G. This Derivative Litigation The plaintiff filed this derivative action on December 3, 2019 after obtaining roughly 3,000 pages of documents from the Company pursuant to 8 Del. C. § 220.68 The plaintiff’s books and records request was limited to Board-level “cybersecurity” documents since May 23, 2014.69 On March 16, 2020, the plaintiff filed an amended complaint, the operative complaint in this action (the “Complaint”).70 The Complaint asserts a single claim for breach of fiduciary duty against 13 of the 14 directors who served on the Board when the Complaint was filed (i.e., the Post-Acquisition Board), several officers, and one former director (Romney).71 The claim is based on allegations that the individual defendants breached their fiduciary duties by (1) failing to “undertake cybersecurity and technology due diligence” during the Acquisition; (2) failing to implement adequate internal controls after the Acquisition; and (3) concealing the data security incident until November 30, 2018.72 68 Defs.’ Opening Br. 16. Am. Compl. ¶ 107; see Pl.’s Answering Br. 23 n.10 (Dkt. 51). The production did not include officer-level documents. Id.; Mot. to Dismiss Hr’g Tr. 55 (noting that the plaintiff did not press to receive a beneath-the-board Section 220 production). 69 70 Dkt. 33. 71 Am. Compl. ¶¶ 20-37. The four officer defendants are Oberg, Hoffmeister, Bao Giang Val Bauduin (Marriott’s Controller and Chief Accounting Officer), and Stephanie C. Linnartz (Marriott’s Chief Commercial Officer and Executive Vice President). Am. Compl. ¶¶ 22, 24-26. 72 Id. ¶¶ 20-37, 246-47. The Complaint also advances other theories for breach of fiduciary duty such as “violating the Company’s Guidelines” and suggests that certain defendants 16 On April 30, 2020, the defendants moved to dismiss the Complaint.73 After the reassignment of this matter from then-Chancellor Bouchard, I heard re-argument on the motion to dismiss on July 7, 2021.74 II. ANALYSIS The defendants have moved to dismiss the Complaint under Court of Chancery Rule 23.1 for failure to make a demand on the Board. For the reasons explained below, I conclude that demand was not excused. The Complaint is therefore dismissed in its entirety. A. The Legal Standard for Demand Excusal “The decision whether to initiate or pursue a lawsuit on behalf of the corporation is generally within the power and responsibility of the board of directors.”75 A stockholder plaintiff can pursue claims belonging to the corporation if (1) the corporation’s directors wrongfully refused a demand to authorize the could not impartially consider a demand because of the Securities Class Action. See Am. Compl. ¶ 238. But these issues were not briefed or pressed at argument. Issues not briefed are waived. See, e.g., Emerald P’rs v. Berlin, 726 A.2d 1215, 1224 (Del. 1999). The plaintiff also withdrew its assertions of breach of fiduciary duty based on disclosure violations after overlapping claims were dismissed in the Federal Action. See Mot. to Dismiss Hr’g Reargument Tr. at 67 (hereinafter “Reargument Hr’g Tr.”) (Dkt. 87); Marriott, 2021 WL 2407518, at *45. 73 Dkt. 39. 74 Dkt. 87. In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106, 120 (Del. Ch. 2009) (citing 8 Del. C. § 141(a)). 75 17 corporation to bring the suit or (2) a demand would have been futile because the directors were incapable of impartially considering the demand.76 Because the plaintiff did not make a demand on Marriott’s Board, the Complaint must plead particularized factual allegations establishing that demand was excused.77 The parties initially debated whether the Aronson or Rales standard for assessing demand excusal should apply.78 The defendants argued that the Rales standard applied because the plaintiff’s claims are predicated upon the Board’s alleged failure to act and not a challenge to an affirmative decision.79 The plaintiff agreed that Rales applied other than to the claim challenging the Board’s decision to complete the Acquisition without conducting cybersecurity due diligence, which it argued should be analyzed under Aronson.80 That question became moot after the Delaware Supreme Court’s decision in United Foods & Commercial Workers Union v. Zuckerberg.81 There, the Court held that it is “no longer necessary to determine whether the Aronson test or the Rales 76 See Rales v. Blasband, 634 A.2d 927, 932 (Del. 1993). 77 Ct. Ch. R. 23.1; see, e.g., Guttman v. Huang, 823 A.2d 492, 499 (Del. Ch. 2003). 78 See Aronson v. Lewis, 473 A.2d 805, 814 (Del. 1984) overruled on other grounds by Brehm v. Eisner, 746 A.2d 244 (Del. 2000); Rales 634 A.2d at 932-935. 79 Defs.’ Reply Br. 5 (Dkt. 65). 80 Pl.’s Answering Br. 20-22. 81 2021 WL 4344361 (Del. 2021). 18 test governs a complaint’s demand-futility allegations.”82 Instead, the Court adopted a three-part “universal test” for assessing demand futility that is “consistent with and enhances” Aronson, Rales, and their progeny, which “remain good law.”83 Going forward: Delaware courts should ask the following three questions on a directorby-director basis when evaluating allegations of demand futility: (i) whether the director received a material personal benefit from the alleged misconduct that is the subject of the litigation demand; (ii) whether the director faces a substantial likelihood of liability on any of the claims that would be the subject of the litigation demand; and (iii) whether the director lacks independence from someone who received a material personal benefit from the alleged misconduct that would be the subject of the litigation demand or who would face a substantial likelihood of liability on any of the claims that are the subject of the litigation demand.84 Demand is excused as futile if “the answer to any of the questions is ‘yes’ for at least half of the members of the demand board.”85 The “analysis is conducted on a claimby-claim basis.”86 82 Id. at *17. 83 Id. 84 Id. 85 Id. 86 Beam v. Stewart, 833 A.2d 961, 977 (Del. Ch. 2003). 19 While engaging in this analysis, I confine myself to the well-pleaded allegations of the Complaint, the documents incorporated into the Complaint by reference, and facts subject to judicial notice.87 All reasonable inferences from the allegations in the Complaint are drawn in favor of the plaintiff.88 “Rule 23.1 is not satisfied by conclusory statements or mere notice pleading.”89 Instead, “[w]hat the pleader must set forth are particularized factual statements that are essential to the claim.”90 B. The Demand Excusal Analysis in This Case “The court ‘counts heads’ of the members of a board to determine whether a majority of its members are disinterested and independent for demand futility purposes.”91 The Board in place when this litigation was filed had 14 members: the Post-Acquisition Board members (Sorenson, Marriott, Jr., Harrison, Kellner, Muñoz, Bush, Lee, Henderson, Reinemund, Schwab, Duncan, Hippeau, and Lewis), excluding Romney who was replaced by non-party Margaret M. McCarthy 87 See, e.g., White v. Panic, 783 A.2d 543, 546-47 (Del. 2001); see also Gen. Motors, 897 A.2d at 170. 88 Brehm, 746 A.2d at 255. 89 Id. at 254. 90 Id. 91 See In re Zimmer Biomet Hldgs. Inc. Deriv. Litig., 2021 WL 3779155, at *10 (Del. Ch. Aug. 25, 2021). 20 (together, the “Demand Board”).92 The plaintiff does not challenge the impartiality of McCarthy. Nor does the plaintiff claim that any director received a material personal benefit from the challenged conduct. The plaintiff only alleges that four members of the Demand Board— Sorenson, Marriott, Jr., Harrison, and Reinemund—lack (or lacked) independence.93 Even if the plaintiff could sufficiently demonstrate that these four directors lacked independence, it must also impugn the disinterestedness of at least three others to show that a majority of the Demand Board could not consider a demand.94 The plaintiff attempts to make that showing by arguing that the Post-Acquisition Board members all face a substantial likelihood of personal liability.95 “To establish a substantial likelihood of liability at the pleading stage, a plaintiff must ‘make a threshold showing, through the allegation of particularized facts, that their claims have some merit.’”96 Because Marriott’s certificate of incorporation contains a provision exculpating its directors for breaches of the duty 92 Am. Compl. ¶¶ 20-21, 23, 27-37, 227. 93 Pl.’s Answering Br. 59. 94 See Zuckerberg, 2021 WL 4344361, at *17. 95 Pl.’s Answering Br. 20-21. In re TrueCar, Inc. S’holder Deriv. Litig., 2020 WL 5816761, at *12 (Del. Ch. Sept. 30, 2020) (quoting Rales, 634 A.2d at 934). 96 21 of care, as permitted under 8 Del. C. § 102(b)(7),97 “the plaintiff[] must plead with particularity facts that support a meritorious claim for breach of the duty of loyalty.”98 The Complaint focuses on three areas of potential liability based on the Board’s alleged failure to: (1) conduct pre-Acquisition due diligence into Starwood’s cybersecurity; (2) remedy deficiencies in Starwood’s information protection systems post-Acquisition; and (3) timely disclose the data security incident. The outcome of my analysis on each issue is that none of the Post-Acquisition Board members face a substantial likelihood of liability for a non-exculpated claim. Any claim based on pre-Acquisition due diligence is time-barred. The remaining claims fall short of pleading a breach of the directors’ duty of loyalty. At least 10 of the 14 Demand Board members were therefore both disinterested and independent with respect to a pre-suit litigation demand. I need not decide whether the remaining four directors lacked independence. 1. The Plaintiff’s Challenge to Pre-Acquisition Due Diligence is Time Barred. The plaintiff asserts that the 11 members of the Pre-Acquisition Board face a substantial likelihood of personal liability for their “decision to complete the 97 Defs.’ Ex. 4 at 12. 98 Zimmer, 2021 WL 3779155, at *12; see Zuckerberg, 2021 WL 4344361, at *8-15 (holding that exculpated care claims do not satisfy the second prong of Aronson and do not render a director incapable of impartially considering a litigation demand). 22 Acquisition without conducting any due diligence into Starwood’s cybersecurity.”99 The defendants contend that the claim is time barred.100 Delaware’s three-year statute of limitations applies by analogy to equitable claims seeking legal relief.101 Absent tolling, the limitations period “begins to run from the time of the [allegedly] wrongful act, without regard for whether the plaintiff became aware of the wrongdoing at that time.”102 Here, the plaintiff’s breach of fiduciary duty claim seeking monetary damages is subject to the analogous three-year statute of limitations.103 The alleged wrongful act—the Pre-Acquisition Board’s approval of the Acquisition, allegedly without adequate cybersecurity due diligence—occurred before Marriott announced that approval on December 22, 2015.104 At the latest, the statute of limitations began to 99 Pl.’s Answering Br. 21 (emphasis removed). 100 See Defs.’ Reply Br. 8 n.3; Defs.’ Supp. Br. 5 (Dkt. 81). 101 See Kraft v. Wisdom-Tree Invs., Inc., 145 A.3d 969, 979-81, 983 (Del. Ch. 2016) (explaining that for equitable claims seeking legal relief, such as “a breach of fiduciary duty action seeking monetary damages,” the “analogous limitations period [will] operate as a strong presumption of laches”); see also 10 Del. C. § 8106. 102 Kraft, 145 A.3d at 989 (citing Wal-Mart Stores, Inc. v. AIG Life Ins. Co., 860 A.2d 312, 319 (Del. 2004)); see also Tilden v. Cunningham, 2018 WL 5307706, at *14 (Del. Ch. Oct. 26, 2018) (“[T]he law in Delaware is crystal clear that a claim accrues as soon as the wrongful act occurs.”). 103 See Kraft, 145 A.3d at 983. Defs.’ Ex. 29 at 97 (explaining that the Board approved the merger agreement on November 15, 2015 and recommended stockholder approval). 104 23 run on September 23, 2016 when the Acquisition closed.105 The plaintiff filed this action more than three years later on December 3, 2019. The plaintiff’s due diligence-based claim is therefore barred as untimely “absent tolling or other extraordinary circumstances.”106 The plaintiff contends that the defendants waived their untimeliness defenses and also advances two tolling arguments. None of the plaintiff’s arguments have merit. a. Waiver The plaintiff first contends that defendants waived their untimeliness argument because it was not raised in their opening brief.107 “Under the briefing rules, a party is obliged in its motion and opening brief to set forth all of the grounds, authorities and arguments supporting its motion.”108 No such waiver occurred. As I wrote to counsel when requesting supplemental briefing, it was not apparent from the Complaint that the plaintiff was Am. Compl. ¶ 104; see Mot. to Dismiss Hr’g Tr. at 51-52, 54 (“The Court: [W]hat are you alleging is the wrongful act that would have triggered the statute of limitations? Is it the acquisition or is it the board approval? [Counsel]: It is the acquisition, Your Honor. It is not the board approval.”). 105 106 Kraft, 145 A.3d at 982-83. 107 Pl.’s Supp. Br. 2 (Dkt. 82). 108 Franklin Balance Sheet Inv. Fund v. Crowley, 2006 WL 3095952, at *4 (Del. Ch. Oct. 19, 2006) (citing Ct. Ch. R. 7(b), 171); see Thor Merritt Square, LLC v. Bayview Malls LLC, 2010 WL 972776, at *5 (Del. Ch. Mar. 5, 2010) (“The failure to raise a legal issue in an opening brief generally constitutes a waiver of the ability to raise that issue in connection with a matter under submission to the court.”). 24 challenging the closing of the Acquisition as an affirmative act of the Board.109 The plaintiff’s answering brief squarely presented the argument that the Board’s “decision to complete the acquisition without conducting . . . due diligence into Starwood’s cybersecurity” was itself a breach of the duty of loyalty.110 The defendants raised the untimeliness of that “reformulated” claim in their reply brief,111 which appropriately “consisted of material necessary to respond to the answering brief.”112 b. Equitable Tolling and Fraudulent Concealment The plaintiff also argues that the claim is not time-barred because the statute of limitations was tolled pursuant to fraudulent concealment and equitable tolling.113 The doctrines of fraudulent concealment and equitable tolling “permit[] tolling of the limitations period where ‘the facts underlying the claim [are] so hidden that a reasonable plaintiff could not timely discover them.’”114 Fraudulent concealment may be demonstrated where a defendant conceals information through an affirmative 109 Dkt. 78 at 2-3. 110 Pl.’s Answering Br. 21-22; compare Am. Compl. ¶ 228. 111 Defs.’ Reply Br. 8 n.3. 112 Crowley, 2006 WL 3095952, at *4. 113 Pl.’s Supp. Br. 5. Weiss v. Swanson, 948 A.2d 433, 451 (Del. Ch. 2008) (quoting In re Dean Witter P’ship Litig., 1998 WL 442456, at *6 (Del. Ch. July 17, 1998)). 114 25 act of “actual artifice” that prevents a plaintiff from gaining knowledge of the facts or misdirects a plaintiff from the truth.115 Equitable tolling can toll the statute of limitations for self-dealing claims, even without actual concealment, where a plaintiff relies “on the competence and good faith of a fiduciary.”116 The plaintiff asserts that the defendants cannot “point to a single allegation in the Complaint” demonstrating that stockholders were on notice that the PreAcquisition Board did not conduct cybersecurity due diligence.117 But it is the plaintiff’s burden to plead specific facts demonstrating that the statute of limitations was tolled before this litigation was filed.118 Assuming the facts alleged in the Complaint as true, neither tolling doctrine is applicable. The plaintiff does not allege any affirmative acts of concealment that could support the application of fraudulent concealment. “Mere silence is insufficient . . . .”119 The only acts that the plaintiff cites are public statements by Sorenson and 115 Id. (quoting In re Tyson Foods, Inc., 919 A.2d 563, 585 (Del. Ch. 2007)); State v. Pettinaro Enters., 870 A.2d 513, 531 (Del. Ch. 2005) (“Fraudulent concealment may be found to exist where a defendant knowingly acted to prevent a plaintiff from learning facts or otherwise made misrepresentations intended to ‘put the plaintiff off the trail of inquiry.’” (quoting Halpern v. Barran, 313 A.2d 139, 143 (Del. Ch. 1973))). 116 Weiss, 948 A.2d at 451. 117 Pl.’s Supp. Br. 7. 118 Weiss, 948 A.2d at 451. 119 Krahmer v. Christie’s Inc., 911 A.2d 399, 407 (Del. Ch. 2006). 26 others touting Marriott’s “extensive” due diligence of Starwood.120 There is no reason to doubt the truth of those statements generally. The plaintiff points to no representation that Marriott was undertaking cybersecurity diligence in particular. Nor does the plaintiff allege specific facts that would suggest Marriott’s statements were meant to throw stockholders “off the trail of inquiry.”121 As to equitable tolling, there are no allegations in the Complaint that permit a reasonable inference of wrongful self-dealing. In fact, the plaintiff does not allege that any of the individual defendants benefitted from the conduct challenged in the Complaint. For claims that do not involve self-dealing, “equitable tolling operates in much the same way as the doctrine of fraudulent concealment,” and an affirmative act of concealment is required.122 Again, the plaintiff has not made that showing. Pl.’s Supp. Br. 5 (citing Am. Compl. ¶¶ 12, 104, 174, 179, 180-83). The court need not consider similar statements about the Company’s general due diligence in Marriott’s Form S-4, filed in connection with the Acquisition. See Pl.’s Supp. Br. 7 (asking that the court decline to take judicial notice of the Form S-4). 120 121 Pettinaro Enters., 870 A.2d at 531. 122 Litman v. Prudential-Bache Props., Inc., 1994 WL 30529, at *3 (Del. Ch. Jan. 14, 1994). In Litman, then-Vice Chancellor Chandler discussed then-Chancellor Allen’s decision in Kahn v. Seaboard Corp., 625 A.2d 269 (Del. Ch. 1993), where the court explained that affirmative acts of concealment may not be necessary to apply the doctrine of equitable tolling if “the parties to the litigation stand in a fiduciary relationship to each other and where the plaintiff alleges self-dealing.” Litman, 1994 WL 30529, at *3 (emphasis added). Litman held that “[i]n situations that do not involve self-dealing, equitable tolling . . . operate[s] to toll a limitations period when the defendant has engaged in certain acts that would prevent the plaintiff from discovering the alleged wrong.” Id. 27 c. Tolling During Inspection Demand Finally, the plaintiff argues the statute of limitations was tolled while the plaintiff pursued an inspection demand pursuant to 8 Del. C. § 220. Even if the analogous statute of limitations began to run on September 23, 2016 when the Acquisition closed, it was not tolled by the plaintiff’s January 4, 2019 books and records demand.123 The plaintiff relies on precedent where the court has tolled the statute of limitations during the pendency of Section 220 litigation.124 The plaintiff does not, however, cite any authority to support the notion that service of a books and records demand alone tolls the statute of limitations for a subsequent plenary lawsuit. In Technicorp, the court explained that “the institution of other litigation to ascertain the facts involved in the later suit will toll the statute of limitations while that litigation proceeds.”125 Likewise, in Sutherland, the court noted that the Section 220 lawsuit tolled the applicable three-year statute of limitations . . . during the 123 Am. Compl. ¶¶ 79, 218; see supra 23-24. No allegation that the Board undertook the “wrongful act” of closing the Acquisition is found in the Complaint. The Board’s recommendation that stockholders approve the Acquisition is the last affirmative act of the Board in the pre-Acquisition time period. See Technicorp Int’l II v. Johnston, 2000 WL 713750, at *9 (Del. Ch. May 31, 2000); Sutherland v. Sutherland, 2009 WL 857468, at *4-5 (Del. Ch. Mar. 23, 2009). 124 125 2000 WL 713750, at *9. 28 pendency of the plaintiff’s Section 220 action”126 Here, despite the running of the statute of limitations during its Section 220 investigation, the plaintiff did not file a Section 220 lawsuit. Further, “there is no hard and fast rule tolling the running of the statute of limitations during the pendency of books and records litigation.”127 Nor did the plaintiff obtain a tolling agreement with the defendants while its investigation continued.128 Tolling considerations are different for a Section 220 demand and a Section 220 lawsuit. The former has no formal schedule. A stockholder could serve a Section 220 demand that fails to satisfy even the basic statutory requirements of Section 220(b) and use the demand effectively as a placeholder. A Section 220 126 2009 WL 857468, at *5. 127 Sutherland, 2009 WL 1177047, at *1; see also Sutherland v. Sutherland, 2010 WL 1838968, at *5 n.19 (Del. Ch. May 3, 2010) (explaining that a court should consider whether the plaintiff “was, or should have been, aware of [the derivative] claims during the pendency of the § 220 Action”). In Gotham P’rs, L.P. v. Hallwood Realty P’rs, L.P., the court explained that a plaintiff could defeat a laches defense by showing “that it asserted its rights in a timely manner by making [a] demand [under Section 220] and filing th[at] action.” 714 A.2d 96, 104-05 (Del. Ch. 1998) (emphasis added). The court did not say that a timely demand alone would toll the statute of limitations until a subsequent plenary action was filed. Rather, the court was discussing how a stockholder can demonstrate that it asserted its rights or claim—both through a books and records demand and in pursuing litigation—in a manner that defeats a laches defense. Id. 128 As a result, there is no basis to apply the doctrine of equitable estoppel, as the plaintiff suggests. See Pl.’s Supp. Br. 10-11. The plaintiff asserts that the defendant “slow-rolled” the process of producing documents in response to its Section 220 demand, leading the plaintiff to rely on that conduct to its detriment. Id. But the plaintiff had the right to file Section 220 litigation, a plenary suit, or demand a tolling agreement. 29 lawsuit, by contrast, is a summary proceeding with “expedited discovery and a prompt hearing.”129 Unlike a demand, a Section 220 action presents “strong evidence that [a] plaintiff was aggressively asserting its claims.” 130 There may be an instance where a stockholder’s dogged pursuit of its statutory books and records rights provides a basis for tolling. But this lawsuit, where the stockholder took nearly 11 months between serving a demand and filing a plenary lawsuit, is not it. 2. The Plaintiff’s Challenges to Cybersecurity Oversight PostClosing Do Not Excuse Demand. The plaintiff next argues that a majority of the Demand Board faces a substantial likelihood of liability for their “conscious and bad faith decision not to remedy Starwood’s severely deficient information protection systems postAcquisition.”131 As often stated, oversight liability under Caremark is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”132 To prevail, the plaintiff must plead particularized facts showing that either (1) “the directors utterly failed to implement any reporting or information system or controls” or (2) “having implemented such a system or controls, 129 Cutlip v. CBA Int'l, Inc. I, 1995 WL 694422, at *1 (Del. Ch. Oct. 27, 1995). 130 Gotham P’rs, 714 A.2d at 105. 131 Pl.’s Answering Br. 34. 132 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996). 30 consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”133 Compliance risk oversight generally falls within the governance responsibilities of the board of directors.134 Key enterprise risks affecting a corporation’s “mission critical” components has been a focus of Delaware courts in assessing potential oversight liability, particularly where a board has allegedly failed to implement reporting systems or controls to monitor those risks.135 Cybersecurity, however, is an area of consequential risk that spans modern business sectors. In the past several years alone, cyberattacks have affected thousands of companies and government agencies. High-profile data breaches have exposed customer data at businesses from Yahoo! to Target and Home Depot.136 Targeted attacks have shut 133 Stone v. Ritter, 911 A.2d 362, 370 (Del. Ch. 2006). 134 See Okla. Firefighters Pension & Ret. Sys. v. Corbat, 2017 WL 6452240, at *18 (Del. Ch. Dec. 18, 2017) (“[E]valuation of risk is a core function of the exercise of business judgment.”); Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019) (describing the board’s duty to “put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risk”). 135 See, e.g., Marchand, 212 A.3d at 824 (finding that board-level monitoring on food safety was needed where “food safety . . . essential and mission critical” to an ice cream manufacturer); In re Boeing Co. Deriv. Litig., 2021 WL 4059934, at *26 (Del. Ch. Sept. 7, 2021) (finding airplane safety “mission critical” to an airplane manufacturer’s business); see also In re Clovis Oncology, Inc. Deriv. Litig., 2019 WL 4850188, at *14-15 (Del. Ch. Oct. 1, 2019) (denying motion to dismiss in the context of Caremark’s second prong where red flags about a “monoline” company’s single promising drug were ignored). Stockholder litigation followed. See, e.g., In re Home Depot, Inc. S’holder Deriv. Litig., 223 F. Supp. 3d 1317 (N.D. Ga. 2016); Davis v. Steinhafel, Lead Case No. 14-cv-203 (PAM/JJK) (D. Minn. July 7, 2016) (ORDER); Okla. Firefighters Pension & Ret. Sys. v. 136 31 down hospitals and taken offline major fuel pipelines.137 Regulators in the United States and abroad have become more active in issuing cybersecurity guidance and undertaking enforcement activities in response.138 The President of the United States has named cybersecurity a “top priority and essential to national and economic security.”139 Delaware courts have not broadened a board’s Caremark duties to include monitoring risk in the context of business decisions.140 Oversight violations are Brandt, C.A. No. 2017-0133-SG (Del. Ch. Feb. 23, 2017); In re Yahoo! Inc., S’holder Litig., No. 17-CV-307054 (Cal. Super. Ct. Mar. 2, 2018). 137 See Robert McMillan and Melanie Evans, Ransomware Attack Hits Universal Health Services, Wall St. J. (Sept. 30, 2020); Christopher Bing and Stephanie Kelly, Cyber Attack Shuts Down U.S. Fuel Pipeline ‘Jugular,’ Biden Briefed, Reuters (May 8, 2021). 138 See, e.g., Cal. Civ. Code §§ 1798.110, 1798.150 (West 2021) (imposing data collection obligations on companies doing business in California and providing consumers with a private right of action to address harms caused by data breaches); European Union General Data Protection Regulation, Council Regulation 2016/679 (mandating data security measures and breach notification); Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8,166 (Feb. 22, 2018) (Sec. & Exch. Comm’n) (“[T]he Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”); Jared Ho, Corporate Boards: Don’t Underestimate Your Role in Data Security Oversight, Fed. Trade Comm’n (Apr. 28, 2021). 139 Exec. Order No. 14,208, 86 Fed. Reg. at 26,633 (2021). See, e.g., Reiter v. Fairbank, 2016 WL 6081823, at *8 (Del. Ch. Oct. 18, 2016) (“This Court has been careful to distinguish between failing to fulfill one’s oversight obligations with respect to fraudulent or criminal conduct as opposed to monitoring the business risk of the enterprise.”); In re Goldman Sachs Grp., Inc. S’holder Litig., 2011 WL 4826104, at *21 (Del. Ch. Oct. 12, 2011) (stating that the Court of Chancery has “not definitively stated whether a board’s Caremark duties involve a duty to monitor business risk”); Corbat, 2017 140 32 typically found where companies—particularly those operating within a highlyregulated industry—violate the law or run afoul of regulatory mandates.141 But as the legal and regulatory frameworks governing cybersecurity advance and the risks become manifest, corporate governance must evolve to address them.142 The corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place. The growing risks posed by cybersecurity threats do not, however, lower the high threshold that a plaintiff must meet to plead a Caremark claim. For either prong of Caremark, “a showing of bad faith conduct . . . is essential to establish director WL 6452240, at *18 (stating that a “failure to monitor or properly limit business risk” is a “theory of director liability that this Court has never definitively accepted”); In re Facebook, Inc. Section 220 Litig., 2019 WL 2320842, at *14 (Del. Ch. May 30, 2019) (“The legal academy has observed that Delaware courts are more inclined to find Caremark oversight liability at the board level when the company operates in the midst of obligations imposed upon it by positive law yet fails to implement compliance systems, or fails to monitor existing compliance systems, such that a violation of law and resulting liability occurs.”). E.g., La. Mun. Police Empls.’ Ret. Sys. v. Pyott, 46 A.3d 313, 355 (Del. Ch. 2012) (finding it was reasonable to infer directors approved a business plan allowing for illegal off-label marketing); In re Massey Energy Co., 2011 WL 2176479, at *20-21 (Del. Ch. May 31, 2011) (“[A] fiduciary of a Delaware corporation cannot be loyal to a Delaware corporation by knowingly causing it to seek profit by violating the law.”). 141 142 See Leo E. Strine, Jr., Kirby M. Smith & Reilly S. Steel, Caremark and ESG: Perfect Together: A Practical Approach to Implementing an Integrated, Efficient and Effective Caremark and EESG Strategy, 106 Iowa L. Rev. 1885, 1893 (describing “the first principle of corporate law: corporations may only conduct lawful business by lawful means”). 33 oversight liability.”143 Only a “sustained or systemic failure of the board to exercise oversight . . . will establish the lack of good faith that is a necessary condition to liability.”144 The Complaint in this case falls well short of demonstrating that the Post-Acquisition Board members face a substantial likelihood of liability for a sustained, bad faith failure of oversight. Demand is therefore not futile on that basis. a. Cybersecurity Reporting Systems and Controls To the extent the plaintiff attempts to put forward a claim under Caremark’s first prong, I find that effort unpersuasive. Delaware law imposes on directors a duty to ensure that board-level monitoring and reporting systems are in place. But because doing so is a disinterested business judgment, “directors have great discretion to design context- and industry-specific approaches tailored to their companies’ businesses and resources.”145 For directors to face liability under Caremark’s first prong, a plaintiff must show that the director “made no good faith effort to ensure the company had in place any ‘system of controls.’”146 143 Stone, 911 A.2d at 370. 144 Caremark, 698 A.2d at 971. 145 Marchand, 212 A.3d at 821; Citigroup, 964 A.2d at 125 (explaining that although “directors of Delaware corporations have certain responsibilities to implement and monitor a system of oversight” that “obligation does not eviscerate the core protections of the business judgment rule”). 146 Marchand, 212 A.3d at 822. 34 Marriott’s Board consistently ranked cybersecurity as a primary risk facing the Company.147 The plaintiff does not, however, assert that the Post-Acquisition Board “utterly failed” to implement any reporting system or internal controls to address it.148 Instead, the Complaint and documents incorporated into it demonstrate that the directors surpassed Caremark’s baseline requirement that they “try” in good faith to put a “reasonable compliance and reporting system in place.”149 The Complaint, for example, describes how the Board and Audit Committee were “routinely apprised” on cybersecurity risks and mitigation, provided with annual reports on the Company’s Enterprise Risk Assessment that specifically evaluated cyber risks, and engaged outside consultants to improve and auditors to audit corporate cybersecurity practices.150 The Complaint also describes internal controls over the Company’s public disclosure practices.151 And when management received information that the plaintiff describes as “red flags” indicating 147 E.g., Am. Compl. ¶¶ 100, 118. 148 See Rojas v. Ellison, 2019 WL 3408812, at *9 (Del. Ch. July 29, 2019); Horman v. Abney, 2017 WL 242571, at *8 & n.46 (Del. Ch. Jan. 19, 2017) (noting that, in the Caremark context, “utterly failed” is a “linguistically extreme formulation” that means “absolute, total” (citations omitted)). 149 Marchand, 212 A.2d at 821. 150 See Am. Compl. ¶¶ 118-130; supra notes 6-10 (describing ongoing updates to directors on information protection and cybersecurity). 151 Am. Comp. ¶¶ 42-44. 35 vulnerabilities, the reports were delivered to the Board.152 To the extent that the plaintiff contends the Post-Acquisition Board faces liability under the first prong of Caremark, that argument is meritless.153 The Complaint itself shows that the Board has systems in place to assess cybersecurity risks. b. No Failure to Monitor or Oversee Operations The plaintiff’s primary argument is that the Post-Acquisition Board faces a substantial likelihood of liability under the second prong of Caremark for consciously disregarding “red flags” indicating that Marriott was violating positive law.154 For purposes of Caremark, a plaintiff must plead that the board knew about “red flags” alerting them to corporate misconduct and “consciously failed to act after learning about evidence of illegality.”155 The plaintiff has not, however, pleaded Compare Marchand, 212 A.2d at 809 (“Consistent with this dearth of any board-level effort at monitoring, the complaint pleads particularized facts supporting an inference that during a crucial period when yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board.”). 152 153 See Home Depot, 223 F. Supp. 3d at 1326 (applying Delaware law and finding, in the context of a data security incident, that allegations of “numerous instances where the Audit Committee received regular reports from management on the state of [the company’s] data security, and the Board in turn received briefings from both management and the Audit Committee” led to the conclusion that “the Board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting existed”); see also Corporate Risk Hlds. LLC v. Rowlands, 2018 WL 9517195, at *4 (S.D.N.Y. Sept. 28, 2018) (finding swift efforts “to address [security] breach with contingency plans to ascertain and mitigate the harm” foreclosed claim under the “first category of Caremark liability”). 154 Pl.’s Answering. Br. 34-35. Pyott, 46 A.3d at 341; see also Melbourne Mun. Firefighters’ Pension Tr. v. Jacobs, 2016 WL 4076369, at *12 (Del. Ch. Aug. 1, 2016) (distinguishing Pyott and Massey 155 36 with particularity that the Post-Acquisition Board learned of legal or regulatory violations. And even if it had, the Board did not consciously choose to remain idle. i. No known violations of law The plaintiff argues that the Post-Acquisition Board knew that Starwood’s systems violated the law because it learned in February 2017 that Starwood’s “[b]rand standards did not mandate PCI compliance, tokenization, or point-to-point encryption.”156 But the PCI DSS standards are required by financial institutions with which companies contract, not mandated by law.157 Nor is tokenization, which can reduce the amount of cardholder data in a digital environment and streamline PCI DSS compliance efforts.158 Pleading non-compliance with non-binding industry because “the Board, at all times, was under the impression that its conduct did not violate applicable . . . laws”); South v. Baker, 62 A.3d 1, 14-15 (Del. 2012) (explaining that a plaintiff who cannot plead actual director involvement in “decisions that violated positive law” can “plead that the board consciously failed to act after learning about evidence of illegality—the proverbial ‘red flag’”); see generally Elizabeth Pollman, Corporate Disobedience, 68 Duke L.J. 709, 723 (2019). 156 Am. Compl. ¶ 124. 157 Those standards, set by the PCI Security Standards Council, founded by American Express, Discover, JCB International, Mastercard and Visa, are intended to reduce credit card fraud. See PSI Security Standards Council, PCI Security https://www.pcisecuritystandards.org/pci_security/. 158 See PCI Security Standards Council, Tokenization Product Security Guidelines (Apr. 2015) https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_ Guidelines.pdf. 37 standards, like the PCI DSS, is not the same as pleading that directors knowingly permitted a company to violate positive law.159 The plaintiff also argues that the failure to improve Starwood’s deficient systems risked the violation of various laws, including the FTC Act, state privacy acts and unfair competition laws, and “international regulatory standards.”160 Simply listing statues “in vague, broad terms” without alleging what law was violated and how is insufficient to state a Caremark claim.161 The only law the parties specifically address in their briefs is the FTC Act. The plaintiff asserts that the Board’s knowledge of PCI DSS non-compliance is enough to support a reasonable inference that its members knew Starwood’s cybersecurity practices fell short of the FTC’s heightened requirements.162 The defendants respond that the FTC only “recommends” data security practices and requires companies to maintain Wilkin v. Narachi, 2018 WL 1100372, at *12 (Del. Ch. Feb. 28, 2018) (“Pleading violations of nonbinding recommendations does not constitute pleading a violation of positive law such that the board faces a substantial likelihood of liability and cannot consider demand.”). 159 160 Am. Compl. ¶¶ 58-63. 161 See Narachi, 2018 WL 1100372, at *12 (finding demand not excused where the plaintiff listed various statutes and regulations but did not specify what law was violated because “[m]erely discussing these statutes in vague, broad terms does not support a finding that Director Defendants’ decisions somehow violated these statutes”); Desimone v. Barrow, 924 A.2d 908, 928 (Del. Ch. 2007) (“I do not accept cursory contentions of wrongdoing as a substitute for the pleading of particularized facts. Mere notice pleading is insufficient to meet the plaintiff's burden to show demand excusal in a derivative case.”). 162 Pl.’s Answering Br. 41 n.18. 38 “reasonable” cybersecurity practices.163 Whether the FTC expects PCI DSS standards or tokenization, however, does not change the fact that there are no allegations in the Complaint that the Post-Acquisition Board knew about the FTC’s requirements or that Marriott was violating them. A Caremark claim requires that a plaintiff demonstrate scienter.164 The plaintiff here has not. In short, there is no known illegal conduct, lawbreaking, or violations of a regulatory mandate alleged in the Complaint that could support a finding that the Post-Acquisition Board faces a substantial likelihood of liability for failed oversight. That reality distinguishes this case from those relied upon by the plaintiff. In Massey, the plaintiffs pleaded “a myriad of particularized facts” demonstrating the board’s knowledge of serious violations of mining safety laws and that the directors knowingly “caus[ed] [the company] to seek profit” through unlawful acts.165 In 163 Am. Compl. ¶¶ 57-59; Statement of the FTC, FTC v. LifeLock (Dec. 17, 2015) (explaining that “the reasonableness of security will depend on the facts and circumstances of each case”). 164 E.g., Hays v. Almeida, 2019 WL 3389172, at *3 (Del. Ch. July 26, 2019) (ORDER) (rejecting the argument that directors faced oversight liability where “the complaint [did] not allege that the directors knew that Walgreens was violating the law or even engaging in the conduct that risked violating the law”); Teamsters Local 443 Health Servs. & Ins. Plan v. Chou, 2020 WL 5028065, at *16 (Del. Ch. Aug. 24, 2020) (“Because a Caremark claim must plead bad faith, ‘a plaintiff must allege facts that allow a reasonable inference that the directors acted with scienter which, in turn, requires not only proof that a director acted inconsistently with his fiduciary duties, but also most importantly, that the director knew he was so acting.’” (quoting Corbat, 2017 WL 6452240, at *14)). 165 Massey, 2011 WL 2176479, at *20. 39 Westmoreland, the United States Court of Appeals for the Seventh Circuit found that the plaintiffs pleaded particularized facts that the board “took no action to ensure the company’s timely compliance with the law,” despite the repeated warnings from the FDA—which were passed along to the board—that the company was in violation of FDA regulations.166 And in Abbott Labs, the Seventh Circuit likewise found that a board’s failure to rectify known, ongoing, and pervasive violations of FDA regulations could constitute bad faith and excuse demand.167 The plaintiff in this action has not pleaded particularized facts that the Post-Acquisition Board knowingly permitted Marriott to violate the law.168 166 Westmoreland Cty. Emp. Ret. Sys. v. Parkinson, 727 F.3d 719, 726-29 (7th Cir. 2013). 167 In re Abbott Lab’ys Deriv. S’holders Litig., 325 F.3d 795, 808-09 (7th Cir. 2003). In October 2020, the United Kingdom Information Commissioner’s Office fined Marriott £18.4 million ($24.0 million) in connection with the cyberattack for violating the General Data Protection Regulation (GDPR). See ICO Fines Marriott 18.4 Million Pounds for Failing to Secure Customer Data, Reuters (Oct. 30, 2020); see Am. Compl. ¶¶ 164-65. The GDPR was adopted on April 14, 2016 and became enforceable on March 25, 2018. See GDPR, supra note 137. The GDPR requires, among other things, that customers handling European Union citizens’ data implement reasonable data protection measures to protect consumers’ personal data and privacy from loss or exposure. See GDPR Art. 5; Am. Compl. ¶ 62. The plaintiff alleges that “the defendants failed to comply with various provisions of the GDPR which required Marriott to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Am. Compl. ¶ 163. But the Complaint lacks any particularized facts suggesting that the PostAcquisition Board intentionally violated the GDPR or knowingly permitted GDPR violations to continue unabated. There are no allegations suggesting that Marriott’s directors “viewed themselves or [Marriott] as above the law.” Corbat, 2017 WL 6452240, at *24 (explaining that alleged “failed” efforts “to comply with the wide range of laws and regulations that govern large financial institutions” are “not enough to support a plausible inference of bad faith” and that [b]ad results alone do not imply bad faith.”); In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 67 (Del. 2006) (noting that “a failure to act in good 168 40 ii. No conscious disregard of “red flags” The plaintiff also contends that the Post-Acquisition Board faces a substantial risk of liability for ignoring several “red flags” about Starwood’s inadequate data protection systems post-closing. Those “red flags” are not of illegality, as previously discussed.169 The plaintiff does not allege that the directors were told, for example, that Starwood’s standards ran afoul of regulatory or legal requirements. The socalled “red flags” were updates to the Board about aspects of Starwood’s cybersecurity measures that needed improvement.170 The purported “red flags” the plaintiff focuses on are as follows. First, five members of the Demand Board learned at a February 8, 2017 Audit Committee meeting that Internal Audit rated Marriott as “Needs Improvement” for cybersecurity and that its “incident response plan [wa]s not up to date.”171 Second, the Board was told by Hoffmeister on February 10, 2017 that Starwood’s data faith may be shown . . . where the fiduciary acts with the intent to violate applicable positive law” or “where the fiduciary intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for his duties” (citation omitted)). Although not briefed by the parties in any event, the ICO fine is not a basis to find that the PostAcquisition Board faces a substantial likelihood of liability for a bad faith oversight violation. 169 See supra Section II.B.2.b.i. 170 See Citigroup, 964 A.2d at 124-26; see infra note 184. 171 Am. Compl. ¶¶ 118-19. 41 security standards did not mandate PCI compliance or tokenization.172 And third, PwC told the Board that Starwood’s “[d]ecentralized technology management model” created a “greater opportunity for deviation from the expected published standard.”173 These “red flags” were effectively ignored, the plaintiff asserts, because the Board waited a year before taking up Starwood’s information protection systems again.174 Even if the gaps in Starwood’s data security evidenced the sort of compliance failure that could support a viable claim under the second prong of Caremark, the Complaint lacks particularized allegations that the Board consciously overlooked or failed to address them.175 As the defendants point out, no “red flags” were deliberately disregarded.176 Rather, management told the Board that it was addressing or would address the issues presented.177 At the same February 10, 2017 meeting where the Board learned about Starwood’s PCI non-compliance, Hoffmeister reported there “would be efforts made 172 Id. ¶ 124. 173 Id. 174 Id. ¶ 130; Defs.’ Ex. 15 at 1386. See Desimone, 924 A.2d at 940 (“Delaware courts routinely reject the conclusory allegation that because illegal behavior occurred, internal controls must have been deficient, and the board must have known so.”). 175 176 Defs.’ Opening Br. 39-40. 177 Defs.’ Reply Br. 15. 42 immediately to remedy” Starwood’s lack of tokenization.178 In addition, the presentation given to the Board confirmed that the Company had a plan in place to “consolidate Marriott + Starwood [s]ecurity.”179 The Board was also told about several recommendations that PwC had made to appropriately update Starwood’s brand standards and detailed “Intended Actions” to address those recommendations.180 These facts are not reflective of a board that has decided to turn a blind eye to potential corporate wrongdoing.181 Perhaps the entirety of Starwood’s deficiencies were not addressed “immediately,” as Hoffmeister told the Board they could be. And, with hindsight knowledge of the extent of the data breach, the implementation plan was probably too slow. It wasn’t until the following year on February 9, 2018 that the Board was 178 Am. Compl. ¶ 126. 179 Id. ¶¶ 122, 124; Defs.’ Ex. 14 at 1284-85. 180 Am. Compl. ¶ 125. 181 See Corbat, 2017 WL 6452240 at *17 (finding no substantial likelihood of liability for bad faith failed oversight where the board was presented with an action plan by management and outside advisors); id. at *22 (finding no particularized allegations of board inaction where the company “dealt with [a] red flag in a manner that cannot be said to reflect bad faith”); Reiter, 2016 WL 6081823, at *13 (declining to draw inference that directors knew they were breaching fiduciary duties by allowing corporate violations of law where “the same reports that described the Company's heightened compliance risk simultaneously explained to the directors in considerable detail on a regular basis the initiatives management was taking to address those problems and to ameliorate . . . compliance risk”). 43 next updated about those migration efforts.182 But, the plaintiff does not allege that the full Board had any reason to suspect that management was not promptly acting on PwC’s recommendations.183 As the documents incorporated into the Complaint confirm, management had “enhance[ed] monitoring,” “[e]xpand[ed] enterprise security logging and event management,” and “[e]xpand[ed] the use of third party monitoring” among other numerous actions between February 2017 and 2018.184 An attempted yet failed remediation effort generally cannot implicate bad faith.185 Finally, the plaintiff asserts that the Post-Acquisition Board is exposed to Caremark liability for its failure to immediately discontinue use of the Starwood guest reservation system after learning, in September 2018, that it was infected with Id. at 1366, 1386 (Oberg’s Enterprise Risk Assessment presentation, detailing a detailed “Cybersecurity Risk Scorecard” that described current risk mitigation efforts and tracked performance, including the anticipated “[m]igration of Starwood systems to the Marriott established technology standards” for end user devices by September 2019). 182 See Horman, 2017 WL 242571, at *13 (“Delaware courts have consistently rejected . . . the inference that directors must have known about a problem because someone was supposed to tell them about it.” (quoting Cottrell v. Duke, 829 F.3d 983, 995 (8th Cir. 2016) (alteration in original))). 183 184 Defs.’ Ex. 30 at 1372. 185 See Richardson v. Clark, 2020 WL 7861335, at *11 (Del. Ch. Dec. 31, 2020); see also Jacobs, 2016 WL 4076369, at *9 (“Simply alleging that a board incorrectly exercised its business judgment and made a ‘wrong’ decision in response to red flags . . . is not enough to plead bad faith.”); Home Depot, 223 F. Supp. 3d at 1326-27 (finding no substantial likelihood of liability for Caremark violation based on allegation that implementation to remedy deficiency in company’s data security was not completed fast enough where allegations did not demonstrate bad faith). 44 malware that could allow attackers to access customer data.186 The plaintiff does not allege that the Board learned on September 17, 2018 that an immediate shutdown of the system was necessary to protect consumer data but chose to continue its use nonetheless. According to the Complaint, Marriott did not learn about the extent of the breach and that customer data had been accessed until November 2018.187 The Complaint and documents incorporated into it demonstrate that the Board continued to receive detailed updates on the “incredible amount of work” management and forensic specialists performed throughout November 2018 to investigate and address the problem.188 There are no facts pleaded to suggest that the directors’ ignorance on the extent of the breach in September 2018 is the result of a breach of fiduciary duty.189 The plaintiff has therefore failed to demonstrate that a majority of the Demand Board faces a substantial likelihood of liability for consciously disregarding “red flags.” 186 Pl.’s Answering Br. 13-14, 37. 187 Am. Compl. ¶¶ 139-41. 188 Defs.’ Ex. 21 at 1946-47; Defs.’ Exs. 25-27. 189 See Horman, 2017 WL 242571, at *15 (explaining that the size of the ultimate harm is “not a sufficient basis on which to rest liability” absent facts showing a “board’s ignorance can only be explained by a breach of fiduciary duty” (quoting David B. Shaev Profit Sharing Acct. v. Armstrong, 2006 WL 391931, at *6 (Del. Ch. Feb. 13, 2006)). 45 iii. Notification Requirements Regarding the Breach The plaintiff’s final theory of liability for the Demand Board is another variation of alleged failure to comply with positive law—this time, based on the timing of Marriott’s disclosure of the data breach. The plaintiff contends that Marriott was “required by various state laws to expeditiously disclose the data breach” and that the Board “knew they were required by their fiduciary duties to cause Marriott to disclose this information” in compliance with those laws.190 By not alerting the public about the incident until November 30, 2018—despite the Board first learning of malware on September 18, 2018—the plaintiff alleges that notification laws were violated. The plaintiff’s argument suffers from many of the same flaws as those regarding PCI DSS and tokenization. To start, the plaintiff does not allege that the directors were informed about the applicable notification laws. Directors cannot be liable under the second prong of Caremark for legal violations that they did not know about.191 Of the notification laws of 31 states and territories that the plaintiff asserts were violated by Marriott’s “83-day delay” in notifying individuals affected by the 190 Pl.’s Answering Br. 55. 191 See Horman, 2017 WL 242571, at *11 (explaining that directors are liable if they “become aware of the red flags and do nothing in response”). 46 breach,192 only three statutes—of Delaware, Maryland, and Michigan—are addressed in the parties’ briefs. Those laws each concern notification requirements in the event of the disclosure of personal data.193 Maryland’s Personal Information Privacy Act requires a business that has discovered or has been notified of a security breach to conduct a prompt investigation to determine if “Personal Information” has or will be misused.194 If it has, the business is required to notify the affected individuals “as soon as reasonably practicable.”195 Michigan’s notification law likewise defines a “security breach” as the “unauthorized access and acquisition of data that compromises the security or confidentiality of personal information.”196 192 Am. Compl. ¶ 172. 193 At argument, the plaintiff explained that it focused on Maryland and Michigan because those states’ notification laws were selected as bellwether claims in the Federal Action and on Delaware given the action in this court. See Reargument Hr’g Tr.; Pl.’s Answering Br. 56 n.26; Defs.’ Opening Br. 49-50; Defs.’ Reply Br. 21 n.8. Md. Code Ann., Com. Law § 14-3504(b)(1) (West 2021). “Personal Information” is defined to include: 194 An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: . . . a passport number . . . [a]n account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account. Id. § 14-3501(e)(1)(i). 195 Id. §§ 14-3504(b)(2), 14-3504(c)(2). Mich. Comp. Laws Ann. § 445.63(b) (West 2021). “Personal information” is defined to include: 196 47 Delaware’s Consumer Security Breach Act also requires notification “without unreasonable delay” when a resident’s “personal information was breached or is reasonably believed to have been breached.”197 The plaintiff points to the fact that consumer class action claims based on the Maryland and Michigan notification statutes survived a motion to dismiss in the Federal Action as a basis for finding liability here.198 Those claims were not, however, brought against the members of the Demand Board and cannot implicate their liability. 199 Under the heightened pleading standards of Rule 23.1, the lack of particularized allegations indicating that the directors consciously disregarded or intentionally violated positive law is dispositive. [T]he first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state: (i) Social security number[;] (ii) Driver license number or state personal identification card number[;] (iii) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts. Id. § 445.63(r). 197 6 Del. C. § 12B-102(a). 198 Marriott, 440 F. Supp. 3d at 487, 490. 199 See generally id. Cf. Pfeiffer v. Toll, 989 A.2d 683, 690 (Del. Ch. 2010), abrogated on other grounds by Kahn v. Kohlberg Kravis Roberts & Co. L.P., 23 A.3d 831 (Del. 2011) (finding demand futile based, in part, on federal court decision holding that the same individual defendants acted with scienter regarding “the same trades at issue” in the Delaware action). 48 Regardless, there are no allegations that the Board knew personal data was accessed such that the notification obligations had been triggered prior to November 2018.200 The plaintiff suggests that it “strains credulity” to conclude the Board did not know personal information was accessed given the severity of the breach.201 But as the defendants point out, discovering malware is not the same as discovering that personal information has been accessed.202 The Complaint plainly states that Marriott first discovered that “customers’ personal information” was potentially accessed on November 19, 2018.203 Marriott’s notification of interested parties 10 days later and public announcement of its investigatory findings on the eleventh day are not obvious violations of notification laws that suggest bad faith on the part of the Board.204 200 See supra note 164 (discussing the scienter requirement for an oversight claim). 201 Pl.’s Answering Br. 57. 202 Am. Compl. ¶¶ 140, 217; Defs.’ Reply Br. 20. 203 Am. Compl. ¶ 140. 204 Id. ¶¶ 142-43. The plaintiff originally argued that the members of the Audit Committee face a substantial likelihood of liability for issuing a Form 10-Q on November 6, 2018 that “remained silent as to the Breach.” Id. ¶¶ 139, 248; Pl.’s Answering Br. 56. After the District Court in the Federal Action dismissed securities law claims for allegedly false and misleading disclosures with prejudice, the plaintiff here determined not to press its disclosure claims. See Mot. to Dismiss Hr’g Tr. 59. Had they not, the claim likely would have failed because the plaintiff does not ascribe any bad faith actions or motives to the Audit Committee members who approved the Form 10-Q. The claim would, at most, implicate the directors’ “‘erroneous judgment’ concerning the proper scope and content of the disclosure.” Orman v. Cullman, 794 A.2d 5, 41 (Del. Ch. 2002) (quoting Crescent/Mach I P’rs, L.P. v. Turner, 846 A.2d 963, 987 (Del. Ch. 2000)); see also 49 * * * The data breach that is at the center of this case was momentous in scale and put the data of hundreds of millions of people at risk. Critically, however, the corporate trauma that came to fruition was at the hands of a hacker. Marriott was the victim of an illegal act rather than the perpetrator. One could argue that the Complaint depicts a preventable scenario because the directors did not respond to internal reports about inadequate data security risks as swiftly as they might have. But the difference between a flawed effort and a deliberate failure to act is one of extent and intent. A Caremark violation requires a plaintiff to demonstrate the latter. Here, the Complaint lacks particularized allegations demonstrating that the Post-Acquisition Board knew that the vulnerabilities in Starwood’s data system ran afoul of the law, that it nonetheless chose not to address them, or that it scorned legal notification requirements. Having failed to show that those directors consciously disregarded positive law or acted in bad faith, the plaintiff has not impugned the ability of any member of the Demand Board to impartially consider a demand based on a substantial likelihood of liability for failed oversight. Morrison v. Berry, 2019 WL 7369431, at *18 (Del. Ch. Dec. 31, 2019) (“Bad faith, in the context of omissions, requires that the omission be intentional and constitute more than an error of judgment or gross negligence.”). 50 III. CONCLUSION The plaintiff failed to allege particularized facts that could support a finding that any member of the Demand Board faced a substantial likelihood of liability on a non-exculpated claim. Any claim based on pre-Acquisition due diligence is time barred. The remaining claims are unsupported by particularized allegations demonstrating that the Post-Acquisition Board acted in bad faith with regard to cybersecurity oversight, compliance, or notification of the data breach. As a result, a demand made on the Demand Board would not have been futile with respect to the plaintiff’s breach of fiduciary duty claim. The defendants’ Motion to Dismiss is granted and the Complaint is dismissed pursuant to Court of Chancery Rule 23.1. 51
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
