To date, Caremark cases against directors for corporate trauma arising from woefully deficient cybersecurity have failed, even when cybersecurity was a mission-critical risk for the company, because, as explained in SolarWinds, Caremark requires a legal violation, and inadequate cybersecurity generally does not violate positive law. This Article shows that Caremark claims to recover for corporate trauma from cyber-events can succeed in an important class of cases: when (1) the company made unlawful, materially misleading statements to private- and public-sector customers about the quality of its cybersecurity; (2) lying to customers about cybersecurity constituted a mission-critical legal risk because, given the nature of the company's product, customers' willingness to deal with the firm depends on their confidence that the company has good cybersecurity, confidence that would be shattered by the confluence of a breach and the disclosure that the company misled its customers; (3) directors knowingly did not satisfy their Marchand/Caremark duties relating to cybersecurity disclosure; and (4) the company suffered corporate losses (including from government enforcement actions, over the lies to customers, that reached shareholders) proximately caused by the company's misleading statements to customers. This Article elucidates the potential scope of Caremark liability for materially misleading cybersecurity disclosure and shows that, had the derivative plaintiffs in SolarWinds sought recovery for the corporate trauma caused by SolarWinds' misleading disclosure, they likely would have prevailed. The framing identified in this Article should also apply to corporate traumas arising from safety violations by companies that lied about product safety.
Wednesday, July 2, 2025