Stockholders’ derivative claims against directors of a software company for failure to oversee cybersecurity were not viable



United States

In Construction Industry Laborers Pension Fund, et al. v. Mike Bingle, et al., 2021-0940-SG (Del. Ch. September 6, 2022), the defendant company provided information technology infrastructure management software. A cyberattack on the company affected up to 18,000 clients and the company’s stock suffered significant losses. The stockholders alleged that the defendant corporate directors failed to adequately oversee cybersecurity and sought damages. The defendants sought dismissal under Delaware Court of Chancery rule 23.1.

The rule 23.1 demand requirement

Rule 23.1 requires stockholders seeking exploitation of a corporate litigation asset to make a demand for the directors to act. This requirement will be excused only where the plaintiff pleads with specificity facts from which a court may infer that a demand would be futile. Otherwise, the derivative action will be dismissed.

Caremark claims

The plaintiffs argued that demand was futile because at least half of the members of the Board were substantially likely to be liable under the Caremark theory of liability. The Delaware Court of Chancery explained that derivative claims against corporate directors for failure to oversee operations are known as Caremark claims. Plaintiffs in Caremark cases must plead with particularity a sufficient connection between the corporate trauma and the actions or inactions of the board.

The plaintiffs argued that oversight liability could be established even in the absence of a violation of positive law. A meritorious Caremark claim demonstrates a breach of the duty of loyalty by way of the director’s failure to act in good faith. In such cases, director gross negligence is insufficient to establish director liability; instead, liability may only attach where a director acts in bad faith. 

Bad faith 

In this context, bad faith is established where the fiduciary intentionally acts with a purpose other than that of advancing the best interests of the corporation; where the fiduciary acts with the intent to violate applicable positive law; or, where the fiduciary intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for their duties. Thus, to act in bad faith, the directors must have acted with scienter. 

Plaintiffs failed to plead scienter with particularity

The plaintiffs alleged that the directors intentionally failed to act in the face of a known duty to act, either by ignoring red flags in a manner from which scienter could be implied or by failing to put into place a mechanism for monitoring and reporting risk.

However, the Court found that the directors delegated oversight of risk to two functioning committees and that the failure of those committees to make a Board presentation on a particular risk in a particular year did not give rise to an inference that the Board intentionally disregarded its oversight duties in bad faith. Furthermore, a subpar reporting system is not equivalent to a failure to assure that a reporting system existed. 

Thus, the Court found that the Complaint did not plead sufficient particularized facts to support a reasonable inference of scienter. 


The Court found that because the Caremark claim was not viable, there was no substantial likelihood of liability attaching to a majority of the directors on the demand Board. Therefore, demand would not have been futile. Accordingly, the Court granted the defendants’ motion to dismiss under rule 23.1.

October 24, 2022
Construction Industry Laborers Pension Fund, et al. v. Mike Bingle, et al., 2021-0940-SG (Del. Ch. September 6, 2022)
Author: Grace Baehren
Delaware Courts