The current pandemic and attendant disruption in securities markets are creating unprecedented challenges for directors of both public and private companies. In the coming months, directors can expect to see a rash of shareholder derivative and class action lawsuits based on their actual and perceived missteps in handling the complex business issues that have arisen in the wake of these disruptions. Not only will investors seek to hold company directors personally responsible for falling share prices, but others, such as victims of cybersecurity and privacy failures and employees who become ill through contacts at their workplaces, can be expected to place blame on company management.

Claims against directors are likely to allege breaches of fiduciary duty falling into a few broad categories – false or insufficient disclosure, negligent or inadequate management or planning, and failure to supervise. Such claims may include:

• Failure to disclose known risks or inaccurate representations of the company’s ability to deal with those risks;
• Failure to adequately plan for business disruption contingencies (such as a pandemic) and/or failure to supervise the company’s risk management; and
• Failure to adopt reasonable cybersecurity policies or implement and oversee such policies.

We have already seen federal securities class actions filed against several companies, including against a cruise line for “employing sales tactics” that included “providing customers with unproven and/or blatantly false statements about COVID-19” as well as materially false and misleading or unsupported statements about the state of the company’s business and its purported “proactive” implementation of “several preventive measures to reduce potential exposure and transmission of COVID-19.” Douglas v. Norwegian Cruise Lines Holdings Ltd., et al., Case No. 1:20-cv-21107 (S.D. Fla. March 12, 2020). These cases are, of course, cause for concern, but generally do not raise issues of personal liability for companies’ directors.

On April 20, 2020, however, following the filing of a class action against Inovio Pharmaceuticals, Inc. for market manipulation, a separate shareholder derivative lawsuit was filed against the company’s directors, tracking the allegations in the class action suit and charging that the defendants breached their fiduciary duties by making or causing the company to make false or misleading claims that the company could develop a COVID-19 vaccine “within three hours,” and that clinical trials would supposedly start in April 2020. These statements allegedly led to a sharp uptick in the company’s share price, followed by a precipitous drop in its market value when a third party revealed the statements to be false. Beheshti v. Kim, et al., Case No. 2:20-cv-01962 (E.D. Pa, April 20, 2020). The claims against the directors also include unjust enrichment, abuse of control, gross mismanagement, and waste of corporate assets (for subjecting the company to the class action suit). More such suits can certainly be expected.

On March 25, 2020, the Securities and Exchange Commission (SEC) issued guidance addressed directly to reporting companies’ disclosures related to the COVID-19 situation. While careful to state that the guidance was not mandatory, the SEC noted that disclosures should address companies’ “assessment of, and plans for addressing, material risks to their business and operations resulting from the coronavirus to the fullest extent practical to keep investors and markets informed of material developments.” This guidance leaves it up to the company’s directors and officers to judge whether particular developments would be considered “material” to investors. For instance, some executives have chosen to reveal their COVID-19 diagnoses notwithstanding their right to keep personal medical information private. Others, like Morgan Stanley CEO James Gorman, only revealed their diagnoses after the fact, on the theory that the executive was never gravely ill or continued to work from home, making the illness not a material event. Companies also grapple with the need to tell the public about sick workers, balancing the materiality of these facts against employees’ privacy rights. Certainly if the illness is so widespread as to force a plant shutdown, for instance, materiality is obvious, but what if only a few workers are sick? Do other employees and the public have a right to know?

In addition, it is beginning to look as if a Caremark duty of oversight claim may no longer be the “most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” as it had previously been considered. Recently, the Delaware courts have denied preliminary motions to dismiss directors for breach of their duty of oversight in three cases, allowing the cases to proceed to discovery. In the latest, Hughes v. Hu, C.A. No. 2019-0112-JTL (Del. Ch., April 27, 2020), the plaintiff contended that, in the face of historically bad decisions by management, “the director defendants consciously failed to establish a board-level system of oversight for the Company’s financial statements and related-party transactions, choosing instead to rely blindly on management while devoting patently inadequate time to the necessary tasks.” This decision, like the two before it (Marchand v. Barnhill, C.A. No. 2017-0586-JRS (Del. S. Ct., April 24, 2019), and In re: Clovis Oncology, Inc. Derivative Lit., C.A. No. 2017-0222-JRS (Del. Ch., Oct. 1, 2019)), demonstrate that directors are particularly vulnerable when they have advance notice of a problem and fail to take action to correct it.

In the COVID-19 world, cybersecurity breaches may fall into this category. Today, no director can credibly claim not to have notice of the risks posed by cyber criminals that can result in loss of intellectual property and other critical company information, loss of customers’ or employees’ personal data, or costly ransom demands. The situation has been complicated by the need for many companies to allow their employees to work from home on devices that may not be adequately secured. Nevertheless, directors whose companies and shareholders are injured because they failed to properly anticipate, plan for, and insure against such events may be fair game for a claimed breach of fiduciary duty of oversight.

What can directors do to mitigate these risks?

• Now, more than ever, directors must stay informed about their business risks and be diligent in addressing those risks.
• Directors should realize that they are responsible for company disclosures – the buck stops at the board. Any false, misleading, or incomplete disclosures will be laid at their doorstep.
• Enterprise risk management is nothing new, but it is a more critical skill for directors than ever before. Directors who do not follow through by instituting, implementing, and overseeing appropriate compliance programs will be at risk.
• Directors should revisit (or institute) reasonable cybersecurity policies that include recognized cyber best practices and employee training to avoid phishing and other business email scams that can result in the inadvertent disclosure or loss of company trade secrets or private information of customers and employees, and assure that such policies are enforced and monitored.
• It is critical to check director and officer liability and cybersecurity insurance policies to avoid surprises in the case of losses connected to COVID-19. Many policies contain exclusions limiting coverage in the case of force majeure or even specifically pandemic situations.