Delaware Court of Chancery Dismisses Marriott Data Breach Derivative Suit
On October 5, 2021, the Delaware Court of Chancery in Firemen’s Ret. Sys. of St. Louis v. Sorenson dismissed derivative breach of fiduciary duty claims against Marriott’s executives and directors, finding that the statute of limitations on some of the claims had lapsed, and that the plaintiff had failed to adequately plead demand futility because none of the director defendants faced a substantial likelihood of liability for a non-exculpated breach of fiduciary duty claim.
This case arose out of the 2018 data breach of Marriot’s Starwood system. After obtaining documents from Marriott pursuant to a § 220 books and records demand, the plaintiff filed a derivative complaint alleging that the company’s directors and several of its officers breached their fiduciary duties by failing to conduct adequate due diligence, failing to implement adequate controls, and concealing the data breach between September and November 2018. Prior to filing suit, the plaintiff did not make a litigation demand on Marriott’s Board of Directors, and instead argued that a demand was excused on the primary basis that most of Marriott’s directors faced a substantial likelihood of personal liability.
Rejecting plaintiff’s arguments, Vice Chancellor Lori W. Will dismissed the claims, concluding that none of the Marriott director defendants faced a substantial likelihood of personal liability under any of plaintiff’s theories. First, the court found that any claims based on the directors’ failure to conduct adequate diligence prior to its 2016 acquisition of Starwood were time barred by a three-year statute of limitations. Next, the court rejected the plaintiff’s arguments that the directors faced liability under Caremark for failing to implement and oversee adequate internal controls to address Starwood’s allegedly “severely deficient information protection systems.”
On the contrary, the court found that the Board 1) was “‘routinely apprised’ of cybersecurity risks and mitigation, provided with annual reports on the company’s Enterprise Risk Assessment that specifically evaluated cyber risks, and engaged outside consultants to improve and auditors to audit corporate cybersecurity practices”; 2) was never given notice that Marriott was in violation of any laws or regulations regarding data security; and 3) addressed concerns regarding Starwood’s data security standards when they learned of them.
Finally, the court rejected plaintiff’s contention that the Board concealed the data breach in violation of state law, finding that the applicable state laws only mandated timely disclosure of data breaches where personal information had been accessed. Though the Board learned that Starwood’s systems had been compromised by malware in September 2018, it did not learn that any personal information had been accessed until ten days prior to disclosing the breach, a time period which the court deemed to be not an “obvious violation of notification laws that suggest[s] bad faith on the part of the Board.”
DOJ Announces Creation of National Cryptocurrency Enforcement TeamOn October 6, 2021, the U.S. Department of Justice announced the creation of a National Cryptocurrency Enforcement Team (NCET) dedicated to the investigation and prosecution of criminal activity involving cryptocurrencies. The team will focus on crimes committed using virtual currency exchanges, which can be used to facilitate ransom payments, money laundering, and payments for illegal goods and services. In addition to pursuing cases against cryptocurrency exchanges, infrastructure providers, and other entities facilitating the use of cryptocurrency in criminal activities, the NCET will assist in tracing and recovering cryptocurrency payments made by the victims of fraud and extortion schemes.
Fifth Circuit Applies New Standard for Disgorgement Orders In Securities Cases to Affirm $2.4 Million SEC AwardOn October 12, 2021, in SEC v. Blackburn, the U.S. Court of Appeals for the Fifth Circuit affirmed a $2.4 million disgorgement award against three individuals for violations of the Securities Act in their operation of penny stock company Treaty Energy Corporation. In upholding the disgorgement award, the Fifth Circuit became the first court of appeals to assess a disgorgement order for compliance with the “awarded for victims” requirement set forth by the U.S. Supreme Court in Liu v. SEC.
In Blackburn, the U.S. Securities and Exchange Commission (“SEC”) charged the three defendants and others with selling unregistered securities and misleading investors in violation of the Securities Act. On summary judgment, the district court found the three defendants liable on several of the SEC’s claims and ordered, among other remedies, disgorgement of the defendants’ fraud proceeds. Defendants appealed arguing that summary judgment was not warranted and that the disgorgement award was not “for the benefit of investors” — a requirement recently articulated by the Supreme Court in Liu. More specifically, in Liu, the Supreme Court found that the practice of ordering disgorgement in securities cases was a permissible form of equitable relief under the Securities Exchange Act of 1934 so long as the disgorgement did not exceed defendants’ net profits and was awarded for the benefit of victims.
The Fifth Circuit affirmed both the summary judgment order and disgorgement award entered in favor of the SEC. First, the Fifth Circuit affirmed the lower court’s award of summary judgment in the SEC’s favor on the issue of liability, noting that while summary judgment is uncommon for claims involving questions of intent, it was appropriate where, as here, the undisputed evidence removed any doubt on the issue. Second, applying, Liu, the Fifth Circuit held that the disgorgement order was “awarded for victims” because the SEC had identified the victims and created a process for the return of disgorged funds. Notably, however, the court explicitly left open the question of whether simply placing disgorgement funds in a Treasury fund to pay whistleblowers and fund the Inspector General would satisfy the requirements laid out in Liu.
Delaware Supreme Court Upholds Ruling Against Investment Fund Manager for Breach of Fiduciary DutyIn a single-page decision issued on October 14, 2021, in Homf II Investment Corp. v. Altenberg, the Delaware Supreme Court affirmed judgment against the manager of a solar power-related investment fund for breach of his fiduciary duty of loyalty. The judgment, issued by the Court of Chancery, was upheld on the basis of the findings set forth in its May 2020 memorandum opinion.
This case arose out of the “diasastrous” performance of VERT Solar Fund, I LLC, an investment fund created for the purpose of acquiring, funding, and refinancing solar projects. The investors brought claims for fraudulent inducement, fraud, breach of fiduciary duty, and breach of contract against the fund’s manager, Joaquin Altenberg, and the entity he used to manage the managed the fund, which has since filed for bankruptcy.
In the lower court’s opinion, Vice Chancellor J. Travis Laster did not find defendant Altenberg liable for fraud or fraudulent inducement, but did find defendant Altenberg breached his fiduciary duty of loyalty by engaging in self-interested transactions that he could not prove were entirely fair. The court reserved judgment on plaintiff’s breach of contract claim against the management entity due to the pending bankruptcy proceeding. Vice Chancellor Laster later approved an order declaring Altenberg liable for $4.43 million in damages and $1.72 million in plaintiffs’ legal fees plus interest.
Ezekiel L. Hill
Kate E. MacLeman
Cassandra T. Desjourdy