Delaware Court in Marriott ruling: Directors have duty of oversight in cybersecurity

A new ruling by the Delaware Court of Chancery in the Marriott data breach case highlights the centrality of cybersecurity risks to directors oversight duties,while confirming the principle that directors who monitor cyber risks closely, seek outside advice and act diligently to mitigate risks would not face liability.

The highly anticipated ruling follows a recent slew of cases in which Delaware courts sustained claims against directors for breaching their oversight duties, most notably in the recent Boeing decision, where Delaware court denied Boeing’s motion to dismiss a breach of oversight duty claim regarding the 737 Max air crashes. These recent decisions signaled a dramatic change in the accountability and responsibility borne by board members in the famously business-friendly state’s legal system.

Marriott’s case originates in the Starwood Hotels and Resorts Worldwide’s guest reservation database being breached in 2014, two years prior to its acquisition by Marriott International for $13 billion. Mariott only learned about the breach in September 2018, disclosing it publicly on November 30 of that year.

The hackers have allegedly harvested 24 million passport numbers and more than 9 million credit and debit card numbers. Unnamed government officials attributed the cyberattack to Chinese state actors executing an intelligence-gathering effort, which also included attacking health insurers and stealing security clearance files.

The incident naturally took a financial-, as well as a reputational-, toll on Marriott. Company shares fell almost 5% in pre-market trading the day of the disclosure. Multiple lawsuits were filed. All 50 states’ and DC’s attorneys general, SEC, FTC, and U.S. Senate and Congress committees, among others, opened investigations. And in October 2020, the company was fined £18.4 million ($23.8 million) by the UK’s Information Commissioner Office.

On December 3, 2019, The Firemen's Retirement System of St. Louis, a Marriott stockholder, filed a derivative lawsuit against Marriott, key executives and its 14 post-acquisition directors, claiming a breach of fiduciary duty. The Plaintiff accused the defendants of “failing to conduct adequate due diligence of Starwood’s cybersecurity technology” before the acquisition, and that following it, they failed to implement adequate internal controls, “continued to operate Starwood’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under Caremark”, according to the ruling.

Vice Chancellor Lori W. Will of the Delaware Court of Chancery took this chance to address the issue of the principle of directors oversight responsibilities for cybersecurity. “The corporate harms presented by non-compliance with cybersecurity safeguards”, Vice Chancellor Will ruled on October 5th, “increasingly call upon directors to ensure that companies have appropriate oversight systems in place.” And while usually, the Vice Chancellor explained, the court would find directors liable only for risks that are uniquely and specifically major for their firms, cybersecurity does not fit this designation. Cybersecurity, Will wrote, “is an area of consequential risk that spans modern business sectors. In the past several years alone, cyberattacks have affected thousands of companies and government agencies. High-profile data breaches have exposed customer data at businesses from Yahoo! to Target and Home Depot.Targeted attacks have shut down hospitals and taken offline major fuel pipelines. Regulators in the United States and abroad have become more active in issuing cybersecurity guidance and undertaking enforcement activities in response.The President of the United States has named cybersecurity a ‘top priority and essential to national and economic security’.”

Thus, the Marriott case confirms that directors in all firms are expected to monitor cyber risks, and could be found liable for lack of oversight on cyber vulnerabilities. “There's a lot at stake here, not just for Marriott, but for all Delaware corporations”, the directors’ attorney Jason J. Mendro argued during the hearing, warning that finding directors personally liable in pervasive cybercrime risks could cause a deluge of litigation "seeking to extract fees from victims".

Yet, the court also affirms that directors who act in good faith to monitor risks will not be second guessed in court. Only directors who marginalize, or turn a blind eye on, cyber risks, will fail to gain the court’s protection. Directors who do their best to identify risks and cope with them, demand information and utilize expertise, will be viewed as fulfilling their duties even when a cyber attack causes serious harm.

Accordingly, the court found that the Marriott board acted in good faith to fulfill their oversight duties: “Marriott’s Board consistently ranked cybersecurity as a primary risk facing the Company”, the court said. It “‘routinely apprised’” - the court quoted these words verbatim from the complaint itself - “on cybersecurity risks and mitigation, provided with annual reports on the Company’s Enterprise Risk Assessment that specifically evaluated cyber risks”.

Finally, the court stressed that the Marriott board “engaged outside consultants to improve and auditors to audit corporate cybersecurity practices”. Marriott’s execs and board had not ignored urgent Starwood cybersecurity flaws presented to them, the court said.

As echoed in Vice Chancellor Will’s words: “The data breach that is at the center of this case was momentous in scale and put the data of hundreds of millions of people at risk. Critically, however, the corporate trauma that came to fruition was at the hands of a hacker. Marriott was the victim of an illegal act rather than the perpetrator”.

Michal Barzuza is a Professor with the University of Virginia School of Law. Ido Kenan is VP Content, Cytactic cyber crisis management.