
Impact of SolarWinds lawsuit dismissal in Delaware likely to be limited, say legal experts

Supreme Courthouse in Dover, Delaware, USA. The court upheld a Chancery Court ruling last year that dismissed a shareholder lawsuit against IT management company SolarWinds over a 2020-disclosed hack, saying the plaintiffs had failed to demonstrate the company’s board of directors acted in clear bad faith around their cybersecurity program.

The biggest news from the latest regulatory filing (PDF) from SolarWinds centered around a disclosure that executives at the Texas-based IT management company - whose Orion software was at the heart of a massive hacking campaign linked to the Russian government in 2020 - are still facing an imminent potential SEC enforcement action around the campaign.

But that announcement overshadowed another relevant disclosure: that the Supreme Court of the State of Delaware has upheld a decision to throw out a civil suit filed against the company by the Construction Industry Laborers Pension Fund and other shareholders.

Last year, Delaware Vice Chancellor Sam Glasscock III threw out the case, prompting the plaintiffs to appeal to the State Supreme Court, arguing it was wrongly decided and that SolarWinds and its executives should be held legally liable for security failures in the lead-up to the Orion hack.

The May 17 State Supreme Court ruling, signed by Justice Karen Valihura, found that the lower court’s original decision to dismiss the case was valid and should be affirmed “on the basis of and for the reasons assigned by the Court of Chancery in its Memorandum Opinion [and final judgement].”

No "credible" allegations that executives broke laws

In light of the ruling, it’s worth revisiting Glasscock’s September 2022 opinion, as it touches on many aspects that made the lawsuit against SolarWinds and its executives so compelling within the information security community.

SolarWinds is far from the only company to have suffered a breach and been sued as a result, but the case became emblematic of many broader trends and debates in the cybersecurity industry around whether and how much legal responsibility companies have when their products are exploited by malicious hackers.

In this case, the downstream impact of the hack on SolarWinds’ customers and other parties was incredibly damaging, though not all of it stemmed directly from the compromise of Orion: approximately 100 companies and 9 federal agencies had their own systems and networks compromised during the campaign.

Details about the company’s cybersecurity practices uncovered by media reports, security researchers and the lawsuits painted an unflattering portrait of apathy around cybersecurity, including the infamous use of the password “SolarWinds123” for one of its file servers, while a former security consultant for the company said many of the security practices listed on the company’s website were essentially “non-existent” and window dressing.

It should be noted that none of the security failures listed in the lawsuits were directly tied to the Orion hack, and that may have been one of the deciding factors in throwing out the Delaware suit.

There remains a tremendous grey area between when and where, exactly, a company’s security practices cross the line from insufficient to legally liable.

Glasscock’s opinion, however, offers a fairly direct answer to some of these questions, at least under Delaware state law. Namely, there is no evidence of a positive violation of law by SolarWinds or its executives, and the actions detailed in the case did not rise to the level of a legal failure to provide a “duty of care.” It also asserts that how a business assesses and weighs risk before a breach is a primary function of its board, and that “judicial post-hoc” interventions, particularly for claims of gross negligence, are “problematic.”

“Here, there is no credible allegation that the Company violated positive law. Instead, the Directors are accused of failing to monitor corporate effort in way that prevented cybercrime. Of course, absent statutory or regulatory obligations, how much effort to expend to prevent criminal activities by third parties against the corporate interest requires an evaluation of business risk, the quintessential board function,” Glasscock wrote.

Case must show clear "bad faith" intent

Most interestingly, the opinion takes direct aim at lawsuits that combine a security breach with general security shortfalls to bring a “Caremark” claim against the company, effectively arguing that the board of directors has failed to uphold a “duty of care” with regard to their corporate responsibilities.

Caremark liability stems from a 2019 lawsuit filed against Blue Bell Creameries by shareholders after an outbreak of listeria in its ice cream products led to three deaths and multiple illnesses among consumers. While the Delaware Chancery Court dismissed the case, saying Blue Bell had an ostensible food safety program in place, the state Supreme Court overruled it, finding that the board of directors “utterly failed” to conduct any oversight over the system and was thus liable for the outbreak.

Glasscock wrote that in the years since the ruling, such lawsuits against companies have “bloomed like dandelions,” often attempting to tie general failings to specific harms.

“Derivative claims against corporate directors for failure to oversee operations—so-called Caremark claims, once relative rarities—have in recent years bloomed like dandelions after a warm spring rain..,” Glasscock wrote. “The cases, superficially at least, seem easy to conjure up: find a corporate trauma; allege the truism that the board of directors failed to avert that trauma; and hey, presto! an oversight liability claim is born.”

For such allegations to hold water under Caremark, the plaintiffs must prove that “the lack of oversight pled [is] so extreme that it represents a breach of the duty of loyalty” and that “this in turn requires…demonstrating bad faith [or] a failure to fulfill the duty of care in good faith.”

Examples offered by Glasscock include things like an action or statement (or omission) that a director knows is contrary to the corporate weal, failure to implement any kind of system for reporting risk, or failure to act in the face of “red flag” disclosures that are “so vibrant that lack of action implicates bad faith.”

That lack of evidence of bad-faith actions connected to the Orion breach made the Delaware case “an easy action to resolve in favor of the Defendants.”

“In other words, the directors failed to prevent a large corporate trauma, but the Plaintiffs have failed to plead specific facts from which I may infer bad faith liability on the part of a majority of the directors regarding that trauma,” Glasscock wrote.

Cara Peterman, an attorney and partner at Alston and Bird who focuses on securities litigation, privacy, cybersecurity and data strategy, told SC Media that while the Glasscock opinion acknowledged that an "egregious" failure to oversee a business risk could hypothetically open a corporation up to liability, the SolarWinds case failed to meet this "high pleading burden."

Peterman said the decision underscores the importance of corporations establishing cyber-risk oversight up to the board of directors level, adopting written charters that outline which board-level committees oversee the company’s cyber risks, and documenting board- and committee-level discussions regarding cyber-risk oversight.

"Based on the evidentiary record before the Court, at least two board-level committees had been tasked with overseeing and had discussed the company’s cyber risks during the relevant time period, and the cybersecurity deficiencies alleged in the complaint either weren’t raised to the board or didn’t amount to a 'red flag,'" Peterman said.

Impact on other breach lawsuits

However, legal experts told SC Media that the applicability of the Delaware SolarWinds case to other private lawsuits and federal regulatory actions from agencies like the SEC is extremely narrow.

Tyson Benson, an in-house attorney for ZF-Group, said Caremark law only exists in Delaware state law, and the lawsuit and opinion would likely only apply to what are known as “shareholder derivative” lawsuits in the state, or lawsuits in which shareholders of a company can sue executives for failing to properly manage the company. Further, Delaware’s courts are known to be more friendly to corporate interests than those of other states.

“I don’t think this would impact any other cases if they were different from shareholder derivative actions. If they’re being brought under different legal theories or statutes, then this won’t really have any effect,” he said.

For example, both the looming SEC action and a similar lawsuit filed by shareholders in Texas rely on legal claims that SolarWinds violated provisions of the Securities and Exchange Commission Act covering securities fraud, not Caremark statutes.

The Texas suit was settled last year for $26 million before a judge could rule on larger questions around the company’s legal liability for the hack.

Because of this, the impact of the Delaware ruling on other legal actions against the company is likely to be limited, and there remain a number of other avenues for shareholders and victims to bring legal action against corporations over their security failures.

“Corporations can be liable under the law for a lot of reasons. You could be negligent or there could be some other type of proactive statutes out there that shows a corporation is liable for gross negligence, but this Delaware [case] is one specific subset of actions that shareholders can bring,” Benson said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
