Publication Date



Due to the proliferation of electronic data and
advancements in technology, data breaches have become
commonplace. Data breaches are a threat to
corporations of all sizes and can have devastating
impacts. Focusing solely on Delaware law, this Note
explores how doctrines such as the business judgment
rule, exculpation provisions, and heightened pleading
standards have left shareholders with limited recourse
in holding directors liable for the catastrophic
consequences of data breaches. Recognizing that
shareholders have been unsuccessful alleging
Caremark-type claims arising out of a data breach, this
Note argues that the expansion of bad faith in Walt
Disney provides alternative ground for shareholders to
hold directors liable for data breaches. Nevertheless, this
Note concedes that courts will be unlikely to accept that
argument. Courts are too wary of opening the floodgates
of director liability. Therefore, this Note argues that
there are certain risks—such as cybersecurity risks—to
which Caremark can be extended without eviscerating
the business judgment rule. This Note finally argues
that where Caremark applies, the standard should be
relaxed in the context of cybersecurity. In an age of data
breaches, the time has come for the Caremark standard
to have some teeth.