Delaware Court of Chancery Emphasizes the High Burden of Pleading Oversight Claim

The Delaware Court of Chancery issued a memorandum opinion on October 1, 2024, in In re TransUnion Derivative Stockholder Litigation,¹ in which the Court dismissed claims that the directors and officers of TransUnion (the "Company") breached their fiduciary duties by failing to prevent purported technical violations of law. In so doing, Vice Chancellor Lori W. Will provides useful reasoning integrating the range of possible oversight claims under a common framework. The Court's decision also provides a powerful summary of the "high bar" that a plaintiff must meet to impose legal liability when corporate compliance efforts fail to prevent a corporate trauma.

Background

In 2015, the Consumer Financial Protection Bureau (the "CFPB") launched a two-year investigation into TransUnion's advertising and marketing practices related to the Company's credit-report services.² The CFPB's investigation culminated in a 2017 consent order (the "Consent Order") outlining the remedial efforts the Company agreed to undertake.³ The relevant remediations included the Company's agreement to include a header with the phrase "What You Need to Know" in text "double the size of its disclosure about the utility of VantageScore," and a check box on the final page of its registration form for a free or discounted trial along with a "simple mechanism for a consumer to immediately cancel" the service if purchased.⁴

To implement its remedial efforts, the Company hired outside counsel, a former CFPB enforcement attorney.⁵ Management kept the Board apprised of the CFPB's investigation, the Consent Order, and the Company's efforts to comply with the Consent Order.⁶ Despite those efforts, in 2019 the CFPB notified the Company of three potential violations of the Consent Order: (1) the Company's failure to include the agreed-on text in certain advertisements placed on third-party website; (2) the Company's language regarding the utility of VantageScore differed from the language in the Consent Order; and (3) the "What You Need to Know" header was less than double the size of the other text.⁷

Despite the Company's efforts to comply with the Consent Order, the CFPB began enforcement proceedings against the Company, eventually filing suit in the U.S. District Court for the Northern District of Illinois seeking to enforce the Consent Order.⁸ That federal action remains pending.

Following an inspection of the Company's books and records, Plaintiffs filed a derivative action asserting two theories of liability: (1) a so-called Massey claim "that the Board 'allowed TransUnion's pursuit of profits to take precedence over its legal compliance" and (2) a "second prong" Caremark claim "for consciously disregarding TransUnion's non-compliance with the Consent Order."⁹ Rejecting each theory, the Court dismissed the complaint.

The Court's Decision¹⁰

A Unified Oversight Framework

Significantly, the Court addressed, and implicitly rejected, a recent trend to distinguish Massey claims from traditional oversight claims under Caremark.¹¹ Summarizing the history of Caremark claims, the Court explained that Massey presented an "extreme version" of an oversight claim.¹² The Court added:

But Massey did not create a separate claim untethered from those explored in Caremark and Stone. All flow from the most basic obligation of directors and officers: to ensure that, in seeking profit, a corporation conducts lawful business by lawful means. Loyal fiduciaries must endeavor in good faith to maintain the corporation's fidelity to its material legal duties. If they intentionally fail to do so, personal liability for breach of fiduciary duty may follow.¹³

The Court thus noted an oversight claim can fall into one of three scenarios reflecting "a continuum under Caremark and its progeny."¹⁴

The first scenario, the so-called Massey claim, lies on the most "extreme end of the spectrum," involving allegations "that directors and officers purposely caused the corporation to break the law in pursuit of greater profits."¹⁵ This claim requires "meaningful-not trifling or technical-violations of law integral to the company's operations."¹⁶

"The second scenario, a Caremark "prong one" claim, involves a claim "that the board knowingly failed to implement a system to monitor legal compliance."¹⁷

The third scenario, a Caremark "prong two" claim, "has shades of the other two" and involves a "conscious failure" to "monitor [a reporting system] and make a good-faith effort to address identified risks."¹⁸ Under this scenario, "the risks identified and ignored cannot be business matters on which deference to the directors' decision-making is owed. They must be legal violations so obvious and material that disregarding them amounts to bad faith."¹⁹

Under any of these three scenarios, the Court held that "Directors who try to fulfill their oversight duties in good faith are not liable under either formulation advanced by the plaintiffs."²⁰ Put another way, "a sincere effort by directors to fulfill their oversight duties removes the potential for personal liability."²¹

The Irreconcilability of Massey and Caremark Prong Two Claims

The Court explained that the two theories Plaintiffs advanced-a Massey claim and a Caremark prong two claim-cannot logically coexist.²² That is because a Massey claim is predicated on an affirmative decision to act in violation of the law, while a Caremark prong two claim is predicated on inaction in the face of red flags.²³

In this case, Plaintiffs argued that while the Board took steps to comply with the Consent Order, gaps existed and such gaps reflected an intentional decision to violate the Consent Order.²⁴ The Court rejected Plaintiffs' argument. The Court held that a plaintiff cannot convert "a weak 'prong two' theory . . . into Massey-like purposeful lawbreaking simply because the directors' good faith efforts ultimately fell short on positive law."²⁵ If allowed to succeed, such an approach would turn "Caremark jurisprudence on its head" despite consistent holdings by the Delaware courts that "imperfect attempts at compliance are not indicative of bad faith."²⁶

Technical Violations of Immaterial Law Should Not State an Oversight Claim in the Face of Board Engagement

After placing Plaintiffs' allegations under a Caremark prong two claim, the Court easily disposed of Plaintiffs' complaint.

The Court highlighted the efforts the Company and its Board of Directors took to implement the Consent Order, and held that "an inadequate, delayed, or misguided response to red flags cannot support a claim for breach of the duty of loyalty-no matter how it is categorized."²⁷

In particular, the Board received advice from counsel on the Company's compliance efforts-advice the Board was fully protected in relying upon under Section 141(e) of the Delaware General Corporation Law.²⁸

The Board also received reports from management on the Company's compliance efforts, including to correct issues as they developed, and the Company's response after the involvement of the CFPB's enforcement division.²⁹

And, as to the purported violations of the Consent Order, which were being litigated in the federal action, these matters "concern[ed] minor technical disagreements over whether TransUnion's changes went far enough."³⁰

Even assuming the Board should have acted earlier and knew of the CFPB's viewpoint and its escalating actions, the Court held the directors' "affirmative steps toward and regular updates about compliance undercut any inference that the Board acted in bad faith."³¹

Conclusion and Takeaways

TransUnion underscores "the wide[] gulf between imperfect compliance and purposeful lawbreaking,"³² with the former not giving rise to liability.

The decision also should provide assurance to directors that:

• The risk of oversight liability due to an utter failure to oversee business risk (as opposed to material legal compliance) should be significantly reduced, if not non-existent.
• Technical violations of law immaterial to the enterprise should be insufficient to establish oversight liability.
• Having a reporting system that provides regular updates to the board on the company's compliance efforts and actions taken in response to potential red flags should defeat a claim for failure of oversight, even when those efforts prove insufficient.

Public link

Please use the above public link if you want to share this noodl on another website.