In January 2018, the media began reporting on two security vulnerabilities affecting Intel Corporation's microprocessors - dubbed "Spectre" and "Meltdown". Following these disclosures, Intel's stock price fell and its market capitalization declined by some $20 billion. Several shareholders then filed derivative actions in the San Mateo County Superior Court. The trial court concluded that the plaintiff had failed to allege with requisite particularity that a pre-suit demand would have been futile.
Last week, the Court of Appeal affirmed the trial court's ruling in a refreshingly concise opinion. Tola v. Bryant, 2022 Cal. App. LEXIS 241. Because Intel is a Delaware corporation, the Court of Appeal applied the Delaware Supreme Court's test in United Food & Commercial Workers Union v. Zuckerberg, 262 A.3d 1034, 1058-59 (Del. 2021) for determining demand futility which requires the court to determine on a director-by-director basis:
- "whether the director received a material personal benefit from the alleged misconduct that is the subject of the litigation;"
- "whether the director faces a substantial likelihood of liability on any of the claims;" or
- "whether the director lacks independence from someone who received a material personal benefit from the alleged misconduct . . . who would face a substantial likelihood of liability on any of the claims."
The plaintiff's theory was that three of Intel's directors met the second criterion - they faced a substantial likelihood of liability because they failed to implement a system of controls to report cybersecurity issues. The Court of Appeal found this "Caremark" claim (referring to In re Caremark Int'l Inc., 698 A.2d 959 (Del. Ch. 1996)) as a "steep hill" that the plaintiff did not successfully climb. The Court of Appeal noted that Intel had an audit committee that met regularly and that the audit committee was tasked with investigating major financial risk exposures. Further, Intel had a protocol for reporting major risks to the board and that management had reported the security vulnerabilities to the board. The Court also found that plaintiff had failed to make detailed allegations that the vulnerabilities presented "the kind of acute risks, over a prolonged period of time, form which we could infer that Intel had no system of controls - ignored by the board in bad faith- to report major cybersecurity risks to the board".