Opinion
A161150
03-24-2022
Cotchett, Pitre & McCarthy, LLP, Mark C. Molumphy, Burlingame, Tyson C. Redenbarger, and Julia Q. Peng for Plaintiff and Appellant. Gibson Dunn & Crutcher LLP, Paul J. Collins, Palo Alto, for Defendant and Respondent Intel Corporation. Munger, Tolles & Olson LLP, Fred A. Rowley, Jr., Robert L. Dell Angelo, and John M. Gildersleeve, Los Angeles, for Defendants and Respondents Andy D. Bryant, Brian M. Krzanich, Robert H. Swan, Charlene Barshefsky, Aneel Bhusri, Reed E. Hundt, Omar Ishrak, Tsu-Jae King Liu, David S. Pottruck, Gregory D. Smith, Andrew Wilson, Frank D. Yeary, and David B. Yoffie.
Cotchett, Pitre & McCarthy, LLP, Mark C. Molumphy, Burlingame, Tyson C. Redenbarger, and Julia Q. Peng for Plaintiff and Appellant.
Gibson Dunn & Crutcher LLP, Paul J. Collins, Palo Alto, for Defendant and Respondent Intel Corporation.
Munger, Tolles & Olson LLP, Fred A. Rowley, Jr., Robert L. Dell Angelo, and John M. Gildersleeve, Los Angeles, for Defendants and Respondents Andy D. Bryant, Brian M. Krzanich, Robert H. Swan, Charlene Barshefsky, Aneel Bhusri, Reed E. Hundt, Omar Ishrak, Tsu-Jae King Liu, David S. Pottruck, Gregory D. Smith, Andrew Wilson, Frank D. Yeary, and David B. Yoffie.
BURNS, J.
In this shareholder derivative action, plaintiff Joseph Tola alleges that officers and directors of Intel Corporation breached their fiduciary duties, engaged in insider trading, and were unjustly enriched. Applying Delaware law, the trial court dismissed Tola's third amended complaint without leave to amend, having concluded that he failed to allege, with the requisite particularity, that it was futile to make a pre-suit demand on Intel's board of directors. Tola disputes this point and, alternatively, argues the trial court abused its discretion by denying his motion for reconsideration, which sought leave to amend. We disagree and affirm.
BACKGROUND
A.
Management of a corporation, including control of any claims it pursues, is vested in its board of directors. ( Bader v. Anderson (2009) 179 Cal.App.4th 775, 782, 101 Cal.Rptr.3d 821.) "When the board refuses to enforce corporate claims, however, the shareholder derivative suit provides a limited exception to the rule that the corporation is the proper party plaintiff." ( Ibid . )
Shareholders face a heavy burden when bringing a shareholder derivative lawsuit. ( Brehm v. Eisner (Del. 2000) 746 A.2d 244, 267.) By nature, a derivative suit intrudes on directors’ freedom to manage a corporation's affairs. ( Stone v. Ritter (Del. 2006) 911 A.2d 362, 366 ( Stone ).) Accordingly, a shareholder may not maintain a derivative lawsuit unless (1) the board has wrongfully refused the shareholder's demand to pursue a corporate claim, or (2) a demand would be futile because the board cannot make an impartial decision. ( Id . at pp. 366-367.) When, as here, the shareholder contends that a demand would be futile, she must plead particularized facts creating a reasonable doubt that the board can impartially consider its merits. ( Rales v. Blasband (Del. 1993) 634 A.2d 927, 934 ; accord, Del. Ch. Ct. Rules, rule 23.1; Leyte-Vidal v. Semel (2013) 220 Cal.App.4th 1001, 1009, 163 Cal.Rptr.3d 641.) The parties agree that Delaware law governs the issue.
B.
Intel, a Delaware corporation headquartered in California, designs and manufactures microprocessors. In June 2017, Google engineers alerted Intel's management to two security vulnerabilities—named "Spectre" and "Meltdown"—affecting Intel's microprocessors. The vulnerabilities could potentially have been exploited by hackers to gain unauthorized access to sensitive data stored on a user's device and potentially affected Intel microprocessors manufactured as far back as 1995 or 1996. When notified of the vulnerabilities, management formed a "Problem Response Team" to investigate and develop software solutions. Over the next six months, Intel made no public disclosures about Spectre or Meltdown. In January 2018, media reports described the security vulnerabilities affecting Intel's microprocessors. The next day, Intel acknowledged the vulnerabilities, and management's prior knowledge of them, in a press release and investor call. Intel stated it had "begun providing software and firmware updates to mitigate" the vulnerabilities and that it "had planned to disclose this issue [the following] week when more software and firmware updates [would] be available."
In the days following the January disclosures, Intel's stock price dropped (at least temporarily) by about $4 per share, from $46.85 to $42.50, which "eras[ed] over $20 billion in market capitalization."
C.
In 2018, Tola and several other Intel shareholders (collectively Tola) filed separate derivative shareholder lawsuits in the San Mateo County Superior Court. After the separate actions were ordered consolidated, Tola filed a consolidated shareholder derivative complaint, which alleged, among other things, that certain Intel officers and directors breached fiduciary duties owed to Intel and its shareholders.
The individual defendants named in Tola's derivative action are: (1) Brian Krzanich (who served as Intel's chief executive officer and as a director between 2013 and June 2018); (2) Andy Bryant (who is a director and chairman of the board); (3) Robert Swan (who, since January 2019, has served Intel as a director and its chief executive officer); (4) Aneel Bhusri (a director until 2019); (5) Reed Hundt (director); (6) Omar Ishrak (director); (7) Tsu-Jae King Liu (director); (8) David Pottruck (director through May 2018); (9) Gregory Smith (director); (10) Andrew Wilson (director); (11) Frank Yeary (director); (12) Charlene Barshefsky (director through May 2018); (13) David Yoffie (director through May 2018).
The trial court sustained demurrers (with leave to amend) to the first three iterations of Tola's complaint. After obtaining books and records from Intel, Tola filed the operative third amended complaint in December 2019.
In the operative complaint, Tola alleges that Krzanich and Swan (who was Intel's chief financial officer in 2017) "knowingly disregarded industry best practices, material risks to the Company's reputation and customer base, and their fiduciary duties of care and loyalty to the Company, by deliberately concealing and failing to disclose the significant vulnerabilities in the Company's processors for more than six months after they were initially discovered and reported to Intel by engineers at [Google]. Further, the Board of Directors willfully failed to exercise its fundamental authority and duty to govern Company management and establish standards and controls for Company compliance, in breach of the directors’ fiduciary duty of loyalty to the Company." Tola also alleges that the directors’ breaches of fiduciary duties "resulted in a Company-wide failure to maintain security standards and internal controls necessary to detect and prevent material risks to the Company, including risks related to security vulnerabilities in nearly all of Intel's chips, the Company's core product."
Tola alleges that these breaches caused Intel and its shareholders to "suffer[ ] injury in the amount of at least hundreds of millions of dollars."
D.
Five directors are the focus of this appeal. These directors—Bryant, Swan, Hundt, Liu, and Yeary—all served on the board, which was comprised of ten directors total, at the time that Tola filed the operative complaint. (See Braddock v. Zimmerman (Del. 2006) 906 A.2d 776, 786 ["demand inquiry must be assessed by reference to the board in place at the time when the amended complaint is filed"].)
Having abandoned other theories that he pursued below, Tola offers two theories for why these directors cannot impartially consider a demand. First, Bryant and Swan allegedly violated insider trading rules by selling Intel stock after learning of the security vulnerabilities but before the vulnerabilities were publicly disclosed. Second, the four directors (including Bryant) who served on the board both in 2017 and 2019 allegedly disregarded their fiduciary duty to monitor and oversee cybersecurity risks. Specifically, Tola alleges defendants failed to implement any controls to report cybersecurity issues to the board, and the defendants themselves have admitted that they did not discuss security vulnerabilities at a single board or committee meeting between June 2017 and January 8, 2018.
The trial court sustained defendants’ demurrer without leave to amend, concluding that Tola failed to plead demand futility with the requisite particularity. The trial court assumed that Bryant and Swan themselves could not impartially consider a demand. But the trial court rejected Tola's theory that the other three directors faced a substantial likelihood of liability for failing to implement any board-level monitoring system for cybersecurity issues. That theory, the trial court explained, was contradicted by Tola's allegations that Intel's audit committee had a duty to investigate major financial risk exposures and that directors on the audit committee had actual knowledge of the security vulnerabilities as early as June 2017.
The trial court entered judgment in defendants’ favor and dismissed the derivative complaint with prejudice. DISCUSSION
A.
Tola challenges the trial court's conclusion that he did not adequately plead demand futility. After reviewing the operative complaint's allegations de novo ( Apple Inc. v. Superior Court (2017) 18 Cal.App.5th 222, 240, 227 Cal.Rptr.3d 8 ), we conclude the trial court did not err.
1.
The Delaware Supreme Court recently adopted a universal test for assessing demand futility. ( United Food & Commercial Workers Union v. Zuckerberg (Del. 2021) 262 A.3d 1034, 1058.) In all shareholder-derivative suits, courts are to determine (on a director-by-director basis): (1) "whether the director received a material personal benefit from the alleged misconduct that is the subject of the litigation;" (2) "whether the director faces a substantial likelihood of liability on any of the claims;" or (3) "whether the director lacks independence from someone who received a material personal benefit from the alleged misconduct ... who would face a substantial likelihood of liability on any of the claims." ( Id . at p. 1059.) "If the answer to any of the questions is ‘yes’ for at least half of the members of the demand board, then demand is excused as futile." ( Ibid . )
We assume, without deciding, that Bryant and Swan cannot be impartial due to their alleged insider trading. The question thus becomes whether Tola adequately alleges that the remaining three directors face a substantial likelihood of liability for failing to oversee and monitor cybersecurity risk. 2.
Tola's theory is that Hundt, Liu, and Yeary face a substantial likelihood of liability—and therefore cannot impartially consider a demand—because they failed to implement any system of controls to report cybersecurity issues requiring the board's oversight. He relies on the seminal case In re Caremark International Inc. (Del. Ch. 1996) 698 A.2d 959 ( Caremark ).
This is a steep hill for Tola to climb. Under the Caremark standard, a director must make a good faith effort to oversee the company's operations and ensure that the company has a system of internal controls in place to inform the board of risks requiring their attention. ( Marchand v. Barnhill (Del. 2019) 212 A.3d 805, 821-822 ( Marchand ).) However, a claim that corporate board members have breached their duties to stockholders by failing to monitor corporate affairs is "possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment." ( Caremark, supra, 698 A.2d at p. 967.)
Caremark claims are difficult because a director is not liable unless she acts in bad faith. ( Stone, supra, 911 A.2d at p. 364 ; see also id . at p. 369.) Like many Delaware corporations, Intel exculpates directors from liability for actions they took in good faith. ( Id . at p. 367.) Accordingly, a plaintiff must show that the directors "knew that they were not discharging their fiduciary obligations" or that the directors "demonstrat[ed] a conscious disregard for their responsibilities" such as by "fail[ing] to act in the face of a known duty to act." ( Id . at p. 370 ; accord, Wood v. Baum (2008) 953 A.2d 136, 141 [when charter contains exculpatory provision limiting scope of directors’ liability, plaintiff must plead "particularized facts that demonstrate that the directors acted with scienter, i.e ., that they had ‘actual or constructive knowledge’ that their conduct was legally improper"].) " ‘[O]nly a sustained or systematic failure of the board to exercise oversight - - such as an utter failure to attempt to assure a reasonable information and reporting system exists - - will establish the lack of good faith that is a necessary condition to liability.’ " ( Stone, supra, 911 A.2d at p. 364, italics added.)
Tola's allegations fall short. The operative complaint alleges that the board "fail[ed] to implement a system of internal controls" and "willfully failed to exercise its ... duty to govern [Intel's] management and establish standards and controls for [its] compliance." But Tola does not support these conclusory allegations with sufficient particularized facts that support an inference of bad faith. Tola does not allege, for example, that, in 2017, Intel lacked an audit committee, that Intel's audit committee met only rarely, or particularized facts suggesting that Intel's board knew monitoring cybersecurity vulnerabilities was critical to Intel's operations yet simply chose to ignore the need for board-level reporting. (See, e.g., Guttman v. Jen-Hsun Huang (Del. Ch. 2003) 823 A.2d 492, 506-507.)
In fact, Tola concedes that Intel employed an outside auditor during the relevant time, that the board had set up an audit committee, that the audit committee met regularly with the outside auditors and management, and that the audit committee was explicitly tasked with investigating "major financial risk exposures." Tola also acknowledges that, in 2017, management responded to the security vulnerabilities by forming a "[p]roblem [r]esponse [t]eam," which addressed issues involving significant customer impact or Intel brand exposure.
Not only did Intel have a protocol for reporting major risks to the board, management reported the cybersecurity risks at issue here. When the security vulnerabilities became public in January 2018, Intel's board held a special telephonic meeting, within a week, and received an update from Intel's chief executive officer on the security vulnerabilities and the company's response. Intel's audit committee also met, within two weeks, to receive information from management about the actions taken by the problem response team with respect to Spectre and Meltdown. Representatives from Intel's outside auditor were also in attendance. On January 17, 2018, the board created a new subcommittee tasked solely with cybersecurity oversight. Four days later, the new subcommittee met and received a report from Swan, which concluded that, based on information known at the time, "a loss arising from [the vulnerabilities was] neither probable nor estimable."
Given the audit committee reporting protocol, the timeframe in which management responded to and reported the issues, and the nature of the vulnerabilities (which apparently were not exploited), we cannot infer that Hundt, Liu, and Yeary acted in bad faith. ( Marchand, supra , 212 A.3d at p. 821 ; accord, id . at p. 823 ["plaintiffs usually lose because they must concede the existence of board-level systems of monitoring and oversight such as a relevant committee, a regular protocol requiring board-level reports about the relevant risks, or the board's use of third-party monitors, auditors, or consultants"].)
The point is well illustrated by Marchand, supra, 212 A.3d 805, a rare example of a case in which a shareholder adequately pled demand futility under the Caremark standard. In Marchand , the company's sole product was ice cream. ( Id . at p. 809.) Over a period of five years, state regulators cited several of the company's factories multiple times for food safety violations. ( Id ., at pp. 811-812.) Despite the citations, management not only failed to fix the problem, it let the problem grow into a full blown crisis. Over a two-year period, regulators and the company's own inspectors found a potentially deadly bacteria—listeria—in multiple factories across several states. ( Id . at pp. 813-815.) The listeria problem continued to worsen until it spiraled out of control: listeria contaminated the ice cream, leading to a series of limited recalls and, eventually, a complete recall of all the company's products and a federal investigation. ( Ibid . ) Eight adults were sickened by listeria from the company's ice cream, and three of those people died. ( Id . at p. 814.) With its plants closed and its products pulled from the shelves, the company laid off a third of its workforce and suffered a liquidity crisis that forced it to accept private equity and cede power on the board to the investor. ( Id . at pp. 807, 815.) Although management was alerted to numerous red flags over several years, the board had no protocols to keep abreast of food safety problems and, until the first recall, never met to discuss listeria. ( Id ., at pp. 813-814.)
These detailed allegations, said the Marchand court, created a reasonable inference that the directors acted in bad faith. ( Marchand, supra , 212 A.3d at p. 809.) Notably, the Marchand plaintiffs did not simply allege that the board neglected to discuss a major problem with the company's sole product. What distinguishes Marchand from cases involving mere negligence is the magnitude and duration of the crisis, which demonstrated the board's conscious indifference to making sure it was informed of critical food safety issues. The detailed allegations of this years-long, snowballing catastrophe showed an utter lack of board-level reporting that no board acting in good faith would have allowed. Tola argues that this case is "on all fours" with Marchand . We strongly disagree. We may credit Tola's allegations that a security flaw in Intel's microprocessors could theoretically pose a grave threat to the company and that the board did not discuss these particular threats, Spectre and Meltdown, for seven months. But there are no detailed allegations that Spectre and Meltdown actually presented the kind of acute risks, over a prolonged period of time, from which we could infer that Intel had no system of controls—ignored by the board in bad faith—to report major cybersecurity risks to the board. The absence of board-level discussion about Spectre and Meltdown over the course of seven months does not, on its own, suggest " ‘an utter failure to attempt to assure a reasonable information and reporting system exists.’ " ( Stone, supra, 911 A.2d at p. 364, italics added.)
As explained, the board had a system of controls in place for reporting major financial risks to the directors, and it discussed and acted upon Spectre and Meltdown in 2018. Tola essentially alleges management should have reported the issue sooner, which is insufficient. (See Lyondell Chemical Co. v. Ryan (Del. 2009) 970 A.2d 235, 243 ["there is a vast difference between an inadequate or flawed effort to carry out fiduciary duties and a conscious disregard for those duties"].) Likewise, we cannot infer bad faith from the fact that the share price fell (and that the board put additional safeguards in place) when the news leaked. (See Stone, supra , 911 A.2d at p. 373 [courts must not "equate a bad outcome with bad faith"].)
In short, Tola failed to plead particularized facts supporting his Caremark theory of liability. At most, Tola alleged that two directors (Bryant and Swan) received a material personal benefit from alleged insider trading, which still leaves an impartial board majority to consider a demand. We need not consider Tola's additional claims of error. (See Aubry v. Tri-City Hospital Dist. (1992) 2 Cal.4th 962, 967, 9 Cal.Rptr.2d 92, 831 P.2d 317 ( Aubry ) ["judgment must be affirmed ‘if any one of the several grounds of demurrer is well taken’ "]; Williams v. Southern California Gas Co. (2009) 176 Cal.App.4th 591, 604, 98 Cal.Rptr.3d 258 ["[w]e affirm ... the trial court's decision and not the reason for that decision"].) B.
Tola maintains that the trial court abused its discretion in denying his request for leave to amend. We disagree.
1.
After the trial court entered its order dismissing the operative complaint without leave to amend, Tola filed a motion for reconsideration, seeking leave to file a fourth amended complaint. Tola purported to address the inconsistency, identified by the court in its demurrer ruling but disregarded in our analysis above, between his Caremark theory that the board was uninformed and his allegations that the audit committee "would have been privy" to the information about Spectre and Meltdown.
Tola proposed to amend the complaint to eliminate those inconsistencies and to focus on their "no oversight" theory—that, due to the board's failure to monitor cybersecurity risk, Intel's outside directors did not know about Spectre or Meltdown until they became public in 2018. However, the proposed fourth amended complaint carried forward similar allegations regarding the audit committee's duty to monitor major financial risks with management and Intel's outside auditor.
The trial court denied Tola's motion, noting that he "provide[d] no explanation for not presenting the requested relief" sooner and had not demonstrated "new or different facts." The court also concluded that, even putting inconsistencies aside, Tola did not sufficiently plead demand futility with the requisite particularity in the proposed fourth amended complaint.
2.
By failing to address the latter aspect of the court's ruling in his appellate briefs, Tola has forfeited any argument that the proposed fourth amended complaint included particularized facts sufficient to demonstrate Caremark demand futility. (See People v. Stanley (1995) 10 Cal.4th 764, 793, 42 Cal.Rptr.2d 543, 897 P.2d 481 [reviewing courts may disregard points missing cogent legal argument]; Goodman v. Kennedy (1976) 18 Cal.3d 335, 349, 134 Cal.Rptr. 375, 556 P.2d 737 [plaintiff generally bears burden to "show in what manner he can amend his complaint and how that amendment will change the legal effect of his pleading"].)
Although leave to amend is to be liberally granted, it is not error to deny leave to amend when there is no "reasonable possibility" that the plaintiff can state a cause of action. ( Aubry, supra, 2 Cal.4th at p. 967, 9 Cal.Rptr.2d 92, 831 P.2d 317.) Here, after Tola made four unsuccessful attempts at pleading demand futility with the requisite specificity, the trial court did not abuse its discretion in denying leave to amend. (See Ruinello v. Murray (1951) 36 Cal.2d 687, 690, 227 P.2d 251.)
DISPOSITION
The judgment is affirmed. Defendants are entitled to their costs on appeal. ( Cal. Rules of Court, rule 8.278(a)(2).)
We concur:
JACKSON, P.J.
SIMONS, J.