Firemen's Retirement System of St. Louis v. Arne M. Sorenson (Marriott International, Inc.) ( 2021 )


    IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE

    FIREMEN’S RETIREMENT SYSTEM OF ST. LOUIS, derivatively on behalf of
    Marriott International, Inc.,
    Plaintiff,
    v.
    ARNE M. SORENSON, J.W. MARRIOTT, JR., KATHLEEN K. OBERG, DEBORAH
    MARRIOTT HARRISON, BAO GIANG VAL BAUDUIN, BRUCE HOFFMEISTER,
    STEPHANIE C. LINNARTZ, ERIC HIPPEAU, LAWRENCE W. KELLNER, GEORGE
    MUÑOZ, MARY K. BUSH, DEBRA L. LEE, FREDERICK A. HENDERSON, AYLWIN B.
    LEWIS, BRUCE W. DUNCAN, W. MITT ROMNEY, STEVEN S. REINEMUND, and
    SUSAN C. SCHWAB,
    Defendants,
    and
    MARRIOTT INTERNATIONAL, INC., a Delaware Corporation,
    Nominal Defendant.

    C.A. No. 2019-0965-LWW
    MEMORANDUM OPINION
    Date Submitted: July 7, 2021
    Date Decided: October 5, 2021
    Samuel L. Closic and Eric Juray, PRICKETT, JONES & ELLIOTT, P.A.,
    Wilmington, Delaware; Brian J. Robbins, Craig W. Smith, Gregory E. Del Gaizo,
    and Emily R. Bishop, ROBBINS LLP, San Diego, California; Counsel for Plaintiff
    Firemen’s Retirement System of St. Louis
    Raymond J. DiCamillo and John M. O’Toole, RICHARDS, LAYTON & FINGER,
    P.A., Wilmington, Delaware; Jason J. Mendro and Jeffrey S. Rosenberg, GIBSON,
    DUNN & CRUTCHER LLP, Washington, D.C.; Adam H. Offenhartz and Laura
    Kathryn O’Boyle, GIBSON, DUNN & CRUTCHER LLP, New York, New York;
    Counsel for Defendants Arne M. Sorenson, J.W. Marriott, Jr., Kathleen K. Oberg,
    Deborah Marriott Harrison, Bao Giang Val Bauduin, Bruce Hoffmeister, Stephanie
    C. Linnartz, Eric Hippeau, Lawrence W. Kellner, George Muñoz, Mary K. Bush,
    Debra L. Lee, Frederick A. Henderson, Aylwin B. Lewis, Bruce W. Duncan, W. Mitt
    Romney, Steven S. Reinemund, and Susan C. Schwab, and Nominal Defendant
    Marriott International, Inc.
    WILL, Vice Chancellor
    In the fall of 2018, Marriott International, Inc. discovered a data security
    breach that had exposed the personal information of up to 500 million guests. An
    investigation revealed that the cyberattack was perpetrated through the reservation
    database of Starwood Hotels and Resorts—which Marriott had acquired two years
    prior—and had begun in 2014. Marriott publicly announced the incident on
    November 30, 2018. A series of stockholder and consumer actions followed.
    The stockholder plaintiff in this action brought a derivative lawsuit against
    several key executives and Marriott’s directors for breaches of fiduciary duty. The
    plaintiff’s claims are based on the defendants’ conduct both before and after the
    acquisition of Starwood. Regarding the pre-acquisition time period, the plaintiff
    alleges that the defendants breached their fiduciary duties by failing to conduct
    adequate due diligence of Starwood’s cybersecurity technology. Regarding the post-
    acquisition period, the plaintiff alleges that the defendants continued to operate
    Starwood’s deficient systems, failed to timely disclose the data breach, and that the
    directors breached their duty of loyalty under Caremark. The defendants have
    moved to dismiss the complaint for failure to plead demand futility.
    In this decision, I conclude that demand was not excused because none of the
    director defendants faces a substantial likelihood of liability on a non-exculpated
    claim. First, the plaintiff’s claims regarding pre-acquisition due diligence are time
    barred. They arose more than three years before the plaintiff’s complaint was filed
    and no basis for tolling applies. Second, none of the directors face a substantial
    likelihood of liability under Caremark. Cybersecurity has increasingly become a
    central compliance risk deserving of board level monitoring at companies across
    sectors. But the allegations in the complaint do not meet the high bar required to
    state a Caremark claim. The plaintiff has not shown that the directors completely
    failed to undertake their oversight responsibilities, turned a blind eye to known
    compliance violations, or consciously failed to remediate cybersecurity failures.
    Finally, the plaintiff’s claim based on unmet notification requirements is also
    unsupported by allegations of bad faith.
    The Marriott board therefore retained its ability to assess whether to pursue
    litigation on behalf of the company. Demand is not excused. The motion to dismiss
    is granted pursuant to Court of Chancery Rule 23.1.
    I.    BACKGROUND
    Unless otherwise noted, the following facts are drawn from the Amended
    Verified Stockholder Derivative Complaint and the documents it incorporates by
    reference.1 Any additional facts are either not subject to reasonable dispute or are
    subject to judicial notice.2
    A.    The Starwood Acquisition
    Nominal defendant Marriott International, Inc. (the “Company”) is a
    Delaware corporation headquartered in Bethesda, Maryland.3 Founded in 1927,
    Marriott is one of the largest hospitality companies in the world.4 Marriott operates,
    1
    Verified Am. Deriv. Compl. (“Am. Compl.”) (Dkt. 33). See Winshall v. Viacom Int’l,
    Inc., 76 A.3d 808, 818 (Del. 2013) (“[A] plaintiff may not reference certain documents
    outside the complaint and at the same time prevent the court from considering those
    documents’ actual terms.” (quoting Fletcher Int’l, Ltd. v. ION Geophysical Corp.,
    2011 WL 1167088, at *3 n.17 (Del. Ch. Mar. 29, 2011))); Freedman v. Adams,
    2012 WL 1345638, at *5 (Del. Ch. Mar. 30, 2012) (“When a plaintiff expressly refers to
    and heavily relies upon documents in her complaint, these documents are considered to
    be incorporated by reference into the complaint . . . .”). The parties agreed that
    documents produced by Marriott pursuant to 8 Del. C. § 220 would be deemed
    incorporated into any complaint the plaintiff filed. See Defs.’ Opening Br. 8 n.2
    (Dkt. 40); Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752, 797 (Del. Ch. 2016).
    Citations in the form “Defs.’ Ex. __” refer to exhibits to the Transmittal Declaration
    of John M. O’Toole, Esq. in Support of Defendants’ Opening Brief in Support of their
    Motion to Dismiss the Verified Amended Stockholder Derivative Complaint (Dkt. 41, 66).
    Page numbers to these exhibits are designated by the last four digits of a Bates
    number, where appropriate.
    2
    See, e.g., In re Books–A–Million, Inc. S’holders Litig., 2016 WL 5874974, at *1
    (Del. Ch. Oct. 10, 2016) (“This court may consider the Proxy Statement to establish
    what was disclosed to stockholders and other facts that are not subject to reasonable
    dispute.” (citing In re Gen. Motors (Hughes) S’holder Litig., 897 A.2d 162, 170
    (Del. 2006)); Lima Delta Co. v. Glob. Aerospace, Inc., 2017 WL 4461423, at *4
    (Del. Super. Oct. 5, 2017) (explaining that dockets, pleadings, and transcripts from a
    foreign action are subject to judicial notice).
    3
    Am. Compl. ¶ 19.
    4
    Id. ¶ 49.
    manages, and franchises a broad portfolio of over 6,900 hotels and lodging
    facilities.5
    On November 16, 2015, Marriott announced its intent to acquire Starwood
    Hotels and Resorts Worldwide, Inc. (the “Acquisition”), a hotel and leisure company
    whose brands included W Hotels, St. Regis, and Le Meridien.6 At that time,
    Starwood had more than 1,270 properties providing approximately 360,000 rooms
    in 100 countries.7 Marriott and Starwood would together create a more globally
    diversified company operating or franchising more than 5,500 hotels and 1.1 million
    rooms worldwide.8
    In discussing the Acquisition, Marriott’s then-President and Chief Executive
    Officer, Arne M. Sorenson,9 described Starwood’s guest loyalty program, Starwood
    Preferred Guest, as the “central, strategic rationale for the transaction” and the “most
    important piece of the [A]cquisition.”10 Starwood Preferred Guest had a devoted
    5
    Id. ¶¶ 19, 69.
    6
    Id. ¶¶ 1, 104.
    7
    Defs.’ Ex. 29 at 8.
    8
    Id. at 97.
    9
    On February 16, 2021, Marriott announced that Sorenson passed away on February 15,
    2021. Marriott International, Inc. (Form 8-K) (Feb. 16, 2021). Sorenson had served as
    Marriott’s President from May 2009 and Chief Executive Officer from May 2012 until his
    passing. Am. Compl. ¶ 20.
    10
    Id. ¶ 78.
    following of business travelers. Acquiring the program would expand Marriott’s
    client base, increase its brand loyalty, and enhance the Company’s ability to compete
    in an evolving global marketplace.11
    B.       Marriott’s Due Diligence and Starwood’s Data Security
    Eleven months of due diligence commenced in late 2015, with ten months
    passing between the signing of the Agreement and Plan of Acquisition on November
    15, 2015 and closing on September 23, 2016.12 During that time, the Company, and
    Sorenson in particular, publicly touted Marriott’s “extensive” diligence into
    Starwood and “joint integration planning” efforts.13
    In the midst of the Company’s diligence of Starwood, Marriott’s Board of
    Directors ranked cybersecurity as the number one risk facing Marriott in 2016.14
    The Board at that time consisted of 11 members: defendants Sorenson, J.W.
    Marriott, Jr. (the Company’s Executive Chairman and Chairman of the Board),
    Deborah Marriott Harrison (the Company’s Global Cultural Ambassador Emeritus),
    Lawrence W. Kellner, George Muñoz, Mary K. Bush, Debra L. Lee, Frederick A.
    Henderson, Steven S. Reinemund, Susan C. Schwab, and W. Mitt Romney (together,
    11
    Id. ¶¶ 75, 81; Defs.’ Ex. 29 at 97.
    12
    Am. Compl. ¶¶ 87, 109.
    13
    Id. ¶¶ 179-81.
    14
    Id. ¶ 100.
    the “Pre-Acquisition Board”).15 Despite knowing that cybersecurity was a pervasive
    risk in the hospitality industry that could affect Marriott’s ability to achieve its
    goals,16 the Pre-Acquisition Board did not order any specific due diligence into
    cybersecurity in connection with the planned Acquisition.17
    On November 20, 2015—five days after Marriott and Starwood signed the
    merger agreement—Starwood disclosed that the point-of-sale systems at 54 of its
    hotels in North America had been infected by malware. 18 Several months later, an
    internal Marriott report summarizing the costs of integrating the Marriott Guest
    Loyalty and Starwood Preferred Guest databases noted that Starwood’s systems
    lacked certain protections such as tokenization—the process of replacing sensitive
    data with unique identification symbols—and point-to-point encryption across its
    point-of-sale systems.19 None of this information reached the Board before the
    Acquisition closed.
    15
    Id. ¶¶ 20-21, 23, 28-32, 35-37.
    16
    Id. ¶ 100.
    17
    Id. ¶ 5.
    18
    Id. ¶¶ 79, 88.
    19
    Id.; see Kevin Batchelor, What is Tokenization, and Why Is It So Important?, Forbes
    (Apr. 19, 2019).
    C.       Starwood’s Information Security Systems Post-Closing
    Cybersecurity remained a “top level risk[]” for Marriott after the $13 billion
    Acquisition of Starwood closed on September 23, 2016.20 Cybersecurity was
    viewed by the Board as the second biggest risk facing Marriott for fiscal year 2017.21
    By then, Marriott’s data systems included Starwood’s legacy systems, some of
    which remained in use post-Acquisition.22
    The Board and Audit Committee were routinely apprised of cybersecurity
    issues after the Acquisition.23 On February 8, 2017, for example, the Audit
    Committee—comprised of director defendants Henderson, Bush, Aylwin B. Lewis,
    and Muñoz—was told by Marriott’s independent auditor Ernst & Young that audit
    committees were “expected to have an understanding of the business implications of
    cyber risks.”24 Internal Audit and Chief Audit Executive Keri Day also told the
    Audit Committee that Marriott had “established a Security Operations Center
    (SOC), an Incident Response (IR) plan, and related procedures” because its “incident
    20
    Am. Compl. ¶¶ 76, 121.
    21
    Id. ¶ 121.
    22
    Id. ¶¶ 126-27.
    23
    Id. ¶ 118.
    24
    Id. ¶ 118; Defs.’ Ex. 12 at 1238, 1240.
    response plan [wa]s not up to date.”25 Day further reported that “[t]he Company
    [wa]s actively evaluating Starwood’s exposures to cybersecurity risks.”26
    At a regularly scheduled meeting on February 10, 2017, the Marriott Board—
    which now included former Starwood directors Bruce W. Duncan, Eric Hippeau,
    and Lewis (together with the Pre-Acquisition Board members, the “Post-Acquisition
    Board”)—was allegedly told for the first time about deficiencies in Starwood’s
    cybersecurity controls.27 During the February 10, 2017 meeting, defendant Bruce
    Hoffmeister, Marriott’s Global Chief Information Officer, gave a presentation titled
    “Marriott Cybersecurity Report” to the full Post-Acquisition Board.28 Hoffmeister
    discussed various steps that Marriott had taken to protect against data breaches,
    including the engagement of a “specialized security company” to manage its
    “Security Operations Center.”29 The “primary” step Marriott had taken to protect its
    own systems was tokenization.30
    Hoffmeister told the Board that a review of Starwood’s legacy data systems
    “revealed that, while there was a vibrant framework, tokenization was not adopted
    25
    Am. Compl. ¶ 119; Defs.’ Ex. 11 at 1118.
    26
    Am. Compl. ¶ 118; Defs.’ Ex. 11 at 1067.
    27
    Am. Compl. ¶¶ 123-24.
    28
    Id. ¶ 122; Defs.’ Ex. 14 at 1279.
    29
    Defs.’ Ex. 14 at 1282.
    30
    Am. Compl. ¶ 126; Defs.’ Ex. 13 at 1249.
    as a matter of course.”31 He described early findings by PricewaterhouseCoopers
    (“PwC”), which Marriott had hired post-Acquisition to conduct a “Starwood
    Security Program Assessment.”32 Hoffmeister’s presentation explained that, in
    addition to not mandating tokenization, Starwood’s “[b]rand standards did not
    mandate [payment card industry (‘PCI’)] compliance . . . or point-to-point
    encryption.”33 The Payment Card Industry Data Security Standard (“PCI DSS”) is
    a set of security standards required by credit card companies to ensure the security
    of credit card transactions in the payment industry.34
    The Board was also informed about PwC’s four “Key Recommendations” for
    Marriott to “[u]pdate Starwood’s brand standards,” including mandating PCI and
    setting clear cybersecurity expectations.35 Consistent with PwC’s recommendation,
    Hoffmeister advised the Board on February 10, 2017 that there would be efforts to
    implement tokenization across Starwood’s data systems.36
    31
    Am. Compl. ¶ 124. Defs.’ Ex. 13 at 1250.
    32
    Am. Compl. ¶ 124; Defs.’ Ex. 14 at 1287-88.
    33
    Am. Compl. ¶¶ 124, 126; Defs.’ Ex. 13 at 1249-50; Defs.’ Ex. 14 at 1288.
    34
    Am. Compl. ¶ 53.
    35
    Id. ¶ 125; Defs.’ Ex. 14 at 1287-88.
    36
    Defs.’ Ex. 13 at 1250.
    D.     Ongoing Migration of Starwood’s Systems
    The full Post-Acquisition Board was next updated on cybersecurity at a
    regularly scheduled meeting held on February 9, 2018.37 At that meeting, defendant
    Chief Financial Officer Kathleen K. Oberg advised the Board that Marriott had
    undertaken several “Key Mitigating Activities” to address the Company’s top risks
    including cybersecurity.38 Those activities included adopting new technologies to
    strengthen cybersecurity and “[m]igration of Starwood systems to the Marriott
    established technology standards” with a September 2019 estimated completion
    date.39 In addition, Marriott had “implement[ed] patching compliance tools and
    reporting framework within Starwood environments.”40 On May 3, 2018, Ernst &
    Young presented to the Audit Committee an assessment of “the effectiveness of the
    Company’s controls over IT risks,” which included “testing the conversion of
    Starwood legacy activities” to new systems.41
    On August 9, 2018, Hoffmeister updated the full Board on “Noteworthy
    Security Events/Incidents,” including 4 cybersecurity events which involved legacy
    37
    Am. Compl. ¶ 127; Defs.’ Ex. 16 at 1394.
    38
    Am. Compl. ¶ 130.
    39
    Id. ¶ 127; Defs.’ Ex. 15 at 1386.
    40
    Am. Compl. ¶ 127; Defs.’ Ex. 15 at 1386.
    41
    Defs.’ Ex. 17 at 1496.
    Starwood systems.42 Those incidents included a cyberattack on a legacy Starwood
    franchise network and malware found on a legacy Starwood server utilized by the
    Marriott Law Department.43 Hoffmeister “confirmed there were no successful
    attempts to download [or] install” the malware onto that server.44 Hoffmeister also
    reported that the Company had “engaged a consultant to execute a cybersecurity
    assessment.”45
    E.        Discovery of a Starwood Guest Reservation Database Breach
    On September 7, 2018, Marriott received an alert that an unknown user had
    run a query in Starwood’s guest reservation database.46 A third party contractor that
    managed the guest reservation database informed Marriott’s Information
    Technology department about the incident the following day.47 Ten days later, on
    September 17, 2018, outside investigators engaged by Marriott uncovered malware
    on Starwood’s system that had the potential to access, surveil, and gain
    42
    Am. Compl. ¶ 128; Defs.’ Ex. 19 at 1741; Defs.’ Ex. 20 at 1783-90. Lewis was absent
    from the meeting. Defs.’ Ex. 19 at 1741.
    43
    Am. Compl. ¶ 128; Defs.’ Ex. 20 at 1783, 1790. No guest data was lost from the
    franchise network attack. Id. at 1790.
    44
    Id. at 1783.
    45
    Defs.’ Ex. 19 at 1746.
    46
    Am. Compl. ¶¶ 8, 133.
    47
    Id. at ¶ 133.
    administrative control over the system computer.48 Marriott’s Information
    Technology department informed Sorenson about the ongoing investigation the
    same day.49 On September 18, 2018, Sorenson notified the Board.50 The Company
    notified the FBI of the intrusion on October 29, 2018 after Marriott’s investigators
    found evidence of other malware in Starwood’s database, including malware that
    hackers use to search a device for usernames and passwords.51
    The Company’s investigation continued into November 2018, with the Board
    and Audit Committee receiving regular updates from management and privileged
    briefings from Marriott’s General Counsel.52 In early November 2018, Marriott
    learned that the breach began as far back as July 2014.53 On November 13, 2018,
    “[Marriott’s] investigators discovered evidence that two compressed encrypted files
    had been deleted from a device they were examining.”54 On November 19, 2018,
    48
    Id.
    49
    Id. ¶ 136.
    50
    Id.
    51
    Id. ¶¶ 137-38.
    52
    E.g., id. ¶¶ 139-42; Defs.’ Ex. 21 at 1946; Ex. 22 at 2079; Ex. 23 at 2084; see also Defs.’
    Exs. 25-27.
    53
    Am. Compl. ¶ 139.
    54
    Defs.’ Ex. 28 at 2743.
    the Company discovered that those files contained customers’ personal
    information.55
    Eleven days later, on November 30, 2018, the Company publicly announced
    the data security incident.56 Marriott’s press release explained that there had been
    unauthorized access to the Starwood network since 2014 that exposed the personal
    information of approximately 500 million guests.57 The exploited information
    included guests’ names, passport numbers, birth dates, email and mailing addresses,
    payment card details, and Starwood Preferred Guest account information.58 The
    cyber attack resulted in one of the biggest data breaches in history.59
    55
    Am. Compl. ¶ 140; Defs.’ Ex. 28 at 2743.
    56
    Am. Compl. ¶¶ 140-41, 143.
    57
    Id. ¶ 143; see also Defs.’ Ex. 28 at 2744 (Sorenson stating that the Breach involved less
    than 383 million unique guests).
    58
    Am. Compl. ¶ 143.
    59
    Id. ¶ 217 (calling the incident the “second largest data breach in history”); see Aisha Al-
    Muslim, Dustin Volz, and Kimberly Chin, Marriott Says Starwood Data Breach Affects
    Up to 500 Million People, Wall St. J. (Nov. 30, 2018); Nicole Perlroth, Amie Tsang, and
    Adam Satariano, Marriott Hacking Exposes Data of Up to 500 Million Guests, N.Y. Times
    (Nov. 30, 2018) (“The assault . . . was one of the largest known thefts of personal records,
    second only to a 2013 breach of Yahoo that affected three billion user accounts and larger
    than a 2017 episode involving the credit bureau Equifax.”).
    Marriott’s stock price dropped by more than 5.5% following the
    announcement.60 In the weeks that followed, the stock price dropped $15.45 per
    share (more than 12%) from its high on November 29, 2018.61
    F.   Federal Lawsuits and Regulatory Investigations
    Numerous lawsuits and regulatory investigations followed Marriott’s
    November 30, 2018 announcement. Attorneys general of all 50 states and the
    District of Columbia, the Securities and Exchange Commission, the Federal Trade
    Commission, and certain committees of the U.S. Senate and House of
    Representatives, among others, opened investigations into the data breach.62
    Marriott also faced class action lawsuits for violations of federal securities laws,
    violations of state and federal consumer protection laws, and violations of state
    disclosure laws. Those lawsuits, along with a lawsuit by a financial institution
    accusing Marriott of failing to perform adequate due diligence during the
    acquisition, were consolidated for multi-district litigation (the “Federal Action”) in
    the United States District Court for the District of Maryland.63
    60
    Am. Compl. ¶ 151.
    61
    Id.
    62
    Id. ¶¶ 14, 152-54.
    63
    In re Marriott Int’l Inc., Customer Data Sec. Breach Litig., 2021 WL 2401641, at *1-3
    (D. Md. June 11, 2021).
    With respect to the consumer class action, the District of Maryland denied, in
    part, Marriott’s motion to dismiss certain “bellwether” claims that the parties had
    selected to test the sufficiency of the pleadings. In doing so, the court held that the
    consumer plaintiffs plausibly stated claims that Marriott had violated the Maryland
    Personal Information Privacy Act’s requirement to provide “timely notice to
    customers affected by [a] breach” by “fail[ing] to disclose the data breach for more
    than two months.”64 The court similarly denied Marriott’s motion under Michigan’s
    Identity Theft Protection Act, which also required timely notice to consumers.65
    As for the federal securities law claims, the District of Maryland held that the
    statements challenged by the plaintiffs—including statements about due diligence
    and integration, risk factors, and protection of customer data—were not materially
    false or misleading and dismissed those claims with prejudice.66 Delaware state law
    claims for breach of fiduciary duty, waste of corporate assets, and unjust enrichment
    were also dismissed without prejudice.67
    64
    In re Marriott Int’l Inc. Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 488
    (D. Md. 2020).
    65
    Id. at 490.
    66
    Marriott, 2021 WL 2401641, at *6-7.
    67
    Id. at *19.
    G.     This Derivative Litigation
    The plaintiff filed this derivative action on December 3, 2019 after obtaining
    roughly 3,000 pages of documents from the Company pursuant to 8 Del. C. § 220.68
    The plaintiff’s books and records request was limited to Board-level “cybersecurity”
    documents since May 23, 2014.69 On March 16, 2020, the plaintiff filed an amended
    complaint, the operative complaint in this action (the “Complaint”).70
    The Complaint asserts a single claim for breach of fiduciary duty against 13
    of the 14 directors who served on the Board when the Complaint was filed (i.e., the
    Post-Acquisition Board), several officers, and one former director (Romney).71 The
    claim is based on allegations that the individual defendants breached their fiduciary
    duties by (1) failing to “undertake cybersecurity and technology due diligence”
    during the Acquisition; (2) failing to implement adequate internal controls after the
    Acquisition; and (3) concealing the data security incident until November 30, 2018.72
    68
    Defs.’ Opening Br. 16.
    69
    Am. Compl. ¶ 107; see Pl.’s Answering Br. 23 n.10 (Dkt. 51). The production did not
    include officer-level documents. Id.; Mot. to Dismiss Hr’g Tr. 55 (noting that the plaintiff
    did not press to receive a beneath-the-board Section 220 production).
    70
    Dkt. 33.
    71
    Am. Compl. ¶¶ 20-37. The four officer defendants are Oberg, Hoffmeister, Bao Giang
    Val Bauduin (Marriott’s Controller and Chief Accounting Officer), and Stephanie C.
    Linnartz (Marriott’s Chief Commercial Officer and Executive Vice President).
    Am. Compl. ¶¶ 22, 24-26.
    72
    Id. ¶¶ 20-37, 246-47. The Complaint also advances other theories for breach of fiduciary
    duty such as “violating the Company’s Guidelines” and suggests that certain defendants
    On April 30, 2020, the defendants moved to dismiss the Complaint.73 After
    the reassignment of this matter from then-Chancellor Bouchard, I heard re-argument
    on the motion to dismiss on July 7, 2021.74
    II.      ANALYSIS
    The defendants have moved to dismiss the Complaint under Court of
    Chancery Rule 23.1 for failure to make a demand on the Board. For the reasons
    explained below, I conclude that demand was not excused. The Complaint is
    therefore dismissed in its entirety.
    A.     The Legal Standard for Demand Excusal
    “The decision whether to initiate or pursue a lawsuit on behalf of the
    corporation is generally within the power and responsibility of the board of
    directors.”75 A stockholder plaintiff can pursue claims belonging to the corporation
    if (1) the corporation’s directors wrongfully refused a demand to authorize the
    could not impartially consider a demand because of the Securities Class Action. See Am.
    Compl. ¶ 238. But these issues were not briefed or pressed at argument. Issues not briefed
    are waived. See, e.g., Emerald P’rs v. Berlin, 726 A.2d 1215, 1224 (Del. 1999). The
    plaintiff also withdrew its assertions of breach of fiduciary duty based on disclosure
    violations after overlapping claims were dismissed in the Federal Action. See Mot. to
    Dismiss Hr’g Reargument Tr. at 67 (hereinafter “Reargument Hr’g Tr.”) (Dkt. 87);
    Marriott, 2021 WL 2407518, at *45.
    73
    Dkt. 39.
    74
    Dkt. 87.
    75
    In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106, 120 (Del. Ch. 2009) (citing 8
    Del. C. § 141(a)).
    corporation to bring the suit or (2) a demand would have been futile because the
    directors were incapable of impartially considering the demand.76 Because the
    plaintiff did not make a demand on Marriott’s Board, the Complaint must plead
    particularized factual allegations establishing that demand was excused.77
    The parties initially debated whether the Aronson or Rales standard for
    assessing demand excusal should apply.78 The defendants argued that the Rales
    standard applied because the plaintiff’s claims are predicated upon the Board’s
    alleged failure to act and not a challenge to an affirmative decision.79 The plaintiff
    agreed that Rales applied other than to the claim challenging the Board’s decision to
    complete the Acquisition without conducting cybersecurity due diligence, which it
    argued should be analyzed under Aronson.80
    That question became moot after the Delaware Supreme Court’s decision in
    United Foods & Commercial Workers Union v. Zuckerberg.81 There, the Court held
    that it is “no longer necessary to determine whether the Aronson test or the Rales
    76
    See Rales v. Blasband, 634 A.2d 927, 932 (Del. 1993).
    77
    Ct. Ch. R. 23.1; see, e.g., Guttman v. Huang, 823 A.2d 492, 499 (Del. Ch. 2003).
    78
    See Aronson v. Lewis, 473 A.2d 805, 814 (Del. 1984) overruled on other grounds by
    Brehm v. Eisner, 746 A.2d 244 (Del. 2000); Rales 634 A.2d at 932-935.
    79
    Defs.’ Reply Br. 5 (Dkt. 65).
    80
    Pl.’s Answering Br. 20-22.
    81
    2021 WL 4344361 (Del. 2021).
    test governs a complaint’s demand-futility allegations.”82 Instead, the Court adopted
    a three-part “universal test” for assessing demand futility that is “consistent with and
    enhances” Aronson, Rales, and their progeny, which “remain good law.”83 Going
    forward:
    Delaware courts should ask the following three questions on a director-
    by-director basis when evaluating allegations of demand futility:
    (i)   whether the director received a material personal benefit from the
    alleged misconduct that is the subject of the litigation demand;
    (ii) whether the director faces a substantial likelihood of liability on
    any of the claims that would be the subject of the litigation demand;
    and
    (iii) whether the director lacks independence from someone who
    received a material personal benefit from the alleged misconduct that
    would be the subject of the litigation demand or who would face a
    substantial likelihood of liability on any of the claims that are the
    subject of the litigation demand.84
    Demand is excused as futile if “the answer to any of the questions is ‘yes’ for at least
    half of the members of the demand board.”85 The “analysis is conducted on a claim-
    by-claim basis.”86
    82
    Id. at *17.
    83
    Id.
    84
    Id.
    85
    Id.
    86
    Beam v. Stewart, 833 A.2d 961, 977 (Del. Ch. 2003).
    While engaging in this analysis, I confine myself to the well-pleaded
    allegations of the Complaint, the documents incorporated into the Complaint by
    reference, and facts subject to judicial notice.87 All reasonable inferences from the
    allegations in the Complaint are drawn in favor of the plaintiff.88 “Rule 23.1 is not
    satisfied by conclusory statements or mere notice pleading.”89 Instead, “[w]hat the
    pleader must set forth are particularized factual statements that are essential to the
    claim.”90
    B.      The Demand Excusal Analysis in This Case
    “The court ‘counts heads’ of the members of a board to determine whether a
    majority of its members are disinterested and independent for demand futility
    purposes.”91 The Board in place when this litigation was filed had 14 members: the
    Post-Acquisition Board members (Sorenson, Marriott, Jr., Harrison, Kellner,
    Muñoz, Bush, Lee, Henderson, Reinemund, Schwab, Duncan, Hippeau, and Lewis),
    excluding Romney who was replaced by non-party Margaret M. McCarthy
    87
    See, e.g., White v. Panic, 783 A.2d 543, 546-47 (Del. 2001); see also Gen. Motors,
    897 A.2d at 170.
    88
    Brehm, 746 A.2d at 255.
    89
    Id. at 254.
    90
    Id.
    91
    See In re Zimmer Biomet Hldgs. Inc. Deriv. Litig., 2021 WL 3779155, at *10 (Del. Ch.
    Aug. 25, 2021).
    20
    (together, the “Demand Board”).92 The plaintiff does not challenge the impartiality
    of McCarthy. Nor does the plaintiff claim that any director received a material
    personal benefit from the challenged conduct.
    The plaintiff only alleges that four members of the Demand Board—
    Sorenson, Marriott, Jr., Harrison, and Reinemund—lack (or lacked) independence.93
    Even if the plaintiff could sufficiently demonstrate that these four directors lacked
    independence, it must also impugn the disinterestedness of at least three others to
    show that a majority of the Demand Board could not consider a demand.94 The
    plaintiff attempts to make that showing by arguing that the Post-Acquisition Board
    members all face a substantial likelihood of personal liability.95
    “To establish a substantial likelihood of liability at the pleading stage, a
    plaintiff must ‘make a threshold showing, through the allegation of particularized
    facts, that their claims have some merit.’”96 Because Marriott’s certificate of
    incorporation contains a provision exculpating its directors for breaches of the duty
92 Am. Compl. ¶¶ 20-21, 23, 27-37, 227.
93 Pl.’s Answering Br. 59.
94 See Zuckerberg, 2021 WL 4344361, at *17.
95 Pl.’s Answering Br. 20-21.
96 In re TrueCar, Inc. S’holder Deriv. Litig., 2020 WL 5816761, at *12 (Del. Ch. Sept. 30, 2020) (quoting Rales, 634 A.2d at 934).
    21
    of care, as permitted under 8 Del. C. § 102(b)(7),97 “the plaintiff[] must plead with
    particularity facts that support a meritorious claim for breach of the duty of
    loyalty.”98 The Complaint focuses on three areas of potential liability based on the
    Board’s alleged failure to: (1) conduct pre-Acquisition due diligence into Starwood’s
    cybersecurity; (2) remedy deficiencies in Starwood’s information protection systems
    post-Acquisition; and (3) timely disclose the data security incident.
    The outcome of my analysis on each issue is that none of the Post-Acquisition
    Board members face a substantial likelihood of liability for a non-exculpated claim.
    Any claim based on pre-Acquisition due diligence is time-barred. The remaining
    claims fall short of pleading a breach of the directors’ duty of loyalty. At least 10 of
    the 14 Demand Board members were therefore both disinterested and independent
    with respect to a pre-suit litigation demand. I need not decide whether the remaining
    four directors lacked independence.
    1.        The Plaintiff’s Challenge to Pre-Acquisition Due Diligence is
    Time Barred.
    The plaintiff asserts that the 11 members of the Pre-Acquisition Board face a
    substantial likelihood of personal liability for their “decision to complete the
97 Defs.’ Ex. 4 at 12.
98 Zimmer, 2021 WL 3779155, at *12; see Zuckerberg, 2021 WL 4344361, at *8-15 (holding that exculpated care claims do not satisfy the second prong of Aronson and do not render a director incapable of impartially considering a litigation demand).
    22
    Acquisition without conducting any due diligence into Starwood’s cybersecurity.”99
    The defendants contend that the claim is time barred.100 Delaware’s three-year
    statute of limitations applies by analogy to equitable claims seeking legal relief.101
    Absent tolling, the limitations period “begins to run from the time of the [allegedly]
    wrongful act, without regard for whether the plaintiff became aware of the
    wrongdoing at that time.”102
    Here, the plaintiff’s breach of fiduciary duty claim seeking monetary damages
    is subject to the analogous three-year statute of limitations.103 The alleged wrongful
    act—the Pre-Acquisition Board’s approval of the Acquisition, allegedly without
    adequate cybersecurity due diligence—occurred before Marriott announced that
    approval on December 22, 2015.104 At the latest, the statute of limitations began to
99 Pl.’s Answering Br. 21 (emphasis removed).
100 See Defs.’ Reply Br. 8 n.3; Defs.’ Supp. Br. 5 (Dkt. 81).
101 See Kraft v. Wisdom-Tree Invs., Inc., 145 A.3d 969, 979-81, 983 (Del. Ch. 2016) (explaining that for equitable claims seeking legal relief, such as “a breach of fiduciary duty action seeking monetary damages,” the “analogous limitations period [will] operate as a strong presumption of laches”); see also 10 Del. C. § 8106.
102 Kraft, 145 A.3d at 989 (citing Wal-Mart Stores, Inc. v. AIG Life Ins. Co., 860 A.2d 312, 319 (Del. 2004)); see also Tilden v. Cunningham, 2018 WL 5307706, at *14 (Del. Ch. Oct. 26, 2018) (“[T]he law in Delaware is crystal clear that a claim accrues as soon as the wrongful act occurs.”).
103 See Kraft, 145 A.3d at 983.
104 Defs.’ Ex. 29 at 97 (explaining that the Board approved the merger agreement on November 15, 2015 and recommended stockholder approval).
    23
    run on September 23, 2016 when the Acquisition closed.105 The plaintiff filed this
    action more than three years later on December 3, 2019. The plaintiff’s due
    diligence-based claim is therefore barred as untimely “absent tolling or other
    extraordinary circumstances.”106 The plaintiff contends that the defendants waived
    their untimeliness defenses and also advances two tolling arguments. None of the
    plaintiff’s arguments have merit.
    a.     Waiver
    The plaintiff first contends that defendants waived their untimeliness
    argument because it was not raised in their opening brief.107 “Under the briefing
    rules, a party is obliged in its motion and opening brief to set forth all of the grounds,
    authorities and arguments supporting its motion.”108
No such waiver occurred. As I wrote to counsel when requesting
    supplemental briefing, it was not apparent from the Complaint that the plaintiff was
105 Am. Compl. ¶ 104; see Mot. to Dismiss Hr’g Tr. at 51-52, 54 (“The Court: [W]hat are you alleging is the wrongful act that would have triggered the statute of limitations? Is it the acquisition or is it the board approval? [Counsel]: It is the acquisition, Your Honor. It is not the board approval.”).
106 Kraft, 145 A.3d at 982-83.
107 Pl.’s Supp. Br. 2 (Dkt. 82).
108 Franklin Balance Sheet Inv. Fund v. Crowley, 2006 WL 3095952, at *4 (Del. Ch. Oct. 19, 2006) (citing Ct. Ch. R. 7(b), 171); see Thor Merritt Square, LLC v. Bayview Malls LLC, 2010 WL 972776, at *5 (Del. Ch. Mar. 5, 2010) (“The failure to raise a legal issue in an opening brief generally constitutes a waiver of the ability to raise that issue in connection with a matter under submission to the court.”).
    24
    challenging the closing of the Acquisition as an affirmative act of the Board.109 The
    plaintiff’s answering brief squarely presented the argument that the Board’s
    “decision to complete the acquisition without conducting . . . due diligence into
Starwood’s cybersecurity” was itself a breach of the duty of loyalty.110 The
    defendants raised the untimeliness of that “reformulated” claim in their reply
    brief,111 which appropriately “consisted of material necessary to respond to the
    answering brief.”112
    b.   Equitable Tolling and Fraudulent Concealment
    The plaintiff also argues that the claim is not time-barred because the statute
    of limitations was tolled pursuant to fraudulent concealment and equitable tolling.113
    The doctrines of fraudulent concealment and equitable tolling “permit[] tolling of
    the limitations period where ‘the facts underlying the claim [are] so hidden that a
    reasonable plaintiff could not timely discover them.’”114 Fraudulent concealment
    may be demonstrated where a defendant conceals information through an affirmative
109 Dkt. 78 at 2-3.
110 Pl.’s Answering Br. 21-22; compare Am. Compl. ¶ 228.
111 Defs.’ Reply Br. 8 n.3.
112 Crowley, 2006 WL 3095952, at *4.
113 Pl.’s Supp. Br. 5.
114 Weiss v. Swanson, 948 A.2d 433, 451 (Del. Ch. 2008) (quoting In re Dean Witter P’ship Litig., 1998 WL 442456, at *6 (Del. Ch. July 17, 1998)).
    25
    act of “actual artifice” that prevents a plaintiff from gaining knowledge of the facts
    or misdirects a plaintiff from the truth.115 Equitable tolling can toll the statute of
    limitations for self-dealing claims, even without actual concealment, where a
    plaintiff relies “on the competence and good faith of a fiduciary.”116
    The plaintiff asserts that the defendants cannot “point to a single allegation in
    the Complaint” demonstrating that stockholders were on notice that the Pre-
    Acquisition Board did not conduct cybersecurity due diligence.117 But it is the
    plaintiff’s burden to plead specific facts demonstrating that the statute of limitations
    was tolled before this litigation was filed.118 Assuming the facts alleged in the
    Complaint as true, neither tolling doctrine is applicable.
    The plaintiff does not allege any affirmative acts of concealment that could
    support the application of fraudulent concealment. “Mere silence is insufficient
    . . . .”119 The only acts that the plaintiff cites are public statements by Sorenson and
115 Id. (quoting In re Tyson Foods, Inc., 919 A.2d 563, 585 (Del. Ch. 2007)); State v. Pettinaro Enters., 870 A.2d 513, 531 (Del. Ch. 2005) (“Fraudulent concealment may be found to exist where a defendant knowingly acted to prevent a plaintiff from learning facts or otherwise made misrepresentations intended to ‘put the plaintiff off the trail of inquiry.’” (quoting Halpern v. Barran, 313 A.2d 139, 143 (Del. Ch. 1973))).
116 Weiss, 948 A.2d at 451.
117 Pl.’s Supp. Br. 7.
118 Weiss, 948 A.2d at 451.
119 Krahmer v. Christie’s Inc., 911 A.2d 399, 407 (Del. Ch. 2006).
    26
    others touting Marriott’s “extensive” due diligence of Starwood.120 There is no
    reason to doubt the truth of those statements generally. The plaintiff points to no
    representation that Marriott was undertaking cybersecurity diligence in particular.
    Nor does the plaintiff allege specific facts that would suggest Marriott’s statements
    were meant to throw stockholders “off the trail of inquiry.”121
    As to equitable tolling, there are no allegations in the Complaint that permit a
    reasonable inference of wrongful self-dealing. In fact, the plaintiff does not allege
    that any of the individual defendants benefitted from the conduct challenged in the
    Complaint. For claims that do not involve self-dealing, “equitable tolling operates
    in much the same way as the doctrine of fraudulent concealment,” and an affirmative
    act of concealment is required.122 Again, the plaintiff has not made that showing.
120 Pl.’s Supp. Br. 5 (citing Am. Compl. ¶¶ 12, 104, 174, 179, 180-83). The court need not consider similar statements about the Company’s general due diligence in Marriott’s Form S-4, filed in connection with the Acquisition. See Pl.’s Supp. Br. 7 (asking that the court decline to take judicial notice of the Form S-4).
121 Pettinaro Enters., 870 A.2d at 531.
122 Litman v. Prudential-Bache Props., Inc., 1994 WL 30529, at *3 (Del. Ch. Jan. 14, 1994). In Litman, then-Vice Chancellor Chandler discussed then-Chancellor Allen’s decision in Kahn v. Seaboard Corp., 625 A.2d 269 (Del. Ch. 1993), where the court explained that affirmative acts of concealment may not be necessary to apply the doctrine of equitable tolling if “the parties to the litigation stand in a fiduciary relationship to each other and where the plaintiff alleges self-dealing.” Litman, 1994 WL 30529, at *3 (emphasis added). Litman held that “[i]n situations that do not involve self-dealing, equitable tolling . . . operate[s] to toll a limitations period when the defendant has engaged in certain acts that would prevent the plaintiff from discovering the alleged wrong.” Id.
    27
    c.       Tolling During Inspection Demand
    Finally, the plaintiff argues the statute of limitations was tolled while the
    plaintiff pursued an inspection demand pursuant to 8 Del. C. § 220. Even if the
    analogous statute of limitations began to run on September 23, 2016 when the
    Acquisition closed, it was not tolled by the plaintiff’s January 4, 2019 books and
    records demand.123 The plaintiff relies on precedent where the court has tolled the
    statute of limitations during the pendency of Section 220 litigation.124 The plaintiff
    does not, however, cite any authority to support the notion that service of a books
    and records demand alone tolls the statute of limitations for a subsequent plenary
    lawsuit.
    In Technicorp, the court explained that “the institution of other litigation to
    ascertain the facts involved in the later suit will toll the statute of limitations while
that litigation proceeds.”125 Likewise, in Sutherland, the court noted that the Section
220 lawsuit “tolled the applicable three-year statute of limitations . . . during the
123 Am. Compl. ¶¶ 79, 218; see supra 23-24. No allegation that the Board undertook the “wrongful act” of closing the Acquisition is found in the Complaint. The Board’s recommendation that stockholders approve the Acquisition is the last affirmative act of the Board in the pre-Acquisition time period.
124 See Technicorp Int’l II v. Johnston, 2000 WL 713750, at *9 (Del. Ch. May 31, 2000); Sutherland v. Sutherland, 2009 WL 857468, at *4-5 (Del. Ch. Mar. 23, 2009).
125 2000 WL 713750, at *9.
    28
pendency of the plaintiff’s Section 220 action.”126 Here, despite the running of the
    statute of limitations during its Section 220 investigation, the plaintiff did not file a
    Section 220 lawsuit. Further, “there is no hard and fast rule tolling the running of
    the statute of limitations during the pendency of books and records litigation.”127
    Nor did the plaintiff obtain a tolling agreement with the defendants while its
    investigation continued.128
    Tolling considerations are different for a Section 220 demand and a Section
    220 lawsuit. The former has no formal schedule. A stockholder could serve a
    Section 220 demand that fails to satisfy even the basic statutory requirements of
    Section 220(b) and use the demand effectively as a placeholder. A Section 220
126 2009 WL 857468, at *5.
127 Sutherland, 2009 WL 1177047, at *1; see also Sutherland v. Sutherland, 2010 WL 1838968, at *5 n.19 (Del. Ch. May 3, 2010) (explaining that a court should consider whether the plaintiff “was, or should have been, aware of [the derivative] claims during the pendency of the § 220 Action”). In Gotham P’rs, L.P. v. Hallwood Realty P’rs, L.P., the court explained that a plaintiff could defeat a laches defense by showing “that it asserted its rights in a timely manner by making [a] demand [under Section 220] and filing th[at] action.” 714 A.2d 96, 104-05 (Del. Ch. 1998) (emphasis added). The court did not say that a timely demand alone would toll the statute of limitations until a subsequent plenary action was filed. Rather, the court was discussing how a stockholder can demonstrate that it asserted its rights or claim—both through a books and records demand and in pursuing litigation—in a manner that defeats a laches defense. Id.
128 As a result, there is no basis to apply the doctrine of equitable estoppel, as the plaintiff suggests. See Pl.’s Supp. Br. 10-11. The plaintiff asserts that the defendant “slow-rolled” the process of producing documents in response to its Section 220 demand, leading the plaintiff to rely on that conduct to its detriment. Id. But the plaintiff had the right to file Section 220 litigation, a plenary suit, or demand a tolling agreement.
    29
    lawsuit, by contrast, is a summary proceeding with “expedited discovery and a
prompt hearing.”129 Unlike a demand, a Section 220 action presents “strong
evidence that [a] plaintiff was aggressively asserting its claims.”130 There may be
    an instance where a stockholder’s dogged pursuit of its statutory books and records
    rights provides a basis for tolling. But this lawsuit, where the stockholder took
    nearly 11 months between serving a demand and filing a plenary lawsuit, is not it.
    2.     The Plaintiff’s Challenges to Cybersecurity Oversight Post-
    Closing Do Not Excuse Demand.
    The plaintiff next argues that a majority of the Demand Board faces a
    substantial likelihood of liability for their “conscious and bad faith decision not to
    remedy Starwood’s severely deficient information protection systems post-
    Acquisition.”131 As often stated, oversight liability under Caremark is “possibly the
    most difficult theory in corporation law upon which a plaintiff might hope to win a
    judgment.”132 To prevail, the plaintiff must plead particularized facts showing that
    either (1) “the directors utterly failed to implement any reporting or information
    system or controls” or (2) “having implemented such a system or controls,
129 Cutlip v. CBA Int’l, Inc. I, 1995 WL 694422, at *1 (Del. Ch. Oct. 27, 1995).
130 Gotham P’rs, 714 A.2d at 105.
131 Pl.’s Answering Br. 34.
132 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).
    30
    consciously failed to monitor or oversee its operations thus disabling themselves
    from being informed of risks or problems requiring their attention.”133
Compliance risk oversight generally falls within the governance
responsibilities of the board of directors.134 Key enterprise risks affecting a
corporation’s “mission critical” components have been a focus of Delaware courts in
    assessing potential oversight liability, particularly where a board has allegedly failed
    to implement reporting systems or controls to monitor those risks.135 Cybersecurity,
    however, is an area of consequential risk that spans modern business sectors. In the
    past several years alone, cyberattacks have affected thousands of companies and
    government agencies. High-profile data breaches have exposed customer data at
    businesses from Yahoo! to Target and Home Depot.136 Targeted attacks have shut
133 Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
134 See Okla. Firefighters Pension & Ret. Sys. v. Corbat, 2017 WL 6452240, at *18 (Del. Ch. Dec. 18, 2017) (“[E]valuation of risk is a core function of the exercise of business judgment.”); Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019) (describing the board’s duty to “put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risk”).
135 See, e.g., Marchand, 212 A.3d at 824 (finding that board-level monitoring on food safety was needed where “food safety . . . essential and mission critical” to an ice cream manufacturer); In re Boeing Co. Deriv. Litig., 2021 WL 4059934, at *26 (Del. Ch. Sept. 7, 2021) (finding airplane safety “mission critical” to an airplane manufacturer’s business); see also In re Clovis Oncology, Inc. Deriv. Litig., 2019 WL 4850188, at *14-15 (Del. Ch. Oct. 1, 2019) (denying motion to dismiss in the context of Caremark’s second prong where red flags about a “monoline” company’s single promising drug were ignored).
136 Stockholder litigation followed. See, e.g., In re Home Depot, Inc. S’holder Deriv. Litig., 223 F. Supp. 3d 1317 (N.D. Ga. 2016); Davis v. Steinhafel, Lead Case No. 14-cv-203 (PAM/JJK) (D. Minn. July 7, 2016) (ORDER); Okla. Firefighters Pension & Ret. Sys. v. Brandt, C.A. No. 2017-0133-SG (Del. Ch. Feb. 23, 2017); In re Yahoo! Inc., S’holder Litig., No. 17-CV-307054 (Cal. Super. Ct. Mar. 2, 2018).
31
down hospitals and taken offline major fuel pipelines.137 Regulators in the United
States and abroad have become more active in issuing cybersecurity guidance and
undertaking enforcement activities in response.138 The President of the United States
has named cybersecurity a “top priority and essential to national and economic
security.”139
Delaware courts have not broadened a board’s Caremark duties to include
monitoring risk in the context of business decisions.140 Oversight violations are
137 See Robert McMillan and Melanie Evans, Ransomware Attack Hits Universal Health Services, Wall St. J. (Sept. 30, 2020); Christopher Bing and Stephanie Kelly, Cyber Attack Shuts Down U.S. Fuel Pipeline ‘Jugular,’ Biden Briefed, Reuters (May 8, 2021).
138 See, e.g., Cal. Civ. Code §§ 1798.110, 1798.150 (West 2021) (imposing data collection obligations on companies doing business in California and providing consumers with a private right of action to address harms caused by data breaches); European Union General Data Protection Regulation, Council Regulation 2016/679 (mandating data security measures and breach notification); Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8,166 (Feb. 22, 2018) (Sec. & Exch. Comm’n) (“[T]he Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”); Jared Ho, Corporate Boards: Don’t Underestimate Your Role in Data Security Oversight, Fed. Trade Comm’n (Apr. 28, 2021).
139 Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (2021).
140 See, e.g., Reiter v. Fairbank, 2016 WL 6081823, at *8 (Del. Ch. Oct. 18, 2016) (“This Court has been careful to distinguish between failing to fulfill one’s oversight obligations with respect to fraudulent or criminal conduct as opposed to monitoring the business risk of the enterprise.”); In re Goldman Sachs Grp., Inc. S’holder Litig., 2011 WL 4826104, at *21 (Del. Ch. Oct. 12, 2011) (stating that the Court of Chancery has “not definitively stated whether a board’s Caremark duties involve a duty to monitor business risk”); Corbat, 2017 WL 6452240, at *18 (stating that a “failure to monitor or properly limit business risk” is a “theory of director liability that this Court has never definitively accepted”); In re Facebook, Inc. Section 220 Litig., 2019 WL 2320842, at *14 (Del. Ch. May 30, 2019) (“The legal academy has observed that Delaware courts are more inclined to find Caremark oversight liability at the board level when the company operates in the midst of obligations imposed upon it by positive law yet fails to implement compliance systems, or fails to monitor existing compliance systems, such that a violation of law and resulting liability occurs.”).
32
typically found where companies—particularly those operating within a highly-
regulated industry—violate the law or run afoul of regulatory mandates.141 But as
the legal and regulatory frameworks governing cybersecurity advance and the risks
become manifest, corporate governance must evolve to address them.142 The
corporate harms presented by non-compliance with cybersecurity safeguards
increasingly call upon directors to ensure that companies have appropriate oversight
systems in place.
The growing risks posed by cybersecurity threats do not, however, lower the
high threshold that a plaintiff must meet to plead a Caremark claim. For either prong
of Caremark, “a showing of bad faith conduct . . . is essential to establish director
141 E.g., La. Mun. Police Empls.’ Ret. Sys. v. Pyott, 46 A.3d 313, 355 (Del. Ch. 2012) (finding it was reasonable to infer directors approved a business plan allowing for illegal off-label marketing); In re Massey Energy Co., 2011 WL 2176479, at *20-21 (Del. Ch. May 31, 2011) (“[A] fiduciary of a Delaware corporation cannot be loyal to a Delaware corporation by knowingly causing it to seek profit by violating the law.”).
142 See Leo E. Strine, Jr., Kirby M. Smith & Reilly S. Steel, Caremark and ESG: Perfect Together: A Practical Approach to Implementing an Integrated, Efficient and Effective Caremark and EESG Strategy, 106 Iowa L. Rev. 1885, 1893 (2021) (describing “the first principle of corporate law: corporations may only conduct lawful business by lawful means”).
    33
    oversight liability.”143 Only a “sustained or systemic failure of the board to exercise
    oversight . . . will establish the lack of good faith that is a necessary condition to
    liability.”144 The Complaint in this case falls well short of demonstrating that the
    Post-Acquisition Board members face a substantial likelihood of liability for a
    sustained, bad faith failure of oversight. Demand is therefore not futile on that basis.
    a.       Cybersecurity Reporting Systems and Controls
    To the extent the plaintiff attempts to put forward a claim under Caremark’s
    first prong, I find that effort unpersuasive. Delaware law imposes on directors a duty
    to ensure that board-level monitoring and reporting systems are in place. But
    because doing so is a disinterested business judgment, “directors have great
    discretion to design context- and industry-specific approaches tailored to their
companies’ businesses and resources.”145 For directors to face liability under
    Caremark’s first prong, a plaintiff must show that the director “made no good faith
    effort to ensure the company had in place any ‘system of controls.’”146
143 Stone, 911 A.2d at 370.
144 Caremark, 698 A.2d at 971.
145 Marchand, 212 A.3d at 821; Citigroup, 964 A.2d at 125 (explaining that although “directors of Delaware corporations have certain responsibilities to implement and monitor a system of oversight” that “obligation does not eviscerate the core protections of the business judgment rule”).
146 Marchand, 212 A.3d at 822.
    34
    Marriott’s Board consistently ranked cybersecurity as a primary risk facing
    the Company.147 The plaintiff does not, however, assert that the Post-Acquisition
    Board “utterly failed” to implement any reporting system or internal controls to
    address it.148 Instead, the Complaint and documents incorporated into it demonstrate
    that the directors surpassed Caremark’s baseline requirement that they “try” in good
    faith to put a “reasonable compliance and reporting system in place.”149
    The Complaint, for example, describes how the Board and Audit Committee
    were “routinely apprised” on cybersecurity risks and mitigation, provided with
    annual reports on the Company’s Enterprise Risk Assessment that specifically
    evaluated cyber risks, and engaged outside consultants to improve and auditors to
    audit corporate cybersecurity practices.150 The Complaint also describes internal
    controls over the Company’s public disclosure practices.151 And when management
    received information that the plaintiff describes as “red flags” indicating
147 E.g., Am. Compl. ¶¶ 100, 118.
148 See Rojas v. Ellison, 2019 WL 3408812, at *9 (Del. Ch. July 29, 2019); Horman v. Abney, 2017 WL 242571, at *8 & n.46 (Del. Ch. Jan. 19, 2017) (noting that, in the Caremark context, “utterly failed” is a “linguistically extreme formulation” that means “absolute, total” (citations omitted)).
149 Marchand, 212 A.3d at 821.
150 See Am. Compl. ¶¶ 118-130; supra notes 6-10 (describing ongoing updates to directors on information protection and cybersecurity).
151 Am. Compl. ¶¶ 42-44.
    35
    vulnerabilities, the reports were delivered to the Board.152 To the extent that the
    plaintiff contends the Post-Acquisition Board faces liability under the first prong of
    Caremark, that argument is meritless.153 The Complaint itself shows that the Board
    has systems in place to assess cybersecurity risks.
    b.     No Failure to Monitor or Oversee Operations
    The plaintiff’s primary argument is that the Post-Acquisition Board faces a
    substantial likelihood of liability under the second prong of Caremark for
    consciously disregarding “red flags” indicating that Marriott was violating positive
    law.154 For purposes of Caremark, a plaintiff must plead that the board knew about
    “red flags” alerting them to corporate misconduct and “consciously failed to act after
    learning about evidence of illegality.”155 The plaintiff has not, however, pleaded
    152
    Compare Marchand, 212 A.2d at 809 (“Consistent with this dearth of any board-level
    effort at monitoring, the complaint pleads particularized facts supporting an inference that
    during a crucial period when yellow and red flags about food safety were presented to
    management, there was no equivalent reporting to the board.”).
    153
    See Home Depot, 223 F. Supp. 3d at 1326 (applying Delaware law and finding, in the
    context of a data security incident, that allegations of “numerous instances where the Audit
    Committee received regular reports from management on the state of [the company’s] data
    security, and the Board in turn received briefings from both management and the Audit
    Committee” led to the conclusion that “the Board was fulfilling its duty of loyalty to ensure
    that a reasonable system of reporting existed”); see also Corporate Risk Hlds. LLC v.
    Rowlands, 
    2018 WL 9517195
    , at *4 (S.D.N.Y. Sept. 28, 2018) (finding swift efforts “to
    address [security] breach with contingency plans to ascertain and mitigate the harm”
    foreclosed claim under the “first category of Caremark liability”).
    154
    Pl.’s Answering. Br. 34-35.
    155
    Pyott, 
    46 A.3d at 341
    ; see also Melbourne Mun. Firefighters’ Pension Tr. v. Jacobs,
    
    2016 WL 4076369
    , at *12 (Del. Ch. Aug. 1, 2016) (distinguishing Pyott and Massey
    36
    with particularity that the Post-Acquisition Board learned of legal or regulatory
    violations. And even if it had, the Board did not consciously choose to remain idle.
    i.       No known violations of law
    The plaintiff argues that the Post-Acquisition Board knew that Starwood’s
    systems violated the law because it learned in February 2017 that Starwood’s
    “[b]rand standards did not mandate PCI compliance, tokenization, or point-to-point
    encryption.”156 But the PCI DSS standards are required by financial institutions with
    which companies contract, not mandated by law.157 Nor is tokenization, which can
    reduce the amount of cardholder data in a digital environment and streamline PCI
    DSS compliance efforts.158 Pleading non-compliance with non-binding industry
because “the Board, at all times, was under the impression that its conduct did not violate
applicable . . . laws”); South v. Baker, 62 A.3d 1, 14-15 (Del. 2012) (explaining that a
plaintiff who cannot plead actual director involvement in “decisions that violated positive
law” can “plead that the board consciously failed to act after learning about evidence of
illegality—the proverbial ‘red flag’”); see generally Elizabeth Pollman, Corporate
Disobedience, 68 Duke L.J. 709, 723 (2019).
156 Am. Compl. ¶ 124.
157 Those standards, set by the PCI Security Standards Council, founded by American
Express, Discover, JCB International, Mastercard and Visa, are intended to reduce credit
card fraud. See PCI Security Standards Council, PCI Security,
https://www.pcisecuritystandards.org/pci_security/.
158 See PCI Security Standards Council, Tokenization Product Security Guidelines (Apr.
2015), https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf.
    37
    standards, like the PCI DSS, is not the same as pleading that directors knowingly
    permitted a company to violate positive law.159
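Tokenization is mentioned above only as a control that “can reduce the amount of cardholder data in a digital environment.” The following added example, which is not code from the opinion and not the PCI Security Standards Council’s guidance, shows the mechanism behind that statement with a small vault-based design: the application keeps an opaque token, the primary account number (PAN) lives only in a separately protected vault, and a copied reservation table therefore yields no card numbers. The class and function names, the `tok_` prefix and the sample card numbers are assumptions made for the demonstration; the last helper goes slightly beyond the text by showing the check an incident responder would run on an exfiltrated row.

```python
"""Vault-style tokenization of payment card numbers (PANs).

Added illustration for this page; not code from the opinion or from the
PCI Security Standards Council. Names (TokenVault, the "tok_" prefix, the
sample PANs) are assumptions made for the demonstration.

The point illustrated: the merchant-side application keeps only an opaque
token, while the PAN lives solely in a separately protected vault. A copy of
the application's reservation table therefore contains nothing usable to
make a charge, which is why tokenization shrinks the environment that
PCI DSS controls must cover.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) used to sanity-check a PAN before vaulting."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever sees a PAN.

    In a real deployment this sits inside the reduced PCI DSS scope (segmented
    network, encrypted storage, tightly audited access). Here it is an
    in-memory mapping, purely for illustration.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting one if the PAN is new."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Same PAN -> same token, so the application can recognise a repeat
        # card (repeat-guest logic, refunds) without ever storing the number.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # The token is random, not derived from the PAN: there is no key whose
        # loss would let an attacker invert it. The last four digits are kept
        # in the clear as a deliberate, documented exposure for receipts.
        while True:
            token = "tok_" + secrets.token_hex(12) + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token to its PAN. Only the payment-gateway integration
        should be authorised to call this; everything else works on tokens."""
        return self._token_to_pan[token]


def store_reservation(vault: TokenVault, guest: str, pan: str) -> dict:
    """What the application database row holds: the token, never the PAN."""
    token = vault.tokenize(pan)
    return {"guest": guest, "card_token": token, "card_last4": token[-4:]}


def row_exposes_pan(row: dict) -> bool:
    """The question an incident responder asks of an exfiltrated table:
    does any field hold a Luhn-valid card number?"""
    return any(isinstance(v, str) and luhn_valid(v) for v in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample data: Luhn-valid numbers chosen for the example, not real cards.
    tokenized = store_reservation(vault, "A. Guest", "4111111111111111")
    untokenized = {"guest": "A. Guest", "card": "4111111111111111"}
    print("tokenized row exposes PAN:", row_exposes_pan(tokenized))      # False
    print("untokenized row exposes PAN:", row_exposes_pan(untokenized))  # True
```

The design choice worth noting is that the token carries no cryptographic relationship to the PAN: a leaked token cannot be reversed without the vault itself, so the scope of controls collapses onto the vault and the gateway integration that is allowed to call `detokenize`.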
    The plaintiff also argues that the failure to improve Starwood’s deficient
    systems risked the violation of various laws, including the FTC Act, state privacy
    acts and unfair competition laws, and “international regulatory standards.”160
Simply listing statutes “in vague, broad terms” without alleging what law was
    violated and how is insufficient to state a Caremark claim.161 The only law the
    parties specifically address in their briefs is the FTC Act. The plaintiff asserts that
    the Board’s knowledge of PCI DSS non-compliance is enough to support a
    reasonable inference that its members knew Starwood’s cybersecurity practices fell
    short of the FTC’s heightened requirements.162 The defendants respond that the FTC
    only “recommends” data security practices and requires companies to maintain
159 Wilkin v. Narachi, 2018 WL 1100372, at *12 (Del. Ch. Feb. 28, 2018) (“Pleading
violations of nonbinding recommendations does not constitute pleading a violation of
positive law such that the board faces a substantial likelihood of liability and cannot
consider demand.”).
160 Am. Compl. ¶¶ 58-63.
161 See Narachi, 2018 WL 1100372, at *12 (finding demand not excused where the plaintiff
listed various statutes and regulations but did not specify what law was violated because
“[m]erely discussing these statutes in vague, broad terms does not support a finding that
Director Defendants’ decisions somehow violated these statutes”); Desimone v. Barrow,
924 A.2d 908, 928 (Del. Ch. 2007) (“I do not accept cursory contentions of wrongdoing
as a substitute for the pleading of particularized facts. Mere notice pleading is insufficient
to meet the plaintiff's burden to show demand excusal in a derivative case.”).
162 Pl.’s Answering Br. 41 n.18.
    38
“reasonable” cybersecurity practices.163 Whether the FTC expects PCI DSS
    standards or tokenization, however, does not change the fact that there are no
    allegations in the Complaint that the Post-Acquisition Board knew about the FTC’s
    requirements or that Marriott was violating them. A Caremark claim requires that a
    plaintiff demonstrate scienter.164 The plaintiff here has not.
    In short, there is no known illegal conduct, lawbreaking, or violations of a
    regulatory mandate alleged in the Complaint that could support a finding that the
    Post-Acquisition Board faces a substantial likelihood of liability for failed oversight.
    That reality distinguishes this case from those relied upon by the plaintiff. In
    Massey, the plaintiffs pleaded “a myriad of particularized facts” demonstrating the
    board’s knowledge of serious violations of mining safety laws and that the directors
    knowingly “caus[ed] [the company] to seek profit” through unlawful acts.165 In
163 Am. Compl. ¶¶ 57-59; Statement of the FTC, FTC v. LifeLock (Dec. 17, 2015)
(explaining that “the reasonableness of security will depend on the facts and circumstances
of each case”).
164 E.g., Hays v. Almeida, 2019 WL 3389172, at *3 (Del. Ch. July 26, 2019) (ORDER)
(rejecting the argument that directors faced oversight liability where “the complaint [did]
not allege that the directors knew that Walgreens was violating the law or even engaging
in the conduct that risked violating the law”); Teamsters Local 443 Health Servs. & Ins.
Plan v. Chou, 2020 WL 5028065, at *16 (Del. Ch. Aug. 24, 2020) (“Because a Caremark
claim must plead bad faith, ‘a plaintiff must allege facts that allow a reasonable inference
that the directors acted with scienter which, in turn, requires not only proof that a director
acted inconsistently with his fiduciary duties, but also most importantly, that the director
knew he was so acting.’” (quoting Corbat, 2017 WL 6452240, at *14)).
165 Massey, 2011 WL 2176479, at *20.
    39
    Westmoreland, the United States Court of Appeals for the Seventh Circuit found that
    the plaintiffs pleaded particularized facts that the board “took no action to ensure the
    company’s timely compliance with the law,” despite the repeated warnings from the
    FDA—which were passed along to the board—that the company was in violation of
    FDA regulations.166 And in Abbott Labs, the Seventh Circuit likewise found that a
    board’s failure to rectify known, ongoing, and pervasive violations of FDA
    regulations could constitute bad faith and excuse demand.167 The plaintiff in this
    action has not pleaded particularized facts that the Post-Acquisition Board
    knowingly permitted Marriott to violate the law.168
166 Westmoreland Cty. Emp. Ret. Sys. v. Parkinson, 727 F.3d 719, 726-29 (7th Cir. 2013).
167 In re Abbott Lab’ys Deriv. S’holders Litig., 325 F.3d 795, 808-09 (7th Cir. 2003).
168 In October 2020, the United Kingdom Information Commissioner’s Office fined
Marriott £18.4 million ($24.0 million) in connection with the cyberattack for violating the
General Data Protection Regulation (GDPR). See ICO Fines Marriott 18.4 Million Pounds
for Failing to Secure Customer Data, Reuters (Oct. 30, 2020); see Am. Compl. ¶¶ 164-65.
The GDPR was adopted on April 14, 2016 and became enforceable on May 25, 2018.
See GDPR, supra note 137. The GDPR requires, among other things, that companies
handling European Union citizens’ data implement reasonable data protection measures to
protect consumers’ personal data and privacy from loss or exposure. See GDPR Art. 5;
Am. Compl. ¶ 62. The plaintiff alleges that “the defendants failed to comply with various
provisions of the GDPR which required Marriott to implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk.” Am. Compl.
¶ 163. But the Complaint lacks any particularized facts suggesting that the
Post-Acquisition Board intentionally violated the GDPR or knowingly permitted GDPR
violations to continue unabated. There are no allegations suggesting that Marriott’s
directors “viewed themselves or [Marriott] as above the law.” Corbat, 2017 WL 6452240,
at *24 (explaining that alleged “failed” efforts “to comply with the wide range of laws and
regulations that govern large financial institutions” are “not enough to support a plausible
inference of bad faith” and that “[b]ad results alone do not imply bad faith.”); In re Walt
Disney Co. Deriv. Litig., 906 A.2d 27, 67 (Del. 2006) (noting that “a failure to act in good
    40
    ii.      No conscious disregard of “red flags”
    The plaintiff also contends that the Post-Acquisition Board faces a substantial
    risk of liability for ignoring several “red flags” about Starwood’s inadequate data
    protection systems post-closing. Those “red flags” are not of illegality, as previously
    discussed.169 The plaintiff does not allege that the directors were told, for example,
    that Starwood’s standards ran afoul of regulatory or legal requirements. The so-
    called “red flags” were updates to the Board about aspects of Starwood’s
    cybersecurity measures that needed improvement.170
    The purported “red flags” the plaintiff focuses on are as follows. First, five
    members of the Demand Board learned at a February 8, 2017 Audit Committee
    meeting that Internal Audit rated Marriott as “Needs Improvement” for
    cybersecurity and that its “incident response plan [wa]s not up to date.”171 Second,
    the Board was told by Hoffmeister on February 10, 2017 that Starwood’s data
faith may be shown . . . where the fiduciary acts with the intent to violate applicable positive
law” or “where the fiduciary intentionally fails to act in the face of a known duty to act,
demonstrating a conscious disregard for his duties” (citation omitted)). Although not
briefed by the parties, the ICO fine is in any event not a basis to find that the
Post-Acquisition Board faces a substantial likelihood of liability for a bad faith oversight
violation.
169 See supra Section II.B.2.b.i.
170 See Citigroup, 964 A.2d at 124-26; see infra note 184.
171 Am. Compl. ¶¶ 118-19.
    41
    security standards did not mandate PCI compliance or tokenization.172 And third,
    PwC told the Board that Starwood’s “[d]ecentralized technology management
    model” created a “greater opportunity for deviation from the expected published
    standard.”173 These “red flags” were effectively ignored, the plaintiff asserts,
    because the Board waited a year before taking up Starwood’s information protection
    systems again.174
    Even if the gaps in Starwood’s data security evidenced the sort of compliance
    failure that could support a viable claim under the second prong of Caremark, the
    Complaint lacks particularized allegations that the Board consciously overlooked or
failed to address them.175 As the defendants point out, no “red flags” were
deliberately disregarded.176 Rather, management told the Board that it was
    addressing or would address the issues presented.177
    At the same February 10, 2017 meeting where the Board learned about
    Starwood’s PCI non-compliance, Hoffmeister reported there “would be efforts made
172 Id. ¶ 124.
173 Id.
174 Id. ¶ 130; Defs.’ Ex. 15 at 1386.
175 See Desimone, 924 A.2d at 940 (“Delaware courts routinely reject the conclusory
allegation that because illegal behavior occurred, internal controls must have been
deficient, and the board must have known so.”).
176 Defs.’ Opening Br. 39-40.
177 Defs.’ Reply Br. 15.
    42
immediately to remedy” Starwood’s lack of tokenization.178 In addition, the
presentation given to the Board confirmed that the Company had a plan in place to
“consolidate Marriott + Starwood [s]ecurity.”179 The Board was also told about
several recommendations that PwC had made to appropriately update Starwood’s
brand standards and detailed “Intended Actions” to address those
recommendations.180 These facts are not reflective of a board that has decided to
turn a blind eye to potential corporate wrongdoing.181
Perhaps the entirety of Starwood’s deficiencies was not addressed
“immediately,” as Hoffmeister told the Board they could be. And, with hindsight
knowledge of the extent of the data breach, the implementation plan was probably
too slow. It wasn’t until the following year on February 9, 2018 that the Board was
178 Am. Compl. ¶ 126.
179 Id. ¶¶ 122, 124; Defs.’ Ex. 14 at 1284-85.
180 Am. Compl. ¶ 125.
181 See Corbat, 2017 WL 6452240, at *17 (finding no substantial likelihood of liability for
bad faith failed oversight where the board was presented with an action plan by
management and outside advisors); id. at *22 (finding no particularized allegations of
board inaction where the company “dealt with [a] red flag in a manner that cannot be said
to reflect bad faith”); Reiter, 2016 WL 6081823, at *13 (declining to draw inference that
directors knew they were breaching fiduciary duties by allowing corporate violations of
law where “the same reports that described the Company's heightened compliance risk
simultaneously explained to the directors in considerable detail on a regular basis the
initiatives management was taking to address those problems and to ameliorate . . .
compliance risk”).
    43
next updated about those migration efforts.182 But the plaintiff does not allege that
the full Board had any reason to suspect that management was not promptly acting
on PwC’s recommendations.183 As the documents incorporated into the Complaint
confirm, management had “enhanc[ed] monitoring,” “[e]xpand[ed] enterprise
security logging and event management,” and “[e]xpand[ed] the use of third party
monitoring” among numerous other actions between February 2017 and 2018.184 An
attempted yet failed remediation effort generally cannot implicate bad faith.185
    Finally, the plaintiff asserts that the Post-Acquisition Board is exposed to
    Caremark liability for its failure to immediately discontinue use of the Starwood
    guest reservation system after learning, in September 2018, that it was infected with
182 Id. at 1366, 1386 (Oberg’s Enterprise Risk Assessment presentation, detailing a
“Cybersecurity Risk Scorecard” that described current risk mitigation efforts and tracked
performance, including the anticipated “[m]igration of Starwood systems to the Marriott
established technology standards” for end user devices by September 2019).
183 See Horman, 2017 WL 242571, at *13 (“Delaware courts have consistently rejected . . .
the inference that directors must have known about a problem because someone was
supposed to tell them about it.” (quoting Cottrell v. Duke, 829 F.3d 983, 995 (8th Cir. 2016)
(alteration in original))).
184 Defs.’ Ex. 30 at 1372.
185 See Richardson v. Clark, 2020 WL 7861335, at *11 (Del. Ch. Dec. 31, 2020); see also
Jacobs, 2016 WL 4076369, at *9 (“Simply alleging that a board incorrectly exercised its
business judgment and made a ‘wrong’ decision in response to red flags . . . is not enough
to plead bad faith.”); Home Depot, 223 F. Supp. 3d at 1326-27 (finding no substantial
likelihood of liability for Caremark violation based on allegation that implementation to
remedy deficiency in company’s data security was not completed fast enough where
allegations did not demonstrate bad faith).
    44
    malware that could allow attackers to access customer data.186 The plaintiff does not
    allege that the Board learned on September 17, 2018 that an immediate shutdown of
    the system was necessary to protect consumer data but chose to continue its use
    nonetheless. According to the Complaint, Marriott did not learn about the extent of
    the breach and that customer data had been accessed until November 2018.187 The
    Complaint and documents incorporated into it demonstrate that the Board continued
    to receive detailed updates on the “incredible amount of work” management and
    forensic specialists performed throughout November 2018 to investigate and address
the problem.188 There are no facts pleaded to suggest that the directors’ ignorance
of the extent of the breach in September 2018 is the result of a breach of fiduciary
duty.189 The plaintiff has therefore failed to demonstrate that a majority of the
    Demand Board faces a substantial likelihood of liability for consciously disregarding
    “red flags.”
186 Pl.’s Answering Br. 13-14, 37.
187 Am. Compl. ¶¶ 139-41.
188 Defs.’ Ex. 21 at 1946-47; Defs.’ Exs. 25-27.
189 See Horman, 2017 WL 242571, at *15 (explaining that the size of the ultimate harm is
“not a sufficient basis on which to rest liability” absent facts showing a “board’s ignorance
can only be explained by a breach of fiduciary duty” (quoting David B. Shaev Profit
Sharing Acct. v. Armstrong, 2006 WL 391931, at *6 (Del. Ch. Feb. 13, 2006))).
    45
    iii.    Notification Requirements Regarding the Breach
    The plaintiff’s final theory of liability for the Demand Board is another
    variation of alleged failure to comply with positive law—this time, based on the
    timing of Marriott’s disclosure of the data breach. The plaintiff contends that
    Marriott was “required by various state laws to expeditiously disclose the data
    breach” and that the Board “knew they were required by their fiduciary duties to
    cause Marriott to disclose this information” in compliance with those laws.190 By
    not alerting the public about the incident until November 30, 2018—despite the
    Board first learning of malware on September 18, 2018—the plaintiff alleges that
    notification laws were violated.
    The plaintiff’s argument suffers from many of the same flaws as those
    regarding PCI DSS and tokenization. To start, the plaintiff does not allege that the
    directors were informed about the applicable notification laws. Directors cannot be
    liable under the second prong of Caremark for legal violations that they did not know
    about.191
    Of the notification laws of 31 states and territories that the plaintiff asserts
    were violated by Marriott’s “83-day delay” in notifying individuals affected by the
190 Pl.’s Answering Br. 55.
191 See Horman, 2017 WL 242571, at *11 (explaining that directors are liable if they
“become aware of the red flags and do nothing in response”).
    46
    breach,192 only three statutes—of Delaware, Maryland, and Michigan—are
    addressed in the parties’ briefs. Those laws each concern notification requirements
    in the event of the disclosure of personal data.193 Maryland’s Personal Information
    Privacy Act requires a business that has discovered or has been notified of a security
    breach to conduct a prompt investigation to determine if “Personal Information” has
    or will be misused.194 If it has, the business is required to notify the affected
    individuals “as soon as reasonably practicable.”195 Michigan’s notification law
    likewise defines a “security breach” as the “unauthorized access and acquisition of
    data that compromises the security or confidentiality of personal information.”196
192 Am. Compl. ¶ 172.
193 At argument, the plaintiff explained that it focused on Maryland and Michigan because
those states’ notification laws were selected as bellwether claims in the Federal Action and
on Delaware given the action in this court. See Reargument Hr’g Tr.; Pl.’s Answering Br.
56 n.26; Defs.’ Opening Br. 49-50; Defs.’ Reply Br. 21 n.8.
194 Md. Code Ann., Com. Law § 14-3504(b)(1) (West 2021). “Personal Information” is
defined to include:
An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when the name or the data
elements are not encrypted, redacted, or otherwise protected by another
method that renders the information unreadable or unusable: . . . a passport
number . . . [a]n account number, a credit card number, or a debit card
number, in combination with any required security code, access code, or
password, that permits access to an individual’s financial account.
Id. § 14-3501(e)(1)(i).
195 Id. §§ 14-3504(b)(2), 14-3504(c)(2).
196 Mich. Comp. Laws Ann. § 445.63(b) (West 2021). “Personal information” is defined
to include:
    47
    Delaware’s Consumer Security Breach Act also requires notification “without
    unreasonable delay” when a resident’s “personal information was breached or is
    reasonably believed to have been breached.”197
    The plaintiff points to the fact that consumer class action claims based on the
    Maryland and Michigan notification statutes survived a motion to dismiss in the
Federal Action as a basis for finding liability here.198 Those claims were not,
however, brought against the members of the Demand Board and cannot implicate
their liability.199 Under the heightened pleading standards of Rule 23.1, the lack of
particularized allegations indicating that the directors consciously disregarded or
intentionally violated positive law is dispositive.
[T]he first name or first initial and last name linked to 1 or more of the
following data elements of a resident of this state: (i) Social security
number[;] (ii) Driver license number or state personal identification card
number[;] (iii) Demand deposit or other financial account number, or credit
card or debit card number, in combination with any required security code,
access code, or password that would permit access to any of the resident's
financial accounts.
Id. § 445.63(r).
197 6 Del. C. § 12B-102(a).
198 Marriott, 440 F. Supp. 3d at 487, 490.
199 See generally id. Cf. Pfeiffer v. Toll, 989 A.2d 683, 690 (Del. Ch. 2010), abrogated on
other grounds by Kahn v. Kohlberg Kravis Roberts & Co. L.P., 23 A.3d 831 (Del. 2011)
(finding demand futile based, in part, on federal court decision holding that the same
individual defendants acted with scienter regarding “the same trades at issue” in the
Delaware action).
    48
    Regardless, there are no allegations that the Board knew personal data was
    accessed such that the notification obligations had been triggered prior to November
    2018.200 The plaintiff suggests that it “strains credulity” to conclude the Board did
    not know personal information was accessed given the severity of the breach.201 But
    as the defendants point out, discovering malware is not the same as discovering that
personal information has been accessed.202 The Complaint plainly states that
    Marriott first discovered that “customers’ personal information” was potentially
    accessed on November 19, 2018.203 Marriott’s notification of interested parties 10
    days later and public announcement of its investigatory findings on the eleventh day
    are not obvious violations of notification laws that suggest bad faith on the part of
    the Board.204
200 See supra note 164 (discussing the scienter requirement for an oversight claim).
201 Pl.’s Answering Br. 57.
202 Am. Compl. ¶¶ 140, 217; Defs.’ Reply Br. 20.
203 Am. Compl. ¶ 140.
204 Id. ¶¶ 142-43. The plaintiff originally argued that the members of the Audit Committee
face a substantial likelihood of liability for issuing a Form 10-Q on November 6, 2018 that
“remained silent as to the Breach.” Id. ¶¶ 139, 248; Pl.’s Answering Br. 56. After the
District Court in the Federal Action dismissed securities law claims for allegedly false and
misleading disclosures with prejudice, the plaintiff here determined not to press its
disclosure claims. See Mot. to Dismiss Hr’g Tr. 59. Had it not, the claim likely would
have failed because the plaintiff does not ascribe any bad faith actions or motives to the
Audit Committee members who approved the Form 10-Q. The claim would, at most,
implicate the directors’ “‘erroneous judgment’ concerning the proper scope and content of
the disclosure.” Orman v. Cullman, 794 A.2d 5, 41 (Del. Ch. 2002) (quoting
Crescent/Mach I P’rs, L.P. v. Turner, 846 A.2d 963, 987 (Del. Ch. 2000)); see also
    49
    *             *             *
    The data breach that is at the center of this case was momentous in scale and
    put the data of hundreds of millions of people at risk. Critically, however, the
    corporate trauma that came to fruition was at the hands of a hacker. Marriott was
    the victim of an illegal act rather than the perpetrator. One could argue that the
    Complaint depicts a preventable scenario because the directors did not respond to
    internal reports about inadequate data security risks as swiftly as they might have.
    But the difference between a flawed effort and a deliberate failure to act is one of
    extent and intent. A Caremark violation requires a plaintiff to demonstrate the latter.
    Here, the Complaint lacks particularized allegations demonstrating that the
    Post-Acquisition Board knew that the vulnerabilities in Starwood’s data system ran
    afoul of the law, that it nonetheless chose not to address them, or that it scorned legal
    notification requirements. Having failed to show that those directors consciously
    disregarded positive law or acted in bad faith, the plaintiff has not impugned the
    ability of any member of the Demand Board to impartially consider a demand based
    on a substantial likelihood of liability for failed oversight.
Morrison v. Berry, 2019 WL 7369431, at *18 (Del. Ch. Dec. 31, 2019) (“Bad faith, in the
context of omissions, requires that the omission be intentional and constitute more than an
error of judgment or gross negligence.”).
    50
    III.   CONCLUSION
    The plaintiff failed to allege particularized facts that could support a finding
    that any member of the Demand Board faced a substantial likelihood of liability on
    a non-exculpated claim. Any claim based on pre-Acquisition due diligence is time
    barred.   The remaining claims are unsupported by particularized allegations
    demonstrating that the Post-Acquisition Board acted in bad faith with regard to
    cybersecurity oversight, compliance, or notification of the data breach. As a result,
    a demand made on the Demand Board would not have been futile with respect to the
    plaintiff’s breach of fiduciary duty claim. The defendants’ Motion to Dismiss is
    granted and the Complaint is dismissed pursuant to Court of Chancery Rule 23.1.
    51