Cross-Practice Team Secures Former CEO’s Dismissal of Shareholder Derivative Claim Arising out of Cyberattack

A Law360 article reported on the success of a Ropes & Gray litigation and data privacy team in dismissing the claims brought by an alleged shareholder of SolarWinds against current and former members of its board of directors.

Delaware’s Court of Chancery recently dismissed a derivative claim brought by an alleged shareholder of SolarWinds, claiming that the Company’s current and former directors breached their fiduciary duties by failing to ensure that SolarWinds had minimal cybersecurity protections.  Ropes & Gray represented Kevin Thompson, SolarWinds’ former CEO and one of its former board members, who had been named in the litigation.

The court dismissed the claim as to all named defendants, including Mr. Thompson, in an important ruling that fills in the contours of the scope of director duties with respect to corporate cybersecurity under Delaware law. 

In this case, the alleged shareholder plaintiffs argued that the SolarWinds board, on which Mr. Thompson served, received extensive warnings about the possibility of a catastrophic cyberattack but failed to take appropriate oversight action, ignoring “red flags” indicating that SolarWinds’ customers could be at risk.  The plaintiffs asserted that this abdication of responsibility amounted to an actionable breach of fiduciary duties that the Company should pursue (and, under the operative Delaware standard, that it would have been “futile” to bring this claim to the board before filing the lawsuit).

Vice Chancellor Glasscock of Delaware’s Court of Chancery rejected these contentions and granted the motion to dismiss filed by Mr. Thompson, in addition to those filed by the other named defendants. 

The Ropes & Gray team that represented Mr. Thompson included data privacy partners Ed McNicholas and Fran Faircloth and litigation & enforcement partners Peter Welsh, Dan O’Connor, and Tom Brown.