Funny story: we at LifeX recently stepped off a board. It wasn’t a US company, so it had…its quirks on rules etc. But it’s a nice occasion to talk board fiduciary obligations — even a small startup board is a chance at liability if you are a director of a Delaware company.

This Is Not a Swiss Ski Club
Caremark oversight for investors who thought the board seat was mostly introductions, quarterly updates, and an attractive line in the biography.
There is a particular kind of board member whom startup ecosystems produce with industrial efficiency.
He is intelligent. He is successful. He may have founded companies, allocated millions of dollars, attended Davos, and developed surprisingly strong views about burn multiples. He joins the board of a Delaware corporation and thinks of himself as an investor with enhanced access.
Then something terrible happens.
An employee alleges sexual harassment. Another alleges sexual assault. The CFO says the accounts may be unreliable. A whistleblower claims the CEO has been deceiving customers or investors. Regulators start asking questions. The company’s lawyer sends an email whose subject line contains the words “privileged and confidential.”
Our director’s first instinct is often:
Management should handle this.
That instinct is understandable. It is also incomplete.
Under Delaware law, directors do not manage every operational detail. But they do supervise the corporation. And when credible warning signs concern serious misconduct, legal violations, employee safety, financial integrity, or a risk central to the company’s business, the board cannot simply admire the scenery from the chairlift.
A Delaware directorship is not an honorary title. It is a fiduciary office.
The basic bargain: management manages; the board oversees
Section 141(a) of the Delaware General Corporation Law provides that the business and affairs of a corporation are managed “by or under the direction of” its board of directors. That wording matters. Directors ordinarily act through management, but ultimate authority—and therefore ultimate supervisory responsibility—rests with the board. (Delaware Code Online)
This does not mean directors must personally investigate every complaint, approve every invoice, or monitor the CEO’s whereabouts after dinner.
Corporate law is not a doctrine of clairvoyance.
Directors are generally protected by the business judgment rule, which gives substantial deference to decisions made by disinterested directors in good faith and on an informed basis. Delaware does not impose liability because a board made a reasonable decision that later turned out badly.
The law distinguishes sharply between:
- A bad outcome, and
- A bad-faith refusal to perform the board’s job.
The first is an ordinary feature of business. The second is where Caremark enters.
What is Caremark?
The doctrine takes its name from In re Caremark International Inc. Derivative Litigation, a 1996 Delaware Court of Chancery decision involving alleged regulatory violations in a healthcare company.
Chancellor William Allen described an oversight claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” The reason was sensible: courts should not second-guess directors every time employees commit misconduct somewhere inside a large organization. (Justia)
But Caremark also established that directors have an affirmative obligation to make a good-faith effort to ensure that the corporation has reasonable information and reporting systems.
Ten years later, the Delaware Supreme Court formalized the test in Stone v. Ritter. Oversight liability can arise when directors either:
- Utterly fail to implement any reasonable reporting or information system or controls, or
- Having established such a system, consciously fail to monitor it or respond to known warning signs. (Justia)
These are often called the two prongs of Caremark:
Prong One: No system
The board never made a good-faith effort to establish a way for important compliance and operational risks to reach it.
Prong Two: Red flags ignored
A system nominally existed, but directors consciously disregarded information indicating that serious problems required board attention.
The crucial word is consciously.
Negligence is generally not enough. A plaintiff ordinarily must plead facts supporting an inference of bad faith: that directors knew they were not doing their job and nevertheless failed to act.
That is a demanding standard. It is not, however, an imaginary one.
“We had board meetings” is not necessarily an answer
Boards sometimes misunderstand the first Caremark prong.
They point to a folder containing financial statements, investor decks, management presentations, and cheerful graphs. They conclude that because information flowed toward the board, an oversight system must have existed.
That is like saying an airport has security because it has a front door.
The relevant question is whether the board established reasonable processes for receiving information about risks that matter profoundly to the corporation.
The modern turning point was Marchand v. Barnhill.
Blue Bell Creameries suffered a listeria outbreak. Three people died. The company recalled all its products, shut its plants, laid off a substantial portion of its workforce, and entered a liquidity crisis. Stockholders alleged that the board had no committee focused on food safety, no regular protocol requiring management to report food-safety risks, and no schedule for board-level discussion of the subject. (Justia)
Food safety was not peripheral to Blue Bell. It was existential. The company made ice cream. Ice cream that poisons its customers is not merely a disappointing product iteration.
The Delaware Supreme Court held that the allegations supported an inference that the board had failed to make a good-faith effort to oversee a “mission critical” risk. General reports about operations were not an adequate substitute for a board-level system directed at food safety. (Justia)
The lesson is not that every board needs seventeen committees and a compliance dashboard resembling the cockpit of an Airbus.
The lesson is that the board must identify the company’s most consequential risks and create a credible way for information about them to reach directors.
For a bank, that might be anti-money-laundering compliance.
For an aircraft manufacturer, it is safety.
For a pharmaceutical company, it may be clinical-trial integrity, FDA compliance, or product safety.
For a workplace heavily dependent on scarce technical talent, it may include a culture in which employees can report harassment, retaliation, fraud, or abusive executive conduct without the report disappearing into the CEO’s inbox.
Boeing: an oversight system cannot be decorative
The Boeing derivative litigation arose after two 737 MAX crashes killed 346 people.
Stockholders alleged that the board had not established a meaningful process for monitoring airplane safety and later failed to respond adequately to red flags after the first crash. The Delaware Court of Chancery allowed key Caremark claims to proceed, emphasizing that the board must at least make a good-faith effort to establish a reasonable board-level reporting system. (Justia)
The case is useful because it destroys a comforting fiction: that management’s expertise relieves directors of responsibility.
Of course management knows more about aircraft engineering than the average director. Management almost always knows more about operations. That is precisely why the board needs systems that force material information upward.
Oversight does not mean becoming an aeronautical engineer.
It means ensuring that the engineers’ safety concerns cannot be filtered, diluted, or buried before they reach the people charged with supervising the corporation.
Clovis Oncology: red flags count even when they arrive wearing a PowerPoint template
In re Clovis Oncology, Inc. Derivative Litigation involved a company developing a cancer drug. The board allegedly received information indicating that management was using a clinical-trial response rate inconsistent with the trial protocol while publicly presenting a more favorable picture of the drug’s performance.
The Court of Chancery allowed the oversight claim to survive. The allegations supported an inference that directors understood the relevant regulatory and clinical issues yet failed to respond to warning signs about protocol violations and misleading disclosures. (Justia)
This is important for venture-backed companies.
Red flags do not always arrive as a whistleblower dramatically sliding a dossier across a mahogany table. They may appear as:
- Metrics whose definitions keep changing;
- A general counsel who uses strangely careful language;
- Complaints described as “interpersonal issues”;
- Revenue that cannot be reconciled with contracts;
- Clinical data that look better in investor materials than in source documents;
- An executive who insists that only he can explain the numbers;
- A board deck from which a previously recurring compliance slide has quietly vanished.
A sophisticated board member is not expected to assume that every anomaly proves fraud.
He is expected to notice when the anomalies require questions.
Sexual harassment and assault allegations are not merely “HR matters”
The most dangerous phrase in startup governance may be:
This is an HR matter.
Sometimes it is. An isolated workplace disagreement can usually proceed through normal management processes.
But allegations of sexual harassment, sexual assault, retaliation, coercion, or repeated executive misconduct—particularly involving the CEO—can implicate much more than employment administration.
They can create:
- Civil liability;
- Criminal exposure for individuals;
- Regulatory inquiries;
- Insurance-notification obligations;
- Disclosure issues;
- Employee departures;
- Customer and investor losses;
- Evidence-preservation duties;
- Conflicts involving senior management;
- Severe reputational and financing risk.
They may also reveal that the company’s reporting system does not work—or works only until a complaint concerns someone powerful.
The McDonald’s decisions
The Delaware Court of Chancery’s McDonald’s opinions are especially relevant.
David Fairhurst, McDonald’s global chief people officer, was alleged to have engaged in sexual harassment while also ignoring red flags about sexual misconduct within the company. The court held that corporate officers owe fiduciary oversight duties within their areas of responsibility and allowed claims against Fairhurst to proceed. His alleged personal misconduct also supported a separate loyalty claim. (Justia)
The court later dismissed the oversight claims against McDonald’s outside directors. That distinction matters. The directors had not simply done nothing: the board had engaged with the problem, hired outside advisers, investigated misconduct involving the CEO, negotiated his departure, and later pursued litigation after discovering additional facts. The plaintiffs failed to plead that the directors acted in bad faith. (Justia)
In other words, McDonald’s does not say that every workplace allegation creates director liability.
It says something more practical:
A board that responds in good faith has substantial protection. An executive or board that suppresses, ignores, or participates in misconduct may not.
A 2026 Court of Chancery decision, Los Angeles City Employees’ Retirement System v. Sanford, further illustrates that workplace sexual misconduct can constitute corporate trauma supporting fiduciary-duty claims. The court declined to dismiss claims against an officer alleged to have benefited from concealing abuse and against directors alleged to have ignored clear warning signs in bad faith. (Justia)
The doctrine is evolving, but the direction is not mysterious. Delaware courts are not converting every employment dispute into corporate litigation. They are recognizing that pervasive misconduct, management-level concealment, and board-level indifference can become governance failures.
What should a board do when allegations concern the CEO?
The CEO cannot be allowed to exercise unilateral control over an investigation into the CEO.
This does not mean every accusation is true. It means the process for determining what happened must be credible.
When serious allegations arise, the board should ordinarily consider the following steps.
1. Preserve evidence
Relevant emails, texts, messaging records, personnel files, access logs, expense records, and security footage may need to be preserved.
“Please investigate yourself, and try not to delete anything” is not a preservation protocol.
2. Clarify who represents whom
Company counsel represents the company, not automatically the CEO, the founder, the lead investor, or individual directors.
Where interests may diverge, the board should determine whether the company, a committee, or particular individuals need separate counsel.
3. Remove conflicted people from control of the process
A CEO accused of misconduct should not decide:
- Who interviews witnesses;
- What documents investigators receive;
- Whether the complainant is credible;
- What the board is told;
- Whether the investigation continues;
- What consequences are imposed.
The CEO may be interviewed and permitted to respond. He should not be his own judge, jury, stenographer, and minister of information.
4. Convene the board
The board should meet promptly enough to demonstrate active oversight.
Minutes should record the subjects discussed, information reviewed, advice received, conflicts considered, and actions authorized. Minutes need not read like a transcript, but silence is rarely an attractive historical record.
5. Use independent investigators when appropriate
Depending on the seriousness, credibility, and scope of the allegations, the board may engage independent outside counsel or another qualified investigator.
Independence is not theatrical. An investigator whose future work depends entirely on the accused executive may not inspire confidence.
6. Protect complainants and witnesses
The board should oversee measures against retaliation, evidence tampering, intimidation, or abrupt personnel actions that could compromise the investigation.
7. Consider interim measures
Administrative leave, modified authority, dual approvals, restricted systems access, or temporary reporting changes may be warranted.
An interim measure is not a final finding of guilt. It is risk containment.
8. Monitor the investigation
Hiring counsel does not complete the board’s duty. The board should define the mandate, receive updates, address obstacles, review findings, and determine appropriate action.
Delegation is permissible. Abdication is not.
9. Act on the result
Depending on the facts, possible responses include discipline, termination, governance changes, compensation clawbacks, reporting to authorities, disclosure, remediation, settlements, new controls, or no action if the allegations are not substantiated.
The board’s job is not to produce a predetermined outcome. Its job is to conduct a good-faith process and make an informed decision.
What if the allegation is unproven?
Boards must avoid two symmetrical errors.
The first is instantly treating an allegation as established fact.
The second is treating the absence of a completed investigation as a reason to do nothing.
An allegation is information. Its credibility and seriousness determine the appropriate response.
Relevant questions include:
- Is the allegation specific?
- Is it contemporaneous?
- Is there documentary or witness corroboration?
- Does it describe criminal, fraudulent, retaliatory, or coercive conduct?
- Are there multiple complainants?
- Does the accused control the company’s normal reporting channels?
- Has management discouraged escalation?
- Does the allegation fit earlier reports or unexplained departures?
- Could delay expose employees, customers, patients, or investors to continuing harm?
A single vague complaint may require modest inquiry.
Several detailed and consistent allegations against the CEO require something more substantial than asking the CEO whether he agrees.
Fraud allegations deserve their own alarm bell
Fraud reaches directly into the board’s core responsibilities.
Possible fraud affecting financial statements, fundraising materials, customer representations, clinical data, reimbursement claims, regulatory filings, or capitalization records can generate overlapping risks under state fiduciary law, federal securities law, contract law, criminal law, and industry-specific regulation.
The board should be especially cautious where the CEO:
- Controls all financial information;
- Prevents direct access to the CFO or auditor;
- Frequently restates past explanations;
- Claims accounting questions are attacks on his authority;
- Pressures employees to sign inaccurate documents;
- Uses company funds for unexplained personal purposes;
- Presents different numbers to different constituencies;
- Retaliates against people who raise discrepancies.
The clever founder myth has a dark cousin: the idea that chaotic records are evidence of visionary intensity.
Sometimes the genius is merely not reconciling the bank account.
Caremark is not automatic liability
The doctrine should not be exaggerated.
A director is not personally liable merely because:
- Misconduct occurred;
- A complaint was made;
- The board’s decision was imperfect;
- An investigation failed to discover every fact;
- Management deceived the board;
- The company suffered enormous losses.
Plaintiffs must generally plead particularized facts supporting an inference that directors failed to make a good-faith effort to establish oversight systems or consciously ignored known problems.
Recent decisions continue to describe Caremark liability as a demanding standard rather than a general negligence regime. Courts routinely dismiss claims where plaintiffs can show a corporate disaster but cannot plead bad-faith board conduct. (Justia)
This is why process matters so much.
A board that meets, asks questions, receives advice, investigates credible allegations, documents its reasoning, monitors remediation, and makes an informed decision is in a radically stronger position than a board that leaves no record except unread emails and expressions of confidence in the founder.
Delaware does not demand perfection.
It demands an attempt.
Personal liability, exculpation, indemnification, and insurance
Many Delaware corporations include a charter provision authorized by Section 102(b)(7), which can eliminate directors’ personal monetary liability for certain breaches of the duty of care.
But exculpation has limits. It does not protect breaches of loyalty, acts or omissions not in good faith, knowing violations of law, improper personal benefits, or certain unlawful distributions. (Delaware Code Online)
That distinction is critical because Caremark claims are treated as loyalty claims grounded in bad faith, not merely as claims that directors were careless. Stone v. Ritter made that doctrinal structure explicit. (Justia)
Section 145 of the Delaware General Corporation Law permits or requires indemnification in specified circumstances and authorizes corporations to purchase directors’ and officers’ insurance. But indemnification depends on statutory requirements, corporate documents, the procedural posture, and the nature of the conduct. Insurance contains exclusions, limits, retentions, notice requirements, and disputes over advancement or coverage. (Delaware Code Online)
The slogan “D&O will cover it” is therefore not a governance strategy.
Insurance is valuable. It is not holy water.
A director facing a derivative suit may spend years dealing with motions, discovery, depositions, reputational damage, advancement disputes, insurers, lawyers, and uncertainty even if the case ultimately settles or is dismissed.
Avoiding final liability is not the same as having a pleasant decade.
Will a negligent foreign director be arrested or barred from the United States?
Usually not.
A conventional Caremark claim is a civil fiduciary-duty claim. It does not by itself produce imprisonment, deportation, or an immigration ban.
A foreign director does not become criminally liable simply because he failed to supervise a company perfectly. Nor does losing a civil corporate-governance case automatically make someone inadmissible to the United States.
Criminal or immigration consequences would generally require additional facts—for example, personal participation in fraud, obstruction, destruction of evidence, false statements, conspiracy, sanctions violations, or another offense carrying independent consequences.
This is worth stating because overheated board conversations often oscillate between two equally foolish positions:
Nothing can happen to me.
and
I will be arrested at JFK because I missed a board meeting.
Both are generally wrong.
The realistic risks are civil litigation, removal, expense, insurance complications, reputational damage, distraction, and an extremely uncomfortable documentary record showing what the director knew and when he decided not to ask questions.
The special danger of the investor-director
Investor-directors sometimes imagine that their primary fiduciary role is to the fund that appointed them.
It is not.
When acting as a director, the person owes fiduciary duties to the corporation and its stockholders. The director may have been nominated by a venture fund, founder, preferred-stock class, or strategic investor, but the board seat is not simply an observation right with better catering.
This can create difficult conflicts.
The fund may want to preserve a financing.
The company may need to disclose damaging information.
The founder may be a longstanding relationship.
The corporation may need an independent investigation of that founder.
The investor-director may worry that decisive action will destroy the company’s valuation.
Yet declining to investigate because the truth could impair valuation is not risk management. It is an attempt to insure the portfolio by setting fire to the policy.
A good investor-director asks:
What does the corporation need from me in this role?
not merely:
What outcome protects my investment this quarter?
A practical board protocol
Every startup board should establish a lightweight but real oversight architecture before a crisis occurs.
At minimum:
Identify mission-critical risks
The board should agree on the small number of risks capable of seriously harming the enterprise.
These may include:
- Product or patient safety;
- Data security and privacy;
- Financial reporting;
- Regulatory compliance;
- Clinical-trial integrity;
- Workplace misconduct;
- Anti-bribery and sanctions compliance;
- AI-model safety or misuse;
- Customer-fund segregation;
- Manufacturing quality.
Create reporting channels
Determine who reports what, to whom, and how often.
The relevant information should not depend entirely on the CEO’s discretion.
Provide escalation routes
Employees should have a way to report serious concerns outside ordinary management channels, particularly when the concern involves senior leadership.
Put risk on the calendar
Mission-critical oversight should appear periodically on the board agenda. If a topic is important enough to destroy the company, it is important enough to receive twenty minutes before the discussion of hiring velocity.
Record the work
Minutes should demonstrate that the board received information, asked questions, considered advice, and followed up.
Test the system
A hotline no employee trusts is not an effective system. A compliance policy nobody has read is office décor.
The board should occasionally ask whether reporting channels are known, independent, and used.
Five myths that deserve retirement
Myth 1: “I do not run the company.”
Correct. But you supervise the people who do.
Myth 2: “One complaint is not a board issue.”
Sometimes it is not. But one credible allegation of rape, systemic fraud, dangerous products, evidence destruction, or CEO misconduct can be more board-relevant than fifty ordinary operating issues.
Materiality is not determined by headcount.
Myth 3: “The CEO can investigate himself.”
The CEO can provide evidence and defend himself. He cannot credibly control the process when his own conduct is at issue.
Myth 4: “The board should wait until the facts are clear.”
Facts often become clear because the board investigates.
Waiting is not a method of fact-finding.
Myth 5: “Caremark means directors are liable whenever something goes wrong.”
No. The doctrine targets bad-faith failures of oversight, not ordinary business errors.
But that should not be comforting to a director who knowingly chooses not to look.
Caremark in one sentence
You do not have to prevent every disaster.
But you must make a good-faith effort to create systems that bring serious risks to the board—and when credible warning signs arrive, you cannot simply look the other way.
The good news is that Delaware law is not asking directors to be superheroes.
It is asking them to be directors.
Call the meeting. Ask the uncomfortable questions. Preserve the evidence. Use independent advisers when necessary. Document the process. Follow up.
And if the founder tells you that this is all an overreaction, remember: people rarely object to governance controls because the controls are completely irrelevant.
Selected authorities
- In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). (Justia)
- Stone v. Ritter, 911 A.2d 362 (Del. 2006). (Justia)
- Marchand v. Barnhill, 212 A.3d 805 (Del. 2019). (Justia)
- In re Clovis Oncology, Inc. Derivative Litigation, 2019 WL 4850188 (Del. Ch. Oct. 1, 2019). (Justia)
- In re The Boeing Company Derivative Litigation, 2021 WL 4059934 (Del. Ch. Sept. 7, 2021). (Justia)
- In re McDonald’s Corporation Stockholder Derivative Litigation, 289 A.3d 343 (Del. Ch. 2023). (Justia)
- In re McDonald’s Corporation Stockholder Derivative Litigation, 291 A.3d 652 (Del. Ch. 2023). (Justia)
- Los Angeles City Employees’ Retirement System v. Sanford, C.A. No. 2024-0998-KSJM (Del. Ch. Jan. 16, 2026). (Justia)
- 8 Del. C. §§ 102(b)(7), 141, 145. (Delaware Code Online)
This article is a simplified educational overview, not legal advice. Actual board responses should be developed with qualified Delaware and subject-matter counsel based on the specific facts.
The sharpest next edit would be to add a brief opening anecdote based on the real board situation—anonymized, but unmistakably alive—so the legal analysis begins with blood in the water rather than Section 141(a).
You must be logged in to post a comment.