30 January 2019

Data theft - Is the management liable?

Data theft at Yahoo - Management must pay damages - How would it be in Switzerland?

Yahoo Shareholders Receive Compensation from Management

Hackers at Yahoo have stolen data from 3 billion customers. This had personal consequences for the management. While in most cases the affected customers were able to assert claims for damages against the company, the shareholders were usually left empty-handed. In the Yahoo case, the shareholders had for the first time sued the management - including Yahoo CEO Marissa Mayer - on behalf of the company for breach of fiduciary duties. The former management team now has to pay the shareholders millions because of the cyber attack. The lawsuit was settled with a cash payment of $29 million (which will be covered by insurance). A California judge approved the settlement last week.

What would be the legal situation in Switzerland?

In the event of a breach of data protection obligations, customers can sue the company on the basis of the Swiss Data Protection Act (injunction, removal action, declaratory action, action for satisfaction, surrender of profits, right of reply). Depending on the contractual relationship, there may also be contractual (or non-contractual) claims for damages.

The shareholders could also bring an action against the management (article 754 CO). However, the claim is for payment to the company and not to the shareholders (article 756 CO).

The revised Data Protection Act will also provide for fines for managers.

What are the lessons for management?

Management is well advised to pay due attention to data protection and cyber risks (risk-based approach):

  • Risk analysis
  • Implementation of a data protection concept (risk management; regulation of responsibilities)
  • Documentation of data protection efforts (management and board minutes)
  • Ensuring compliance with standards (certifications; data privacy seal)
  • Review of documentation and contracts with providers
  • Securing insurance cover (Cyber Risk Insurance; D&O Insurance)