Data theft - Is the management liable?

Data protection: Management at risk

Yahoo Shareholders Receive Compensation from Management

Hackers at Yahoo have stolen data from 3 billion customers. This had personal consequences for the management. While in most cases the affected customers were able to assert claims for damages against the company, the shareholders were usually left empty-handed. In the Yahoo case, the shareholders had for the first time sued the management - including Yahoo CEO Marissa Mayer - on behalf of the company for breach of fiduciary duties. The former management team now has to pay the shareholders millions because of the cyber attack. The lawsuit was settled with a cash payment of $29 million (which will be covered by insurance). A California judge approved the settlement last week.

What would be the legal situation in Switzerland?

In the event of a breach of data protection obligations, customers can sue the company based on the basis on the Swiss Data Protection (injunction, removal action, declaratory action, action for satisfaction, issue of profits, right of reply). Depending on the contractual relationship, there may also be contractual (or non-contractual) claims for damages.

The shareholders could also bring an action against the management (article 754 CO). However, the claim is for payment to the company and not to the shareholders (article 756 CO).

The revised Data Protection Act will also provide for fines for managers.

What are the lessons for management?

Management is well advised to pay due attention to data protection and cyber risks (risk-based approach):

  • Risk analysis
  • Implementation of a data protection concept (risk management; regulation of responsibilities)
  • Documentation of data protection efforts (management and board minutes)
  • Ensuring compliance with standards (certifications; data privacy seal)
  • Review of documentation and contracts with providers
  • Securing insurance cover (Cyber Risk Insurance; D&O Insurance)

January 2019 | Author: Dr. Martin Eckert

Your team


In need of legal, tax or compliance advice? We look forward to contacting you.

From the magazine

Portfolio transfer/asset transfer

The ongoing phase of low interest rates and the stricter capitalization requirements of the Swiss Solvency Test (SST) mean that insurers are increasingly combing their portfolios for unprofitable or capital-intensive business and, as a result, are no longer writing the unviable business (run-off). In order to reduce the technical provisions on the books, the active reduction of run-off portfolios is becoming increasingly popular. This can be done by transferring a company, a portfolio or assets. In doing so, the run-off portfolio is finally settled for the transferring insurer. Another possibility is the (retrospective) reinsurance (commutation) of the business, a purely balance sheet-related adjustment of the run-off portfolio. In the following, portfolio transfer and asset transfer will be dealt with in more detail.

Corona virus blocks air freight

Several airlines have suspended their flights to China. British Airways is currently not flying to China and will reassess the situation on 29 February 2020. Lufthansa, Swiss and Austrian Airlines will fly to China for the last time on 31 January. After that, all flights will be temporarily suspended until 9 February 2020. Cathay Pacific plans to reduce flights to mainland China by up to 50% by the end of March. Further reductions and suspensions of scheduled flights must be expected. This will not only have an impact on passenger transport, but will also lead to a significant reduction in air freight to and from China. Considering that air freight is mainly used for time-sensitive and, in relation to its weight, valuable goods, these restrictions can lead to considerable problems and damage in supply chains.

All magazine reports


All publications