Liability of the Managing Director for Information Security in the Company

Nowadays, it is hard to imagine a company without IT and digital business processes. However, in addition to the many benefits of digitization, it also offers high risks: If every employee participates in the digital world in the company, the probability of an information security incident (e.g., incidents triggered by viruses, phishing, hacking, etc.) increases.

Networking can quickly affect a company's entire IT infrastructure. This can result in vast sums of damage. For the company, it is not only the financial interests that are at risk, but also the damage to the company's reputation after a data breach and the legal consequences that can threaten.

In the end, in case of doubt, the consequences always affect the managing director personally. How the liability of the managing director looks in concrete terms and how the risk can be minimized, if necessary, is dealt with in the following.

Possible scope of compensation

If a cyber attack causes damage to a company, the costs incurred by the company itself should not be forgotten: Costs for restoring data and systems, lost revenue, costs for determining the cause, e.g., through forensic investigations of a specialized service provider, loss of customer confidence, loss of production, loss of value of the company, etc.

In addition, damages may be paid to third parties. These are based not only on Art. 82 GDPR, but also outside of data protection law on Section 280 BGB.

Compensation pursuant to Section 280 of the German Civil Code (BGB) can only be claimed from third parties with whom the company has a legal relationship and whose obligations have been violated by the data breach and its consequences. In addition, within the scope of this basis of claim, it is up to the company concerned to prove that it is not responsible for the incident, i.e. e.g. appropriate Protective measures has taken. The management should therefore always carefully implement and document the company's IT security in order to be able to prove that the IT is secured using state-of-the-art technology.

In addition, damages can be claimed under Art. 82 GDPR if personal data is processed by the company. In this case, the affected parties must be compensated for material and immaterial damages. This can only be averted by proving that the company is in no way responsible for the factor that triggered the damage.

In addition, a fine may be imposed in accordance with Art. 83 GDPR.

The liability listed here can also not be excluded by general terms and conditions (GTC).

Recourse possible?

Even if the cause of a cyber attack is usually user error on the part of an employee, taking action against the company's own employees is hardly likely to succeed. On the one hand, the liability of employees is very limited, and on the other hand, case law has so far limited it to one year's salary, so that the damage caused cannot be compensated for with this. In principle, the management or the company is responsible for the misconduct of its own employees.

In most cases, recourse to IT service providers is also not very promising. Their main obligation is only to provide the service contractually agreed with the management. According to Art. 24 I and II DSGVO, it is necessary for the company to operate the IT according to the state of the art. If the agreed service of the service provider does not correspond to the state of the art, this is the responsibility of the company that wanted the service to be so.

The most that could be considered here is the violation of a secondary obligation (the indication that the required service does not correspond to the state of the art) (§ 280 BGB). However, it will hardly be possible for the IT service provider to cover the sums involved, especially since it regularly agrees a liability limit in advance, at least for larger contracts.

Liability of the management

Ultimately, the only recourse left for the company to compensate for the financial loss is to take recourse against the management, which they are also obligated to do.

As a rule, slight negligence on the part of the management is sufficient to justify liability. The management has the duty to ensure that the company does not violate any legal provisions. Depending on the legal form of the company and the activity carried out, the law may also contain more specific obligations, the breach of which may give rise to liability.

Minimization of the liability risk

To minimize liability risk, management should regularly consult with Information Security Consultants Consult, conduct and document risk assessments. Also perform penetration tests and vulnerability assessments through external specialized service providers help with risk assessment and should also be documented. In the event of a data breach, the documentation and measures can lead to exoneration if necessary.

The results can then also be used to assess whether cyber insurance is necessary. Whether the conclusion of such insurance is even obligatory for the management is controversial. At least if the cyber dangers represent a risk to the existence of the company, this is to be affirmed in any case. In this context, special attention must also be paid to the correct selection of the insurance and, after conclusion, to the constant comparison of whether it is still the most suitable.

On the other hand, the management can also be exempted from the obligation to take out cyber insurance by a shareholders' resolution. In this way, the management no longer bears any liability risk, but the company is still at risk to the same extent.

In any case, it is recommended to draft an emergency plan in case of a cyber attack as well as a data backup plan. These must be known within the company.

In order to further protect yourself as a managing director, it is advisable to take out D&O insurance in case of doubt.

In individual cases, decisions on specific measures should always be made after obtaining expert advice. A lack of expertise on the part of the managing director in the area of liability never leads to exoneration.