Directors' liability for data breaches & cyber attacks

In the Netherlands, from 2023, listed companies risk a fine if it is found that hacking or failure of company IT systems is due to insufficient measures taken to prevent it. This is stated in the amended Corporate Governance Code. Thus, even the director risks being held liable for it. What risks do directors in Belgium face if they take insufficient measures to bring their company into line with GDPR obligations? Mr Franklin lists them for you.

What is directors' liability?

Directors' liability refers to the legal responsibility of managers and directors of a company for their actions and decisions. It means that directors can be held personally liable for damages resulting from their negligence, incorrect decisions or wrongful actions taken on behalf of the company.

Inadequate GDPR and IT security measures could lead to directors' liability

When a company's IT systems are hacked, personal data of customers, employees, etc. may end up in the wrong hands as a result, which qualifies as a data breach. If it then turns out that insufficient measures were taken to adequately protect the IT systems, or that the company's GDPR policy was not properly developed, a director runs the risk of being held internally liable for it by the company.

A director will only be held liable if it appears that his decisions, actions or conduct were manifestly outside the range of how a normally prudent and careful director would have behaved in the same circumstances. Where a director or governing body has not taken all reasonable steps to roll out a sound GDPR policy and adequately secure the IT systems (taking into account, among other things, the cost-benefit ratio, the likelihood of hacking and the sensitivity of the data processed by the company), there is a real chance that the director could be held liable by the company. Similarly, the case where the Data Protection Authority fines a company for GDPR violations (e.g. inadequate security measures) could lead to internal director liability. Indeed, every director should know that a company processing personal data must take GDPR obligations into account.

Directors, members of the management body or persons who have actual management power with respect to the legal entity will also be externally liable towards third parties to the extent that their mistake is an extra-contractual error (an extra-contractual management error). In the case of a hack involving the disclosure of personal data, the third party is the data subject whose personal data has been leaked. In order to hold liable the director who failed to take sufficient measures to prevent the data leak, the data subject will have to prove the director's fault, prove the damage suffered as a result of the data leak, and prove that the damage was caused by the director's fault.

Role of cyber insurance and directors' liability insurance

One of the measures that can be taken by the director or by the governing body to cover any damage resulting from a cyber attack is to take out cyber insurance. Such insurance provides cover for financial losses incurred as a result of a cyber attack, data breach or IT system failure. An important question here is whether such cyber insurance can also be invoked when one is held personally liable as a director for the damages described above.

The answer to that question is negative, as cyber insurance will only cover damages for which the company itself is held liable. If, as a director, you are held personally liable for the damage caused by a cyber attack or data breach, you will also have to bear the compensation claimed personally. For this reason, it may also be advisable for a director to take out directors' liability insurance, which does cover damage resulting from management errors.

