Directors Beware! You Could Be Held Personally Liable For Data Breaches

We read about it all the time – businesses both here and abroad are increasingly subjected to major data breaches. Cyber crime is on the rise, and we are all at risk.

A particular danger faces any director whose company’s computer systems are hacked and losses ensue. Overseas, disgruntled shareholders are already suing directors in such cases for dereliction of their fiduciary duties, and there’s a very real threat of incurring personal liability if you drop the ball on this one.

We analyse what the Companies Act and King IV require of directors in this regard, and discuss the danger of failing to comply with any of these duties. Most importantly, we end off with some practical thoughts on how to protect yourself from liability.

Hacking into computers has become commonplace. In the United States it grew by 45% in 2017. Yahoo, one of America’s largest Internet search engines, was recently the victim of cyber crime, and disgruntled shareholders are suing the directors for dereliction of their fiduciary duties.

Hacking is also a reality in South Africa, which raises the issue of your personal liability as a director in the event of your company being exposed to cyber crime.

What do the Companies Act and King IV expect of directors?

Directors need to have “taken reasonably diligent steps to become informed about the matter” – in other words directors would be expected to know cyber crime has become commonplace and to take steps to ensure the company takes all the necessary actions to prevent outsiders getting access to company information. King IV specifically charges directors to “identify and respond to incidents, including cyber attacks…”.

Your risk is that as a director you are personally liable for any costs, losses or damages resulting from a breach of your duties.

How to protect yourself from liability

If a company suffers loss from a hacking incident, then directors need to show they have addressed the issue to the best of their ability if they want to avoid attracting such liability.

Whilst many of us may feel lost when it comes to technology, it is clearly an issue that exposes a company to significant risk. Make sure you and your board of directors gain an understanding of how to protect your business. You also need to ensure that, should the need arise, you can show documentation to a court to prove that you acted with diligence to counter the risk of being hacked.