YAHOO SHAREHOLDERS RECEIVE COMPENSATION FROM MANAGEMENT
Hackers at Yahoo have stolen data from 3 billion customers. This had personal consequences for the management. While in most cases the affected customers were able to assert claims for damages against the company, the shareholders were usually left empty-handed. In the Yahoo case, the shareholders had for the first time sued the management - including Yahoo CEO Marissa Mayer - on behalf of the company for breach of fiduciary duties. The former management team now has to pay the shareholders millions because of the cyber attack. The lawsuit was settled with a cash payment of $29 million (which will be covered by insurance). A California judge approved the settlement last week.
WHAT WOULD BE THE LEGAL SITUATION IN SWITZERLAND?
In the event of a breach of data protection obligations, customers can sue the company based on the basis on the Swiss Data Protection (injunction, removal action, declaratory action, action for satisfaction, issue of profits, right of reply). Depending on the contractual relationship, there may also be contractual (or non-contractual) claims for damages.
The shareholders could also bring an action against the management (article 754 CO). However, the claim is for payment to the company and not to the shareholders (article 756 CO).
The revised Data Protection Act will also provide for fines for managers.
WHAT ARE THE LESSONS FOR MANAGEMENT?
Management is well advised to pay due attention to data protection and cyber risks (risk-based approach):
- Risk analysis
- Implementation of a data protection concept (risk management; regulation of responsibilities)
- Documentation of data protection efforts (management and board minutes)
- Ensuring compliance with standards (certifications; data privacy seal)
- Review of documentation and contracts with providers
- Securing insurance cover (Cyber Risk Insurance; D&O Insurance)