Following a cyberattack by the group “ALPHV,” also known as “Black Cat,” on the company “Motel One,” the personal data of millions of hotel guests (names, credit card details, addresses, birth and travel dates, phone numbers, etc.), a total of six terabytes, was stolen. Portions of the data, some dating back to 2016, have already surfaced on the darknet, where they are available for exploitation by other hackers. In a similar incident involving the US hotel chain Marriott in 2020, the UK Data Protection Authority imposed a fine initially set at GBP 100 million (later reduced to GBP 18.4 million). In addition to the fine, compensation claims from affected individuals are anticipated.
The case gains additional significance due to the impending decision of the European Court of Justice on the questions referred to it concerning Scalable Capital GmbH (Case Nos. C-182/22 and C-189/22). The Court is tasked with clarifying whether the mere loss of data (e.g., through a successful hacker attack) is sufficient to establish identity theft and thus a claim for damages.
These risks and questions also affect Swiss companies if they offer goods or services in the European internal market or monitor the behavior of individuals within the territorial scope of the GDPR (the so-called market location principle). This in turn raises the question of how companies and their management are liable under national liability rules when data is stolen from Swiss companies in purely domestic Swiss matters.
Data Protection Law
On September 1, 2023, the fully revised Federal Data Protection Act (DSG) entered into force in Switzerland. The DSG addresses weaknesses that became apparent when the “old” data protection law was applied to current situations. It also aligns with the provisions of the GDPR on various levels. The DSG aims to protect the personality and fundamental rights of natural persons whose personal data is processed (Art. 1 DSG). According to Art. 2 para. 1 DSG, the law applies to private persons and federal bodies (“controllers”) processing personal data of natural persons.
Obligation for Data Security
Data processing must be designed to comply with data protection regulations, in particular the principles of the DSG (Art. 6 DSG, Art. 7 para. 1 DSG). According to Art. 8 DSG, the controller and the data processor must ensure appropriate data security through suitable technical and organizational measures commensurate with the risk. These measures must be aimed at preventing breaches of data security.
If there are contractual agreements with the individuals affected by the data breach and these agreements attach legal consequences to a data incident, the data breach triggers these contractual liability mechanisms. Especially where liability has been agreed independently of fault, the agreed-upon liability instruments take effect quickly and directly.
If there are sufficient indications that data processing may violate data protection regulations, the Federal Data Protection Commissioner (EDÖB) opens an investigation ex officio under Art. 49 DSG. The controller is obliged to cooperate in this investigation. Failure to comply with this obligation, or disregard of the EDÖB’s orders, may result in a fine of up to CHF 250,000.
Art. 32 DSG opens the way to the classical instruments of the Swiss Civil Code (specifically Art. 28, 28a and 28g-28l ZGB) for the civil pursuit of unlawful personal data processing. Affected individuals can enforce defensive claims, such as injunctions, removal of the infringement, or declaratory relief. In addition, affected individuals have reparative claims, including claims for damages (for pecuniary loss) and for satisfaction (for non-pecuniary harm). Claims for disgorgement of profits and the right of reply also come into play.
Unlike under the GDPR regime, the penal provisions of the DSG primarily target the responsible natural persons rather than companies. As far as is currently known, such fines cannot be insured and are not covered by the employer of the penalized employee. If the investigation into the circumstances of the data breach points to offences under Art. 60-66 DSG, the personal liability of the management/executive body is the first thing at stake. Conditional intent (dolus eventualis) is sufficient for these offences to be committed. However, responsibility primarily falls on the individual who, in an executive position, makes the specific decisions about what actions to take. By delegating data protection duties, the liability risk for executive bodies under the penal provisions of the DSG can be significantly reduced.
A risk that cannot be reduced through delegation lies in the liability of executive bodies under the employment contract and under the Swiss Code of Obligations. Specifically, Art. 754 OR states that members of the board of directors and all persons involved in management are liable to the company, to individual shareholders and to company creditors for damages caused by intentional or negligent breaches of duty. For the board of directors, responsibility for data protection in the company follows from Art. 716a para. 1 no. 1 OR.
The same risk applies under Art. 827 OR to managing directors (of an LLC) if the four prerequisites for liability, namely breach of duty, damage, causal connection and fault, are fulfilled in the context of a data theft. If, for example, the duty to establish the legally required data security mechanisms was assigned to the managing director by company resolution, and the managing director culpably breached this duty by omission, such conduct could form the basis for a compensation claim for the damage caused by the data theft.
Management should pay appropriate attention to data protection and cyber risks. The legal situation outlined above favors delegating specific tasks in order to avoid risks arising from the penal provisions of the DSG. This is an advantage for the executive body concerned, but it could strain the working atmosphere. With regard to civil liability mechanisms, delegation is not possible. Executive bodies should therefore strictly adhere to the recommendations outlined below.
Based on the liability situation presented, executive bodies should, following a thorough risk analysis, oversee the implementation of a well-prepared data protection concept tailored to the company’s needs. The crucial question of whether the DSG and/or the GDPR applies must be answered, as there is a risk of dual liability. Responsibilities within the company should be clearly defined and decisions well documented.
Cyber risks must also be considered. Cybersecurity and data protection efforts should be part of the deliberations of the responsible bodies. That they have been addressed must be demonstrable through meeting minutes. Executive bodies should focus on the data protection concept, appropriate defensive measures against attacks and data theft, and an action plan for an attack that indicates an attempted data theft. Executive bodies should also strive for necessary and adequate insurance coverage (e.g., cyber risk policies).
In the event of an incident, it must be clear who is required to report which circumstances to whom and when. Moreover, to avoid personal liability and to preserve potential insurance coverage, a criminal complaint (e.g., on suspicion of offences under Art. 162, 179-179novies, 273 Swiss Penal Code) should be filed, and the potential damage should be reported to the D&O insurer.
In any case, it is advisable to seek legal assistance both in the development and review of the mentioned concepts and in the event of a data theft. In the Marriott chain case mentioned above, legal proceedings reduced the fine from nearly GBP 100 million to GBP 18.4 million.