The potential liability of directors for corporate cyber breaches in South Africa

Abstract

The advances in technology across the world have brought with it new ways of conducting business in a connected economy. South African companies are no exception. However, with this wave of digital connection there are also associated dangers and risks to companies, such as cyber-attacks. A data breach can cost a company a lot of money. The financial fallout may have a severe impact on the company bottom line, erode the share value and the company public profile may decline. All these impacts may lead to the closure of the company with the knock-on negative effect on employees and the economy. Directors are charged with the responsibility of sound management of the company. This research investigates whether, and if so how, directors may be held liable by the company for the damages caused by a corporate cyber breach on the basis that the directors breached their duties of care, skill and diligence owed to the company in terms of the Companies Act 71 of 2008. The ambit of ‘diligence’ expected from directors is investigated and it is considered whether the duty imposes an oversight and monitoring obligation on directors. The question of whether directors may rely on the business judgment rule to escape liability is answered. It is concluded that the business judgment rule is not applicable in instances where directors have positive obligations of oversight and monitoring. The dissertation also explores how the delictual liability of directors may be established within the context of corporate cyber breaches. Recommendations are put forward on manners in which directors may avoid liability.