Yes, Officers & Directors Can Be Held Personally Liable for Their Company’s Data Breach – Here’s Why


“Can I be held personally liable for my company’s data breach?”

That is one of the questions I am asked many times by officers and directors of companies.  For companies doing business in Texas, the answer could be “YES!” although the usual reasons provided are not nearly as straightforward as the one discussed in the video below.

***Please note, this analysis applies only to officers and directors, not regular employees of a company.

The Usual Explanation

We cybersecurity lawyers often answer that question by referencing the Department of Justice’s “Yates Memo” or by discussing how federal agencies like the Federal Trade Commission sometimes focus on individuals in their enforcement actions. And, of course, this discussion would not be complete without mentioning shareholder derivative litigation and Caremark Claims. But those are all a bit cumbersome, inconsistent, and subjective. However, for companies that are formed or registered to do business in Texas, there is another, less known situation in which officers and directors can be held personally liable for the debts of their companies.  And, every year, many companies in Texas find themselves in just this predicament.

The Less Known Basis for Personal Liability

Typically, entities, whether they are corporations (Corp.), limited liability companies (LLC), limited liability partnerships (LLP), professional corporations (PC), or others, are legal fictions for shielding liability. The law permits these entities to be treated as the “person” legally responsible for their actions, shielding the officers and directors from liability in many, if not most, cases. There is at least one scenario, however, where officers and directors of an entity that is formed or registered to do business in Texas can be held personally liable: When the entity is not kept in good standing, the officers and directors of the entity could be held responsible for the entity’s debts, which could potentially include liability for data breaches or other cyber incidents.

Jeff Mullins (@jeffreyamullins), one of my Scheef & Stone, L.L.P. law partners, is a knowledgeable and experienced business lawyer who focuses his practice on working with business entities.  Jeff has a thorough knowledge of these entity compliance requirements and, in the video below, explains just how easy it can be to miss seemingly insignificant requirements that could mean personal liability for you.

The good news is that Jeff is a great guy who is easy to work with and offices right next to me! Jeff would be happy to help you make sure your business entity is up-to-date. Just let me know when you are ready and I will be happy to introduce you — now watch and listen to what he has to say:


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service business law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.