

Phishing e-mails and the liability of a managing director of a limited liability company
The liability of a managing director of a limited liability company (GmbH) requires the violation of a specific duty in his function as a management body of the company. For other breaches of duty by the managing director, liability is determined by the general provisions of civil law. This was decided by the Zweibrücken Higher Regional Court (Oberlandesgericht, "OLG").
Facts
The decision of the OLG Zweibrücken is based on the following facts: The managing director of a GmbH received phishing e-mails from unknown fraudsters abroad. These fraudsters imitated the e-mail address of a long-term business partner of the GmbH with a barely noticeable exchange of two letters ("@w...flim.com" instead of "@w...film.com"). The exchange via e-mail was common practice between the business partners and seemed plausible at first glance. To settle the alleged claims, the managing director repeatedly transferred sums of money amounting to a low six-figure sum to the bank accounts named in the e-mails. Only later did it emerge that the managing director was a victim of fraud.
The GmbH demanded that the managing director compensate the company for the incurred damage. The Frankenthal Regional Court dismissed the claim for payment. The GmbH appealed against this decision.
The decision of the OLG Zweibrücken (judgment of 18.08.2022 - Ref.: 4 U 198/21)
The appeal was unsuccessful. In the opinion of the OLG Zweibrücken, the managing director cannot be held liable as a management body pursuant to Section 43 (2) of the German Limited Liability Companies Act ("GmbHG"). In line with the prevailing opinion in the literature, the OLG Zweibrücken considers the violation of specific duties of the management body to be necessary. This is not the case here.
The duties of the management body can be divided into four different areas of duty: (i) the duty of legality, (ii) the duty of care "in the narrower" sense, (iii) the duty of supervision, and (iv) the duty of compliance. Liability for other activities of managing directors is governed by general civil law.
The commissioning of a money transfer based on phishing e-mails is considered an accounting activity and, according to the OLG, is not a breach of a duty specifically incumbent on directors and officers. Neither the delegated management nor a possible duty of supervision had been violated here.
The OLG Zweibrücken also denied liability under civil law principles, i.e., under Section 280 (1) of the German Civil Code ("BGB") and Section 823 (1) BGB. It was only slightly negligent (“leicht fahrlässig”) that the managing director did not notice the "misspelled letters" in the phishing e-mails in which the bank transfer was requested. In accordance with the liability principles under employment law and the associated mitigation of liability, liability was ruled out in this case despite slight negligence.
Practical advice
The liability of the managing director arising from his management body position can only concern the violation of specific duties as management body. This is recognized for the liability of executive board members of a stock corporation in the context of Section 93 AktG; nothing else can apply to the liability of managing directors under Section 43 (2) GmbHG, for which Section 93 AktG served as a template.
The classification under the respective basis of liability can have significant effects in practice. Differences arise regarding the standard of care and the distribution of the burden of proof. Whereas liability under general rules requires compliance with the "due care required in the course of business", the "due care of a prudent businessman" applies to the liability of the managing director pursuant to Section 43 (1) GmbHG. In addition, in the case of liability pursuant to Section 280 (1) BGB, the managing director only bears the burden of proof with regard to fault, whereas in the case of liability pursuant to Section 43 (2) GmbHG, he must exonerate himself with regard to the breach of duty.
In its decision, the OLG Zweibrücken applied the so-called “principles of the intracompany damage compensation” to the breach of a non-organ-specific duty of the managing director. Despite slightly negligent conduct, the managing director was not held liable. The principles of intracompany damage compensation were developed by German case law. They stipulate a reduction of liability for an employee acting in performance of their employment. To this extent, an employee cannot be held liable in cases of slight negligence. In the literature, it is disputed whether the principles of the intracompany damage compensation can be applied to managing directors or board members. The prevailing opinion does not consider the principles to be applicable. By contrast, in the above-mentioned case, the OLG Zweibrücken applied the mitigation of liability for employees to the managing director. A clarifying decision by the Federal Court of Justice regarding this question will not be issued in this case, as no appeal has been filed.
The court decision illustrates the complexity of a managing director’s liability and should be taken as an opportunity to take a closer look at the D&O insurance of managing directors. In most cases, the insurance coverage of a D&O insurance policy is specified in such a way that only breaches of duty which arise as a result of the management body activity are covered. This could mean that a managing director whose breach of duty is not classified as a board activity might not be covered by the insurance. The case-by-case classification could therefore lead to problems regarding the insurance company's obligation to pay.
4th August 2023