Can executives or board members be held personally liable for information governance failures?
Yes, in certain circumstances. While organizations themselves usually bear the direct consequences of information governance (IG) failures, executives and board members can face personal exposure when they fail to exercise their oversight duties or when they participate in misconduct. The risk is real but situational, and it varies by jurisdiction, industry, and the nature of the failure.
Where Personal Liability Can Arise
Several distinct pathways can reach individuals rather than only the organization:
- Breach of fiduciary duty. Directors and officers owe duties of care and loyalty. Courts have increasingly held that a sustained failure to implement or monitor compliance and information systems can be a breach of the duty of oversight.
- Obstruction and spoliation. Destroying, altering, or failing to preserve records relevant to litigation or an investigation can lead to sanctions against an organization and, where intent is shown, personal or even criminal liability for those who directed it.
- Statutory and regulatory duties. Some laws impose recordkeeping or certification obligations directly on named officers. Signing inaccurate filings or certifying deficient controls can create individual accountability.
- Privacy and data protection failures. A serious mishandling of personal data can expose responsible leaders to regulatory enforcement and reputational consequences, especially where governance was clearly inadequate.
What Reduces Personal Exposure
Liability typically turns on whether leaders acted reasonably and in good faith, not on whether a failure occurred at all. Protective practices include:
- Establishing a documented IG and records retention program, and ensuring it is actually followed.
- Receiving regular reporting on compliance, retention, legal holds, and data incidents, and acting on red flags.
- Defining clear roles, accountability, and escalation paths so issues reach the board.
- Maintaining defensible disposition so records are kept and destroyed by policy, not by improvisation.
The Practical Takeaway
Personal liability is usually tied to neglect of oversight or active wrongdoing rather than honest, well-governed mistakes. Boards and executives protect themselves by treating information as a governed asset, demanding visibility into how records are managed, and ensuring legal preservation duties are honored. Strong, well-documented governance is both the best operational practice and the best individual safeguard.
For broader context, see the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
- The Sedona Conference publications — The Sedona Conference
- Records management laws — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Can executives or board members be held personally liable for information governance failures?. Records Management University. https://www.recordsmgmt.org/questions/can-executives-be-personally-liable-for-information-governance-failures/
MLA
RM University Editorial. "Can executives or board members be held personally liable for information governance failures?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/can-executives-be-personally-liable-for-information-governance-failures/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can information governance help reduce cloud storage costs, and how?
- Can our IT department decide on its own to delete old files to free up server space?