
The judgment of the Supreme Court of the Czech Republic (the “Czech Supreme Court”) dated 26 February 2026, Case No. 21 Cdo 3349/2024, addressed employee liability for making a payment as a result of a phishing attack.
Summary of the Facts
The employer sought damages from its former employee in the amount of more than CZK 760,000. The damage arose in connection with an international payment of EUR 47,000 made on the basis of an email purporting to contain an instruction from the company’s Chief Executive Officer. In reality, it was a phishing attack.
The defendant was a managerial employee – the Director of the Finance Division (G1). Reporting to him was the Section Director (G2, Accounting and Tax). On 19 December 2017, at 8:52 a.m., the defendant received an email allegedly from the CEO (from a non-displayed address), asking about the account balance and requesting a payment of EUR 47,000. At 9:02 a.m., he confirmed to the purported CEO that sufficient funds were available.
At 9:09 a.m., he received payment instructions and a request for confirmation; at 9:12 a.m., he stated that he would pass on the instruction. Follow-up reminders ensued. He spoke by telephone with the Section Director, who requested an email bearing an electronic signature, as required by the employer’s internal regulation; the defendant assured her that he had spoken with the CEO.
At 9:53 a.m., he asked the purported CEO to send a signed instruction; at 9:58 a.m., he was told that the documents would be delivered later and that the payment was to be made immediately.
At 9:59 a.m., he forwarded the email to his subordinate with the note “Jitka, please…”. At 10:09 a.m., this Section Director instructed her subordinate to execute the international payment after verifying the signing authority, while the defendant was kept informed.
Legal Issues Addressed by the Czech Supreme Court
The Czech Supreme Court considered:
- how an instruction given by a superior employee to a subordinate is to be interpreted in employment relationships (so-called factual conduct), and
- how the degree of fault of several employees is to be determined in cases of joint liability for damage under Section 257(5) of the Labour Code.
Conclusions of the Czech Supreme Court
Nature of an Instruction Given by a Superior Employee
The Czech Supreme Court confirmed that:
- an instruction given by an employer or a managerial employee regarding the performance of work is not a legal act, but so-called factual conduct,
- however, its content must be interpreted analogously in accordance with the rules governing the interpretation of declarations of will under the Civil Code (Section 556 of the Civil Code),
- in such interpretation, it is necessary to take into account in particular:
  - the intention of the acting person,
  - the context of the situation,
  - previous communication between the parties,
  - the established practice between the parties.
The Czech Supreme Court concluded that the defendant’s email containing the words “Jitko, prosím” (“Jitka, please”) in conjunction with the preceding communication constituted an instruction to the subordinate employee to carry out the purported CEO’s instruction, i.e. to make the payment.
Employee Liability for Damage
For employee liability for damage to arise, all of the following conditions must be met:
- breach of employment duties,
- occurrence of damage,
- causal link,
- fault on the part of the employee.
The defendant breached these duties in particular by:
- insisting on the execution of a payment instruction that did not meet the requirements of the employer’s internal regulations and assuring the subordinate employee that he had communicated with the CEO, thereby dispelling her doubts.
Degree of Fault in Cases Involving More Than One Employee
The Czech Supreme Court emphasised that the term “degree of fault” under Section 257(5) of the Labour Code includes:
- the form of fault (e.g. negligence),
- the significance of the breach of duties for the occurrence of the damage.
In the case at hand:
- both employees acted with conscious negligence,
- however, the decisive role in causing the damage was played by the defendant, who, as a managerial employee, pushed through the execution of the payment.
The Czech Supreme Court therefore concluded that:
- the defendant’s degree of fault could not be lower than 75%,
- the degree of fault of the other employee could not exceed 25%.
Impact of the Decision
- The decision is particularly significant in the area of employee liability for damage,
- it confirms that instructions from superiors may also be inferred from indirect communication if this follows from the context,
- it emphasises the liability of managerial employees for defective instructions,
- it clarifies the interpretation of the term “degree of fault” in cases of joint liability of multiple employees.
The decision is also important for employers’ practice in dealing with damage caused by cyberattacks (such as phishing) and for setting up internal control mechanisms for financial transactions.
HR Legal Update 03/2026