Can a DAO be held accountable for breaches of cybersecurity or data breaches?

Jurisdiction: Germany


A DAO can be held accountable for cybersecurity and data breaches if it is, simply put, legally obliged to avoid them. Such an obligation may, on the one hand, arise directly from law, in particular from specific data protection and cybersecurity laws. E.g., Art. 32 GDPR requires that the controller and the processor implement appropriate technical and organizational measures to ensure a level of security regarding the affected personal data.

Consequently, the DAO is only obliged to observe such obligations if it falls within the scope of the regulation from which the given obligation arises.

On the other hand, such obligations may be based on contract, in particular on explicit contractual clauses. In current practice, however, such clauses are rather unlikely to occur in DAO-related contracts. Under certain circumstances, relevant obligations may also arise from the general diligence obligations between the contractual parties.

To summarize, whether the DAO can be held accountable for a cybersecurity or data breach depends on the circumstances of the given case and hence requires a particular

Zsofia Vig

Banking and Capital Markets Law (DeFi/Web3, Crypto in general, tokenized Securities)

We are a virtual law firm for web3 matters.
