“Haf­ni­um”: poten­ti­al impact on pro­ces­sing relationships

The Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) con­ti­nues to warn about cri­ti­cal “Haf­ni­um” secu­ri­ty vul­nerabi­li­ties in Micro­soft Exch­an­ge ser­vers: com­pa­nies with unpatched Exch­an­ge ser­vers face the thre­at of attacks from the inter­net. Ger­man com­pa­nies are affec­ted as well.

From the view­point of data pro­tec­tion law, com­pa­nies acting as con­trol­lers are requi­red, at a mini­mum, to docu­ment secu­ri­ty updates pur­su­ant to Artic­le 33(5) of the GDPR. In cases whe­re a poten­ti­al risk can­not be ruled out, noti­fi­ca­ti­on of the com­pe­tent super­vi­so­ry aut­ho­ri­ty is requi­red in accordance with Artic­le 33(1) of the GDPR and, in case of high risk, the cir­cum­s­tances must be com­mu­ni­ca­ted to the data sub­jects in accordance with Artic­le 34(1) of the GDPR.

But not infre­quent­ly, Exch­an­ge ser­vers are ope­ra­ted not by the con­trol­ler, but rather by out­side ser­vice pro­vi­ders, i.e. pro­ces­sors. In such cases, the pro­ces­sors are respon­si­ble for che­cking and moni­to­ring their ser­vers and are requi­red, pur­su­ant to Artic­le 28(1) of the GDPR, to pro­vi­de suf­fi­ci­ent gua­ran­tees to ensu­re that pro­ces­sing con­forms to the requi­re­ments of data pro­tec­tion law by imple­men­ting appro­pria­te tech­ni­cal and orga­niza­tio­nal mea­su­res. In accordance with Artic­le 28(3)(f) of the GDPR, pro­ces­sors are requi­red to assist the con­trol­ler in ensu­ring com­pli­ance with the obli­ga­ti­ons spe­ci­fied in Artic­les 32 to 36 of the GDPR. This requi­re­ment par­ti­cu­lar­ly appli­es in the case of the “Haf­ni­um” secu­ri­ty vulnerabilities.

Con­se­quen­ces for pro­ces­sing relationships

If the pro­ces­sor does not patch the ser­vers and check if they are com­pro­mi­sed, or if its efforts to do so are unsuc­cessful or come too late, it may be neces­sa­ry for con­trol­lers to noti­fy the data pro­tec­tion aut­ho­ri­ty or even com­mu­ni­ca­te the mat­ter to the data sub­jects, with the processor’s assis­tance. Regard­less of whe­ther noti­fi­ca­ti­on or com­mu­ni­ca­ti­on is requi­red, the breach has to be docu­men­ted in accordance with Artic­le 33(5) of the GDPR, and in this as well the pro­ces­sor is requi­red to assist. For the con­trol­ler, docu­men­ting the breach is also important with regard to pos­si­ble recour­se claims based on mis­con­duct on the part of the pro­ces­sor, so that it is in both par­ties’ inte­rest for docu­men­ta­ti­on to be as detail­ed possible.

In addi­ti­on, the processor’s hand­ling of the cur­rent vul­nerabi­li­ties may lead the con­trol­ler to con­clude that the pro­ces­sor is not in a posi­ti­on to gua­ran­tee appro­pria­te tech­ni­cal and orga­niza­tio­nal mea­su­res, as requi­red in accordance with Artic­le 28(1) of the GDPR. For exam­p­le, if the pro­ces­sor is days or weeks late in instal­ling updates or if the pro­ces­sor fails to check if sys­tems are com­pro­mi­sed, or does so only ina­de­qua­te­ly, even though the­se mea­su­res are abso­lut­e­ly requi­red, the con­trol­ler may con­clude on this basis that it can and must no lon­ger rely on the processor’s exper­ti­se. At the very least, con­trol­lers should exami­ne the orga­niza­tio­nal mea­su­res taken by the ser­vice pro­vi­der in this case and request chan­ges if neces­sa­ry. If, in the end, the­re are con­ti­nuing defi­ci­en­ci­es in the processor’s mea­su­res to ensu­re com­pli­ance with the GDPR, the pro­ces­sing rela­ti­onship may no lon­ger be per­mis­si­ble and data pro­ces­sing by the pro­ces­sor may have to be discontinued.

Pro­ces­sors which are affec­ted by the­se cir­cum­s­tances, par­ti­cu­lar­ly tho­se which were late in instal­ling updates or fai­led to check if the sys­tem was com­pro­mi­sed, are advi­sed to fur­nish docu­men­ta­ti­on to their con­trol­lers demons­t­ra­ting that they have nevert­hel­ess pro­vi­ded suf­fi­ci­ent gua­ran­tees for the secu­ri­ty of pro­ces­sing and/or that the neces­sa­ry impro­ve­ments are alre­a­dy under­way. Con­trol­lers, for their part, should cont­act affec­ted pro­ces­sors and request the rele­vant infor­ma­ti­on and docu­men­ta­ti­on so as to com­ply with their super­vi­so­ry duties. Sen­si­ble docu­men­ta­ti­on may include e.g. full docu­men­ta­ti­on of the hand­ling of an inci­dent, brin­ging in out­side experts or the deve­lo­p­ment of con­cepts which demons­tra­b­ly rai­se the level of secu­ri­ty. As things stand, far-reaching con­se­quen­ces are only con­ceiva­ble in case of a gra­ve breach.

Fur­ther action and conclusion

In light of pos­si­ble recour­se claims and the thre­at of con­se­quen­ces for pro­ces­sing rela­ti­onships, affec­ted con­trol­lers and pro­ces­sors should take imme­dia­te action to ensu­re that “Haf­ni­um” secu­ri­ty vul­nerabi­li­ties are addres­sed by instal­ling the available updates. In addi­ti­on, the sys­tems they use should be che­cked to deter­mi­ne if they have may have been com­pro­mi­sed. If they need assis­tance, valuable resour­ces are available from BSI (only in Ger­man) and, in par­ti­cu­lar, in the self-help gui­dance from HiSo­lu­ti­ons (only in Ger­man). In addi­ti­on to tech­ni­cal aspects, con­trol­lers and pro­ces­sors should also devo­te more atten­ti­on to the legal con­se­quen­ces of the secu­ri­ty vul­nerabi­li­ties, which may go well bey­ond the noti­fi­ca­ti­on and com­mu­ni­ca­ti­on requi­re­ments which have been the sub­ject of inten­se dis­cus­sion late­ly.

The Cyber­se­cu­ri­ty & Data Pro­tec­tion team at reusch­law Legal Con­sul­tants will help you resol­ve the “Haf­ni­um” secu­ri­ty vul­nerabi­li­ties and pro­vi­des advice in all legal ques­ti­ons rela­ting to IT secu­ri­ty.

Hafnium’s impact on pro­ces­sing rela­ti­onships will also be a sub­ject of the digi­tal lunch break which will be held by reusch­law & K4 Digi­tal on Thurs­day, 25 March 2021, from 12:00 PM to 12:40 PM. Admis­si­on to the event is free of char­ge. You can regis­ter here.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.