Legal incident response: cyberattacks from a legal viewpoint

Stefan Hessel

In 2021 as well, companies will face numerous cybersecurity risks arising from the progressive digitization of the economy. In addition to prevention, growing importance is being attached to the detection of cyberattacks and, above all, to response. Unlike preventive measures, a subject which is rather vague given the wide variety of legal requirements for cybersecurity and which requires individual analysis, the rules governing the response to cyberattacks are very clear in some cases. One example is personal data breaches, which will serve as an example below.

From a technical viewpoint, a cyberattack can be understood as an IT security incident, i.e. impairment of the protective goals of IT security (confidentiality, integrity and availability) (only in German) by an attacker acting with deliberate intent. But this is not a fixed definition, let alone a legal term. In order to examine the legal consequences of cyberattacks, it is therefore necessary to fit the real-life circumstances summarized by the term "cyberattack" in each case within the bounds of the applicable legal definition. In the case of data protection law, the relevant statute is Article 4 No. 12 of the GDPR (only in German), which contains a legal definition of the term "personal data breach."

According to this definition, a personal data breach occurs in case of a security breach "leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data." A particularly relevant aspect of this definition is that the security breach must relate to personal data. Accordingly, in case of cyberattacks which do not affect the processing of personal data, a personal data breach does not occur and strict requirements of the GDPR do not apply. On the other hand, it is possible to have a personal data breach which does not even affect the company itself, only e.g. a company conducting processing on its behalf. Personal data breaches may also occur entirely independently of cyberattacks, e.g. if data storage media are lost. The question as to whether a personal data breach has occurred may depend on legal nuances, and is to be determined in the context of other legal requirements as well. It is therefore necessary to subject cyberattacks to careful legal analysis in each case.

If a cyberattack qualifies as a personal data breach, the controller is required at a minimum to document the breach in accordance with Article 33(5) of the GDPR (only in German), regardless of the risk. This documentation must be extensive enough to demonstrate that the personal data breach does not pose a risk to the rights and freedoms of natural persons. In view of the fact that it may be disputed at a later date whether a cyberattack resulted in the occurrence of a personal data breach, controllers should document all incidents, even those where a link to individual persons can be ruled out.

If personal data were affected and a risk cannot be ruled out, notification must be made to the responsible data protection authority in accordance with Article 33(1) of the GDPR (only in German). This notification has to be made by the controller without delay after learning of the personal data breach, within 72 hours if possible. If notification is made later than 72 hours, it is necessary to provide an explanation for the delay. In case of doubt, it is therefore better to submit the notification on time and supplement it later, if necessary, as new information comes to light. If the personal data breach poses a high risk, it is also necessary to notify the data subject in accordance with Article 34(1) of the GDPR.

Violations of the documentation, reporting and notification requirements are subject to fines in accordance with Article 83(4)(a) of the GDPR. If the personal data breach is attributable to inadequate technical or organizational measures, there may also be a violation of Article 32(1) of the GDPR (only in German), which may also result in a fine in accordance with Article 83(4)(a) of the GDPR (only in German). Violations of the GDPR may also trigger damage claims in accordance with Article 82(1) of the GDPR, although the specific requirements for such claims, as well as their amount, have yet to be conclusively clarified. Accordingly, controllers are advised to have the matter reviewed by their attorneys, particularly in case of severe fines or damage claims. A decision by the District Court of Bonn of 11 November 2020 (Case No. 29 OWi 1/20), in which the court reduced a fine imposed by the Federal Commissioner for Data Protection upon 1&1 AG from about EUR 9.5 million to EUR 900,000, demonstrates how effective legal action can be when contesting fines.

Legal requirements for the handling of cyberattacks must be taken into account in the company's incident response process. As demonstrated by the example of data protection law, it is necessary to satisfy the key requirements at the technical level for the documentation of personal data breaches. Caution is therefore necessary, particularly for incident response measures which destroy the company's ability to trace the attack. It is also necessary for the incident response process to include the necessary expertise to evaluate reporting and notification requirements. Given that detection measures such as e.g. looking through employees' e-mail accounts and accessing third-party systems may have legal relevance (e.g. in terms of data protection law), a legal assessment is also necessary in this regard.

Separately from the legal requirements for incident response, legal measures may also serve to protect and secure the company's processes for the management of cyberattacks (legal incident response). Possible measures may include e.g. written instructions to employees concerning the company's contingency plan or ensuring detection options, e.g. through binding rules concerning the private use of the company's internal internet access and company e-mail accounts. Legal measures can even be taken to counter a situation in which a personal data breach does not occur in the controller's company, but rather in that of a processor, a situation which is particularly challenging from a technical viewpoint. Possible measures in this case include e.g. a clause on the involvement of outside experts in the investigation of personal data breaches, contractual obligations to preserve evidence and express agreements concerning lines of communication and reporting processes in the event of an incident. In this way, controllers will be able to address a problem which is relevant in practice, i.e. the possibility that the processor will bypass the controller and notify the data protection authority directly.

In conclusion, it can be stated that the legal requirements with regard to cybersecurity are growing and, as shown above on the example of data protection law, these requirements now have a complexity which requires legal expertise. The same applies for the establishment of a system for management of the applicable legal requirements. In addition to considering the legal requirements within the context of incident response, companies should also devote increasing consideration to legal measures which are designed to secure the processes for the management of cyberattacks.

[January 2021]