Legal incident response: cyberattacks from a legal viewpoint

In 2021 as well, companies face numerous cybersecurity risks arising from the progressive digitization of the economy. Alongside prevention, growing importance is being attached to the detection of cyberattacks and, above all, to the response. Unlike preventive measures, a subject that remains rather vague given the wide variety of legal requirements for cybersecurity and that calls for case-by-case analysis, the rules governing the response to cyberattacks are in some areas very clear. One such area is personal data breaches, which serve as the example below.

From a technical viewpoint, a cyberattack can be understood as an IT security incident, i.e. an impairment of the protection goals of IT security (confidentiality, integrity and availability) by an attacker acting with deliberate intent. This is not a fixed definition, however, let alone a legal term. To examine the legal consequences of a cyberattack, the real-life circumstances summarized by the term "cyberattack" must therefore be fitted, in each case, within the bounds of the applicable legal definition. In data protection law, the relevant provision is Article 4 No. 12 of the GDPR, which contains the legal definition of the term "personal data breach."

Under this definition, a personal data breach is a breach of security "leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." A particularly relevant aspect of this definition is that the security breach must relate to personal data. Accordingly, a cyberattack that does not affect the processing of personal data is not a personal data breach, and the strict requirements of the GDPR do not apply to it. Conversely, a personal data breach can occur without the company's own systems being affected at all, e.g. at a processor acting on the company's behalf. Personal data breaches may also occur entirely independently of cyberattacks, e.g. when data storage media are lost. Whether a personal data breach has occurred may turn on legal nuances and must be determined in the context of other legal requirements as well. Each cyberattack therefore requires careful legal analysis.

If a cyberattack qualifies as a personal data breach, the controller must at a minimum document the breach in accordance with Article 33(5) of the GDPR, regardless of the risk involved. This documentation must be extensive enough to demonstrate to the supervisory authority that the personal data breach does not pose a risk to the rights and freedoms of natural persons and that notification was therefore not required. Since it may later be disputed whether a cyberattack resulted in a personal data breach, controllers should document all incidents, including those where a link to individual persons can be ruled out.

If personal data were affected and a risk cannot be ruled out, the responsible data protection authority must be notified in accordance with Article 33(1) of the GDPR. The controller must make this notification without undue delay after becoming aware of the personal data breach and, where feasible, not later than 72 hours afterwards. If notification is made after 72 hours, the reasons for the delay must be given. In case of doubt, it is therefore better to submit the notification on time and supplement it later as new information comes to light; Article 33(4) of the GDPR expressly permits providing the information in phases. If the personal data breach is likely to result in a high risk, the data subjects must also be notified in accordance with Article 34(1) of the GDPR.

Violations of the documentation, reporting and notification requirements are subject to fines under Article 83(4)(a) of the GDPR. If the personal data breach is attributable to inadequate technical or organizational measures, there may also be a violation of Article 32(1) of the GDPR, which may likewise result in a fine under Article 83(4)(a) of the GDPR. Violations of the GDPR may also give rise to damage claims under Article 82(1) of the GDPR, although the specific requirements for such claims, as well as their amount, have yet to be conclusively clarified by the courts. Controllers are therefore advised to have the matter reviewed by their attorneys, particularly where severe fines or damage claims are at stake. A decision of the District Court of Bonn (Landgericht Bonn) of 11 November 2020 (Case No. 29 OWi 1/20), in which the court reduced a fine imposed by the Federal Commissioner for Data Protection on 1&1 Telecom GmbH from about EUR 9.5 million to EUR 900,000, demonstrates how effective legal action can be when contesting fines.

Legal requirements for the handling of cyberattacks must be built into the company's incident response process. As the example of data protection law shows, the key requirements for documenting personal data breaches must be met at the technical level. Particular caution is therefore needed with incident response measures that destroy the company's ability to trace the attack, e.g. wiping or reimaging compromised systems before logs and forensic images have been preserved. The incident response process must also include the expertise needed to evaluate reporting and notification obligations. And because detection measures such as searching employees' e-mail accounts or accessing third-party systems may themselves be legally relevant (e.g. under data protection law), these too require legal assessment.

Separately from the legal requirements for incident response, legal measures can also serve to protect and secure the company's processes for managing cyberattacks (legal incident response). Possible measures include written instructions to employees concerning the company's contingency plan, or safeguarding detection options through binding rules on the private use of the company's internet access and e-mail accounts. Legal measures can even address the situation, particularly challenging from a technical viewpoint, in which a personal data breach occurs not at the controller but at a processor. Possible measures here include a clause on the involvement of outside experts in investigating personal data breaches, contractual obligations to preserve evidence, and express agreements on lines of communication and reporting processes in the event of an incident. In this way, controllers can address a problem that is relevant in practice: the possibility that the processor bypasses the controller and notifies the data protection authority directly.

In conclusion, the legal requirements with regard to cybersecurity are growing and, as the example of data protection law shows, have reached a complexity that calls for legal expertise. The same applies to establishing a system for managing the applicable legal requirements. In addition to taking the legal requirements into account within incident response, companies should devote increasing attention to legal measures designed to secure their processes for managing cyberattacks.
