25 March 2019
In the age of digital businesses, cyberattacks are a constant threat for every company – from startups to large corporations. The best protection happens long before any attack takes place. This includes the legal setup. Companies should be aware of the following obligations under German cybersecurity law.
German law requires companies to provide for Business Continuity Management (BCM) measures. At a minimum, these measures must enable you to identify cybersecurity shortcomings at an early point in time. However, in order to survive cyberattacks effectively, you should consider a more comprehensive approach. Ideally, your BCM system assigns internal responsibilities for cybersecurity, sets out immediate measures and back-up systems in case of cyberattacks, and defines measures to help you resume normal business operations after the attack.
With the GDPR in force, make sure to have sufficient technical and organizational measures in place to ensure the security of personal data used for your business. The necessary level of resilience against cyberattacks must be assessed using a “risk-based approach”, depending on your business and the way personal data is used for it. The more risk-prone and data-heavy your activities are, the more resilient your systems should be. In case of non-compliance, you might face fines of up to €20 million or up to 4% of your annual turnover.
Make sure to thoroughly document any cyberattack that took place. This is not only an obligation deriving from the GDPR, but will also help you to analyze what happened and prepare your business for future cybersecurity risks. More importantly, the data gathered about the attack might help identify the attacker via his/her IP address. The documentation also allows you to respond to requests for information from data protection supervisory authorities.
You might be able to make damage claims against the attacker with the help of an unlikely ally. Privacy law may prevent you from trying to identify the attacker via his/her IP address yourself. However, the public prosecutor’s office can request traffic data on the incident from Communication Services Providers for criminal prosecution. This is only possible for a limited time after the attack. Therefore, you should file criminal charges against the (yet unknown) attacker as soon as possible and keep in touch with the public prosecutor’s office in the following days and weeks. This way, the attacker might face prosecution and you might be able to assert damage claims later on (although, in practice, this will only be possible in “best case scenarios”).
In some cases, you will have to notify supervisory authorities about a cyberattack. This is especially the case with, but not limited to, data breaches. In case of data breaches, you might even have to inform data subjects about the incident. You should check with your legal advisor whether a notification is necessary.
by Dr. Paul Voigt, Lic. en Derecho, CIPP/E and Wiebke Reuter, LL.M. (London)