Author

Dr. Paul Voigt, Lic. en Derecho, CIPP/E

Partner


25 March 2019

Cyberattacks: 5 To Do’s in Germany

In the age of digital business, cyberattacks are a constant threat to every company, from startups to large corporations. The best protection is put in place long before any attack takes place, and that includes the legal setup. Companies should be aware of the following obligations under German cybersecurity law.

1. Have your Business Continuity Management up and running

German law requires companies to provide for Business Continuity Management (BCM). Legally, these measures must at least enable you to identify cybersecurity shortcomings at an early point in time. However, in order to survive cyberattacks effectively, you should consider a more comprehensive approach. Ideally, your BCM system assigns internal responsibilities for cybersecurity, sets out immediate measures and back-up systems to be used in case of a cyberattack, and defines measures that help you resume normal business operations after the attack.

2. Protect personal data

With the GDPR in force, make sure to have sufficient technical and organizational measures in place to ensure the security of the personal data used in your business. The necessary level of resilience against cyberattacks must be assessed using a "risk-based approach", depending on your business and the way personal data is used in it. The more risk-prone and data-heavy your activities are, the more resilient your systems should be. In case of non-compliance, you might face fines of up to €20 million or up to 4% of your total worldwide annual turnover, whichever is higher.

3. Document the attack and your response

Make sure to thoroughly document any cyberattack that took place. This is not only an obligation under the GDPR, but will also help you analyze what happened and prepare your business for future cybersecurity risks. More importantly, the data gathered about the attack might help identify the attacker via their IP address. The documentation also allows you to respond to requests for information from data protection supervisory authorities.

4. Involve the public prosecutor’s office

You might be able to make damage claims against the attacker with the help of an unlikely ally. Privacy law may prevent you from trying to identify the attacker via their IP address yourself. However, the public prosecutor's office can request traffic data relating to the incident from communication service providers for the purpose of criminal prosecution. This is only possible for a limited time after the attack, because providers retain such data only briefly. Therefore, you should file criminal charges against the (as yet unknown) attacker as soon as possible and keep in touch with the public prosecutor's office in the following days and weeks. This way, the attacker might face prosecution and you might be able to assert damage claims later on (although, in practice, this will only be possible in "best case scenarios").

5. Notify the authorities

In some cases, you will have to notify supervisory authorities about a cyberattack. This is especially the case with, but not limited to, personal data breaches, which under the GDPR must generally be reported to the competent data protection authority within 72 hours of becoming aware of them. In case of data breaches, you might even have to inform the affected data subjects about the incident. You should check with your legal advisor whether a notification is necessary.
