27 January 2020
For several years now, companies of all business areas and sizes have been exposed to persistent attacks by hackers. Company IP, know-how and data are in danger … including personal data!
Recently, it emerged that the Marriott International Group had become the target of a massive attack on the IT security of the systems of its Starwood hotels. Data from around 500 million people are said to have fallen into the hands of attackers, including highly sensitive data such as credit card information. The list of comparable incidents across all business sectors is long and keeps growing. Bank and credit card theft, encryption trojans, website sabotage, “WLAN eavesdropping” and various forms of industrial espionage can not only cause considerable financial damage and the dreaded damage to goodwill. Depending on the course of events, such incidents may also reveal weaknesses in the protection of the company’s IT infrastructure, which can often lead to regulatory proceedings and substantial fines.
And now that the GDPR has been in force since May 2018, companies face much stricter compliance rules when dealing with cyber attacks. Dealing with such an event not only from a practical but also from a legal perspective has never been more important.
Many companies are probably familiar by now with the fact that the EU General Data Protection Regulation (GDPR), which came into force in May 2018, contains various requirements for IT security. Violations of the requirement to comply with sufficient technical and organizational measures can be sanctioned extensively, which individual authorities have already made use of. In addition, and often unknown to many companies, other laws contain various provisions on cyber security, including national telemedia and telecommunications laws. Even laws that look rather “unsuspicious” at first glance, such as general commercial codes or stock corporation laws, oblige compliance with corresponding standards. Accordingly, IT security is one of the essential tasks of the company management, which is responsible for implementing it properly. If this goes wrong, the company management may even be held personally liable, since IT security is a building block of the principles of proper company management.
First, companies must implement an adequate standard of IT security for their own systems and those of their service providers according to the “state of the art”. Guidance is provided by Art. 32 GDPR, which, among other things, requires measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used for processing. This also includes measures to quickly restore the availability of personal data and access to them in the event of a physical or technical incident. Sufficient Business Continuity Measures (BCM) are therefore an essential part of the respective concept.
In the absence of more concrete legal requirements, companies face the challenge of defining the level of protection that is adequate for them and the measures that follow from it. The relevant measures must be evaluated within the framework of a risk-based approach and depend on the way in which personal data are processed. The more sensitive the data and the riskier the business activity, the more secure the relevant systems must be.
Assistance is provided here by, among others, the national information security agencies and the various European supervisory authorities. Given the growing professionalism of attackers, many companies rely on the advice of external IT security specialists, who know the requirements, solution approaches and industry standards and can effectively support companies in designing suitable IT security standards.
In addition – and often neglected – employees must understand what is going on when it comes to IT security and what is taboo! Since in many cases it is the company’s own employees who open the door to cyber attackers through carelessness, this is not the place to cut costs. Employees must be sufficiently sensitized and given practical instruction, e.g. through a workshop with a security consultant who points out typical errors and attack scenarios. Training is not optional, but mandatory!
Even before a (possible) incident, companies must prepare for the emergency: as part of the BCM, every company must draw up a crisis plan with which the most important steps can be worked through quickly and effectively in the event of a “crisis”. Essential points of such a plan are:
A corresponding contingency plan for IT security incidents must be sufficiently documented and should be tested at regular intervals by means of a simulation. Such a plan is not only “nice to have”. Rather, companies are already obliged by law to take appropriate measures – and, often unknown, especially by company law requirements.
It should be noted that failure to implement such measures may even constitute a data protection violation in its own right and may lead to sanctions by the supervisory authorities. In view of the new maximum fines of up to 20 million euros or 4% of worldwide annual turnover, this is a relevant consideration.
Last but not least, cyber insurance can also be a useful component of the protection package against cyber attacks. Depending on its structure, it may not only mitigate the financial consequences of a cyber attack. Insurers can also provide further valuable assistance in the event of a cyber attack on the basis of their experience: through appropriate contacts to specialists, but also beforehand by providing checklists and further instructions.
And what if it’s too late ... A checklist for emergencies
IT security incidents are extreme situations that can sometimes lead to great psychological stress for the persons involved. A crisis plan helps! Working through this plan in the event of a crisis helps to avoid overlooking any essential steps and also provides a degree of legal certainty when it comes to finding and eliminating sources of danger and closing possible gaps in the first few hours.
All findings about the discovered or suspected cyber attack must be thoroughly investigated and documented. This obligation already follows from the law. It is also indispensable in order to be able to provide authorities and affected parties with sufficient information about the attack. Since the situation will often be unclear, expert advice is often indispensable. Evidence such as log files must be secured in good time before it is (automatically) deleted. Subsequently, comprehensive documentation helps to analyse what happened and to draw conclusions for improving processes and measures to prevent future attacks.
Law enforcement authorities can often achieve more in prosecuting perpetrators than the victims themselves. For example, connection data can be obtained, search measures can be initiated or information can be obtained from other, otherwise inaccessible sources that are helpful in later pursuing civil claims against perpetrators. Since such measures lose their effect over time, speed and close coordination with the authorities are often required – even if, unfortunately, such measures are successful in practice only in the rarest of cases.
Depending on the incident, notification of data protection authorities and/or data subjects may be required under Art. 33 / 34 GDPR. The first step is to determine the relevant time limits as soon as the attack is detected. Under the GDPR, reports to data protection supervisory authorities must be made within 72 hours. Whether such a notification is required often calls for a prognosis regarding the existing risk to the persons concerned, as the situation will rarely be clear. In order to avoid unnecessary notifications and also to ensure a legally strategic approach, specialised legal advice should be sought. Points that regularly need to be clarified in this context are:
In any case, the communication and defence strategy should be defined “proactively” before a notification is made. Depending on the incident, the report can become the first step in lengthy communication with the authority, which may also involve the investigation of legal violations by the reporting company. In this respect, too, a notification should always be preceded by at least a brief examination of the company’s data protection compliance in order to be prepared for enquiries and to be able to steer communication in a targeted manner. Subject to the examination of the individual case, however, cooperating with the authorities has proved worthwhile!
Particularly in the stress of a cyber attack, elementary (data protection) legal requirements are often overlooked in internal and external investigation measures, which can later lead to a ban on the use of evidence and to separately sanctionable data protection violations. The measures should therefore be checked for legal compliance, especially before employee screenings or the personalized analysis of log files.
Even when things get hot, you should keep a cool head. Careless measures can often deepen the damage in the case of a cyber attack. Professionals can help to avoid such mistakes. And: after the attack is before the attack. We have to learn from mistakes, be it by further hardening IT security or by further improving processes. If you want to be legally well prepared for the next attack, you can’t do without tidying up!