6 April 2020
The German Federal Office for Information Security (BSI) sees an increased threat to the cyber-security in companies during the corona-crisis. Besides reports of an increase in phishing-mails in which the receiver is asked to enter personal data and the growing concern about cyber attacks on system-critical facilities such as hospitals or pharma companies our experts have received an increasing number of enquiries from companies that have been victims of cyber attacks in recent days. The risk of cyber attacks is particularly caused by the inexperience of many companies and employees in dealing with new technologies in times of increased work from home, the high time pressure and the resulting error-proneness of the implementation of technical solutions in the current corona-crisis.
Cyber attacks can not only trigger the obligation to report relevant transactions to the responsible regulatory agency or the notification to interested parties. Unfortunately, in many cases they also lead to system failures, the loss of data and high costs for the elimination of the consequences of such attacks.
Especially during the corona-crisis, all companies are strongly advised to take all necessary measures to protect themselves effectively from cyber attacks and not to neglect the IT security of the company.
The best protection against cyber attacks is the implementation of adequate IT safety measures.
Each company is obligated to maintain an adequate standard of IT security for its own systems and those of its service providers in line with the state of the art - even in times of greatest hardship.
A first guideline is provided by the requirements of Art. 32 GDPR, which among other things requires measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term.
In the absence of more concrete legal requirements, companies are often faced with the challenge of determining the adequate level of protection and the measures to be derived from it. The required measures are to be evaluated within the framework of a risk-based approach and depend on the way in which personal data is processed. The more sensitive the data, the more risky the business activity, the more secure the relevant systems should be.
Assistance is provided here by the handouts of the BSI (see below) and the various German and European supervisory authorities. Against the background of the growing professionalism of the attackers, also and especially in the corona crisis, it makes sense to fall back on the advice of external IT security specialists who know the specifications, solution approaches and industry standards and can effectively support companies in the conception of suitable IT security standards.
These days many employees are working from home. Maintaining IT security under these circumstances is a major challenge for many companies. At the same time, new and for many companies still unknown dangers are lurking in the home office.
The employer remains responsible for data protection in the home office and compliance with the GDPR and providing for sufficient technical and organisational measures for IT security. Employees are to be provided with appropriate regulations in order to uniformly define the framework conditions and obligations in connection with working from the home office.
Individual measures are particularly important for working from home:
The use of business systems as well as access to company data and e-mails should only be made possible via secure access (e.g. VPN access) with robust access verification. In addition to encryption "in transit" of communication with the company network, the company terminals should have reasonable protection mechanisms (password protection, encryption). The company must ensure that employees are unable to deactivate or circumvent default protection mechanisms without further ado, especially in the "turmoil" of the corona crisis.
If third parties (e.g. family members, flatmates) have access to the home office of the employee, the employee should ensure that the risks of unauthorised access to data by third parties are minimised, e.g. by
Personal and confidential data should only be processed directly at the employee's home office. If this is not possible, the data to be protected should in any case be stored in a lockable cabinet. Finally, the employee should ensure that all documents that are no longer required are destroyed in a manner that complies with data protection regulations (e.g. by shredding the document into small pieces).
Further necessary measures can be found in the overviews published by the BSI on the subject of "telework". In addition, our experts have designed a special FAQ on the legal requirements in the home office, which you can find in an updated version here.
Experience has shown that the greatest risks to IT security arise where employees act carelessly or are not sufficiently sensitized to the corresponding dangers. Training and sensitization of employees is therefore one, if not the most important part of an efficient IT security strategy.
Employees must be given a clear understanding of what is possible and what is taboo when it comes to IT security - and what dangers lurk in the corona crisis! Especially in times of corona, attackers take advantage of the employees' insecurity. Also during the crisis, it is helpful to inform employees about the essential security measures, e.g. in a short instructional video or online briefing.
Particularly against the background of the growing danger of cyber attacks by phishing and ransom/malware, among others, employees should be clearly advised of the corresponding risks and the proper handling of these sources of danger, especially during the Corona crisis.
The following recommendations, which the BSI also makes, are essential:
Further tips and information on the use of private devices in the home office ("Bring your own device" or BYOD for short) can also be found on our website.
Even before the (possible) incident, companies should continue to prepare for the emergency. For all companies currently struggling with the corona crisis, it should be a great challenge to draw up further plans for e.g. cyber attacks in addition to dealing with the crisis. However, a certain amount of planning ahead will pay off in the event of an emergency, so that at least the most important steps can be carried out quickly and effectively in the crisis. Essential points of such a plan are:
Last but not least, cyber-insurance can also be a useful component in the protection package before and after cyber-attacks - also and especially during the corona crisis. Depending on their design, they not only mitigate the financial consequences of a cyber attack. Based on their experience, insurers can also provide further valuable assistance in the event of an incident: through appropriate contacts with specialists, but also before that by providing appropriate checklists and further instructions.
Should a cyber attack occur, the following steps should be taken to mitigate the risks:
IT security incidents are extreme situations that can sometimes lead to great psychological stress for the persons involved. A contingency plan helps to ensure that no essential steps are overlooked and also provides a certain amount of legal security when it comes to finding and eliminating the sources of danger and closing possible gaps in the first few hours.
In times of corona and the associated challenges such as staff shortages, absence of the responsible employees and increased cost pressure, this is an even greater challenge for many - if not all - companies, but one that can be mastered with appropriate preparation.
Experts can help to quickly find the causes of a cyber attack and to quickly and efficiently contain the risks and possible resulting damage to the company. IT experts give advice on which measures are particularly important in the first few hours to protect company systems (e.g. changing passwords, virus scans, resetting systems and hardening IT security for future threats).
All findings about the detected or suspected cyber attack must be thoroughly investigated and documented. This is essential, among other things, in order to be able to inform authorities and affected persons adequately in the event of an incident. Since the facts are often diffuse, the advice of experts is usually indispensable. Evidence such as log files must be secured in time before they are (automatically) deleted. Subsequently, a comprehensive documentation helps to analyse the processes and to draw conclusions for process improvements and measures to prevent future attacks.
Law enforcement authorities can sometimes achieve more than the injured parties themselves in prosecuting the perpetrators. For example, follow-up data can be obtained, search measures can be initiated, or information can be obtained from other sources that are otherwise not accessible, which can be helpful in the subsequent prosecution of civil law claims. As such measures lose their effect over time, it is important to act quickly and in close coordination with the authorities - even if in practice such measures will unfortunately be successful in the rarest cases.
Depending on the operation, notification to data protection authorities and/or the data subjects will be required. First of all, the relevant deadlines must be determined immediately upon discovery of the attack. Reports to data protection authorities must be made within 72 hours (for the requirements see Art. 33, 34 GDPR). Whether such a report is actually to be made often requires a forecast decision with regard to the existing risk for the persons concerned, because the situation will be clear in the rarest cases. In order to avoid unnecessary reporting and to ensure a legally strategic approach, specialised legal advice should be obtained. Points to be clarified in this context are regular:
In any case, the communication and defence strategy should be clearly defined before a notification is made. It must be reported “in advance”. Depending on the process, reporting can be the first step in a lengthy communication with the authorities, which can later also involve the investigation of legal violations by the reporting company. For this reason alone, a report should always be preceded by at least a brief examination of the company's data protection compliance in order to be prepared for any inquiries. In many cases, however, it has proven to be a good idea to work together with the authorities in a cooperative and constructive manner!
Particularly in the stressful situation of a cyber attack, elementary (data protection) legal requirements are often overlooked in internal and external investigative measures, which in an emergency can lead to a subsequent ban on the use of evidence and separately sanctionable data protection violations. Especially before employee screenings or the personalized control of log files, the measures should therefore be legally reviewed. In times of corona, these requirements are particularly challenging for companies, but remain essential in order to be able to act in a legally secure manner.
In general, and especially in times of Corona, it is best to remain calm in case of a cyber attack. Inconsiderate measures can often deepen the damage. Professionals can help to avoid such mistakes. For dealing with future incidents, companies must learn from mistakes and be (legally) prepared for the next attack, be it by further hardening IT security or by further improving processes.
We regularly support companies in connection with cyberattacks, regulatory reports, information of affected persons and the "clean-up" after a corresponding incident - even during the corona crisis! We have a large team of experts who have extensive experience in dealing with cyber attacks and can support you quickly and efficiently.
We have compiled on our website comprehensive information and recommendations for action in response to the legal implications arising from the coronavirus pandemic: Coronavirus - legal issues
by multiple authors
by multiple authors