News

Cyberattacks and data theft

08.01.2019

The New Year period generally yields little news. Still, there was one topic which hit the headlines and which generally deserves more public attention: attacks by hackers, cyberactivists and data leaks. Hackers published sensitive data on Twitter about public figures, including a number of politicians, a practice known as doxxing.

What does this mean for the authorities and companies affected?

According to the information available so far, no politically or financially sensitive information was involved. But this is just a matter of luck and not a general rule. Especially in a business context, attackers often target sensitive data, especially trade and company secrets or customer data. Thus, cyberattacks are not merely a theoretical threat, but are becoming increasingly relevant. According to a report by our firm and the Center for Corporate Compliance at EBS Law School, 36% of the companies surveyed had been affected by cybersecurity incidents such as hacker attacks in the past few years. Nearly 50% of the companies surveyed expect similar incidents in the next few years.

What can affected companies do?

In the event of misappropriation of data by hackers, as in the recently reported cases, companies may face damage to their reputation, a drop in revenues, fines and compensation claims. Besides, the management bears the risk of being held personally liable for damage caused to the company. To minimise these risks, the following action may be taken:

Prevent: Take necessary preventive measures

Prevention is the core of any defence; alongside technological defensive measures which should be based on the specific risk situation of the company, effective legal measures are also required, including the following:

  • Identifying and assessing the company’s specific cyber-risks and weak points.
  • Checking the status of existing service level agreements with service providers for security gaps, and adjusting them if necessary.
  • Setting up a contingency plan for the event of a cyberattack, including defining responsibilities in a crisis, internal and external legal advisors, IT experts and PR professionals if necessary.
  • Checking the status and if necessary adjusting the scope of insurance (possibly cyber-insurance) with a focus on coverage of business interruption costs, costs of restoring the IT system, IT forensics and third-party claims.

Detect: Immediately secure claims

To keep the damage to a minimum following a hacker attack, the company must respond immediately in the event of an attack:

  • The most important thing is to meet the notification obligations of data privacy law within 72 hours, pursuant to Art. 33, 34 GDPR. If these are not complied with, the company can face significant consequences including severe fines.
  • Where cybercriminals have attacked a company providing critical infrastructure (section 2(10) Act on the Federal Office for Information Security [BSIG]), the provisions of the BSIG and other special acts must be complied with; in particular, special reporting obligations apply.
  • The option of filing a complaint should also be considered. There are now special public prosecutors’ offices in many German states which specialise in cybercrime, such as the Bavarian Central Bureau of Cyber Crime or the North Rhine-Westphalia Central Bureau and Contact Point for Cyber Crime. This specialisation continues at police level. Even if the attackers will not necessarily be identified and even prosecuted under criminal law, evidence obtained by investigating authorities is often very valuable for subsequent recourse claims against third parties (service providers, insurance companies, executive bodies).
  • It is also important to get the insurer involved early on in order to comply with the obligations of the insurance policy and not to jeopardise insurance coverage
  • It may be sensible to use IT forensic specialists along with the investigating authorities in order to track down the hackers
  • Immediate coordination with lawyers (also abroad, if applicable) to secure access to assets or data abroad

Respond: Assert claims

In the event of data theft at companies, it is also important not only to rapidly resolve the matter and immediately secure claims but also to actively pursue them and thereby avert damage from the company, its shareholders and its employees. The following measures would be appropriate:

  • If the company responds quickly, monies can still be secured. In addition to criminal proceedings, interim relief proceedings can make sense. It is advisable to involve specialised law firms which can implement suitable measures, if necessary in coordination with lawyers abroad
  • It should be checked whether there is insurance that covers the involvement of costly support
  • It is also important to prepare a defence against compensation claims by third parties such as customers or business partners if their personal or confidential data has been misappropriated
  • Also check whether any claims can be asserted against the IT service providers if there is a contractual basis for this

Are executive bodies liable?

No cases are yet known of in Germany in which the management has faced legal action as a result of cyberattacks. However, liability for breach of the duty of care in respect of IT security obligations is certainly conceivable. Legal action is also obvious because the usual D&O insurance policies do not provide for any exemption for such breaches of duty. One exception is currently under discussion in the US: if a foreign state is behind a cyberattack – discussed for the “NotPetya” attack – the insurer could invoke an exemption for attacks by sovereign states.

Conclusion

While there is no out-and-out protection from hacker attacks, companies should put in place maximum safeguards. Here the Prevent, Detect, Respond triad known from in compliance management systems can be made materialise. By contrast, inadequate measures can have serious consequences for the company and its management. To avert damage from the company, it is essential to tackle the company-specific cyber-risks already at an early stage. This is precisely the job of the management if it wants to avoid being held liable itself.

 

Contact

Arbitration
Compliance & Investigations
IT & Outsourcing
Insurance & Reinsurance
Data Privacy
Data Privacy
Digital Business
Family-owned Businesses and Private Clients
Fintech
Life Sciences
Commerce & Trade
Telecommunications

Share

Show all

Insights

blurred motion on railway
News

New since 15 March 2024: Third-party notices in DIS arbitration proceedings - The Supplementary Rules for Third-Party Notices (DIS-TPNR)

18.04.2024
hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
telescopes with pulse
News

Digital Markets Act: European Commission opens investigations against Alphabet, Apple and Meta

28.03.2024
bridge river with pulse
News

CSDDD update: Breakthrough in European Corporate Sustainability Due Diligence Directive (CSDDD)?

21.03.2024
pipe structure
News

Company succession: new option trap when exempting operating assets

15.03.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
people working late in office blurred corporate
News

Classics of authorised dealer law still relevant

04.03.2024