Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Personal data must be protected against unauthorised processing through adequate technical and organisational measures. These measures are set forth in more detail in articles 8 to 12 of the implementing Ordinance to the Federal Data Protection Act (DPO). Any system in which personal data is processed must live up to appropriate state-of-the-art technical standards in terms of protection against risk of unauthorised or accidental destruction or loss, technical flaws, forgery, theft or unlawful access, copying, use, alteration and other kinds of unauthorised processing. More specific requirements are imposed on systems that feature automated processing of personal data. Those systems must, in particular, ensure appropriate access, disclosure, storage and usage controls. In the context of the revision of the FDPA, the DPO is also slated for an overhaul; however, a revised ordinance has not yet been issued.

Sector-specific regulations do not contain more detailed requirements on the actual standards to be implemented.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

To date, Swiss law does not expressly prescribe such recording obligations. Under the text of the revised FDPA, in particular, as certain data breaches will have to be notified, this would imply recording cyberthreats to the extent these resulted in a breach.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

The current FDPA does not provide for an explicit obligation to notify data breaches. Switzerland is finalising the steps towards ratification of the revised Council of Europe Treaty 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) as the Federal Council ratified it in December 2019 and Parliament is expected to give its formal approval in the near future. Under the revised Council of Europe Treaty 108, a notification obligation in the case of data breaches would have to be included in local law. Pursuant to article 7, paragraph 2 of the revised Treaty, the data controller is obliged to notify, without delay, at least the competent supervisory authority of data breaches that may seriously interfere with the rights and fundamental freedoms of data subjects. Consequently, and in anticipation of the ratification, the revised FDPA provides for a duty to notify data breaches to the Federal Data Protection and Information Commissioner (FDPIC). The revised rules call for data controllers to notify the FDPIC as soon as possible if a data breach has occurred and when the breach is likely to result in a high risk to the privacy or the fundamental rights of the data subject. Conversely, the data processors have to notify all breaches of data security to the data controller as soon as possible. This breach notification mechanism will not systematically require informing the data subjects as this step shall only be required when necessary for the protection of the data subject or if requested by the FDPIC.

Notification duties specific to certain sectors and critical infrastructures include the following:

  • financial services sector: mandatory notification to the Swiss Financial Market Supervisory Authority without delay regarding events of material relevance for the supervision of the relevant supervised entity;
  • telecommunications sector: notification to the Federal Office of Communications of faults in the operation of telecommunications networks that affect a significant number of customers;
  • aviation sector: notification to the Federal Office of Civil Aviation in the event of safety-related data breaches;
  • railway industry: notification to the Federal Department of the Environment, Transport, Energy and Communications in the event of severe incidents; and
  • nuclear sector: notification to the Swiss Federal Nuclear Safety Inspectorate in the event of safety-related data breaches.
Time frames

What is the timeline for reporting to the authorities?

Sector-specific provisions may require the affected entity to report any relevant cybersecurity incidents without delay.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Scholarly opinion holds that article 4, paragraph 2 of the FDPA, which enshrines the principle of good faith, entails the rule that data subjects must be informed of unauthorised access to their data. However, such notification duty depends on the gravity of the breach in question. Further, specific contractual obligations may impose on organisations a duty to report threats or breaches. The revised FDPA contains rules on the notification of data breaches. Pursuant to these rules, the data controller may be required to inform the data subjects of the breach if the information should prove necessary for the protection of the data subject or if it is requested by the FDPIC.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

1 January 2021.