Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

As mentioned in question 6, personal data must be protected against unauthorised processing through adequate technical and organisational measures. Such measures are set forth in more detail in articles 8 to 12 of the implementing Ordinance to the FDPA. Any systems in which personal data is processed must live up to appropriate state-of-the-art technical standards in terms of protection against risk of unauthorised or accidental destruction or loss, technical flaws, forgery, theft or unlawful access, copying, use, alteration and other kinds of unauthorised processing. More specific requirements are imposed on systems that feature automated processing of personal data. Such systems must, in particular, ensure appropriate access, disclosure, storage and usage controls. In the context of the revision of the FDPA, the implementing Ordinance to the FDPA is also slated for an overhaul; such a revised ordinance has, however, not yet been issued.

Sector-specific regulations do not contain more detailed requirements on the actual standards to be implemented.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

To date, Swiss law does not expressly prescribe such recording obligations.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

The current FDPA does not provide for an explicit obligation to notify data breaches. Should Switzerland ratify as it intends to do, the revised Council of Europe Treaty 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data), a notification obligation in the case of data breaches would have to be included in local law. Pursuant to article 7, paragraph 2 of the revised treaty, the data controller is obliged to notify, without delay, at least the competent supervisory authority of data breaches that may seriously interfere with the rights and fundamental freedoms of data subjects. Consequently, and in anticipation of the said ratification, the draft of the revised FDPA provides for a duty to notify data breaches to the FDPIC (see question 24). The draft rules call for data controllers to notify the FDPIC as soon as possible in case a data breach occurs and when such breach is likely to result in a high risk to the privacy or the fundamental rights of the data subject; conversely, the data processors have to notify all breaches of data security to the data controller as soon as possible. This breach notification mechanism will not systematically require informing the data subjects, as this step shall only be required when necessary for the protection of the data subject or if requested by the FDPIC.

Sector- and critical infrastructure-specific notification duties include:

  • financial services sector: mandatory notification to FINMA without delay regarding events of material relevance for the supervision of the relevant supervised entity;
  • telecommunications sector: notification to OFCOM in the case of faults in the operation of telecommunications networks that affect a significant number of customers;
  • aviation sector: notification to the Federal Office of Civil Aviation in the case of safety-related data breaches;
  • railway industry: notification to the Federal Department of the Environment, Transport, Energy and Communications in the case of severe incidents; and
  • nuclear sector: notification to the Swiss Federal Nuclear Safety Inspectorate in the case of safety-related data breaches.
Timeframes

What is the timeline for reporting to the authorities?

The sector-specific provisions mentioned in question 28 require the affected entity to report any relevant cybersecurity incidents without delay.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Scholarly opinion holds that article 4, paragraph 2 FDPA, which stipulates the principle of good faith, entails the rule that data subjects must be informed of unauthorised access to their data. However, such notification duty depends on the gravity of the breach in question. Further, specific contractual obligations may impose on organisations a duty to report threats or breaches. As mentioned above (see questions 24 and 28), the draft of the revised FDPA contains rules on the notification of data breaches. Pursuant to these rules, the data controller may be required to inform the data subjects of the breach if such information should prove necessary for the protection of the data subject or if it is requested by the FDPIC.