The New Year period generally yields little news. Still, one topic hit the headlines and generally deserves more public attention: attacks by hackers and cyberactivists, and the data leaks that result from them. Hackers published sensitive data on Twitter about public figures, including a number of politicians, a practice known as doxxing.
What does this mean for the authorities and companies affected?
According to the information available so far, no politically or financially sensitive information was involved. But this is just a matter of luck and not a general rule. Especially in a business context, attackers often target sensitive data, especially trade and company secrets or customer data. Thus, cyberattacks are not merely a theoretical threat, but are becoming increasingly relevant. According to a report by our firm and the Center for Corporate Compliance at EBS Law School, 36% of the companies surveyed had been affected by cybersecurity incidents such as hacker attacks in the past few years. Nearly 50% of the companies surveyed expect similar incidents in the next few years.
What can affected companies do?
In the event of misappropriation of data by hackers, as in the recently reported cases, companies may face damage to their reputation, a drop in revenues, fines and compensation claims. In addition, the management bears the risk of being held personally liable for damage caused to the company. To minimise these risks, the following action may be taken:
Prevent: Take necessary preventive measures
Prevention is the core of any defence; alongside technological defensive measures which should be based on the specific risk situation of the company, effective legal measures are also required, including the following:
- Identifying and assessing the company’s specific cyber-risks and weak points.
- Checking the status of existing service level agreements with service providers for security gaps, and adjusting them if necessary.
- Setting up a contingency plan for the event of a cyberattack, including defining responsibilities in a crisis, internal and external legal advisors, IT experts and PR professionals if necessary.
- Checking the status and if necessary adjusting the scope of insurance (possibly cyber-insurance) with a focus on coverage of business interruption costs, costs of restoring the IT system, IT forensics and third-party claims.
Detect: Immediately secure claims
To keep the damage to a minimum following a hacker attack, the company must respond immediately in the event of an attack:
- The most important thing is to meet the notification obligations of data privacy law within 72 hours, pursuant to Art. 33, 34 GDPR. If these are not complied with, the company can face significant consequences including severe fines.
- Where cybercriminals have attacked a company providing critical infrastructure (section 2(10) Act on the Federal Office for Information Security [BSIG]), the provisions of the BSIG and other special acts must be complied with; in particular, special reporting obligations apply.
- The option of filing a complaint should also be considered. There are now special public prosecutors’ offices in many German states which specialise in cybercrime, such as the Bavarian Central Bureau of Cyber Crime or the North Rhine-Westphalia Central Bureau and Contact Point for Cyber Crime. This specialisation continues at police level. Even if the attackers will not necessarily be identified and even prosecuted under criminal law, evidence obtained by investigating authorities is often very valuable for subsequent recourse claims against third parties (service providers, insurance companies, executive bodies).
- It is also important to get the insurer involved early on in order to comply with the obligations of the insurance policy and not to jeopardise insurance coverage.
- It may be sensible to use IT forensic specialists along with the investigating authorities in order to track down the hackers.
- Immediate coordination with lawyers (also abroad, if applicable) to secure access to assets or data abroad.
Respond: Assert claims
In the event of data theft at companies, it is also important not only to rapidly resolve the matter and immediately secure claims but also to actively pursue them and thereby avert damage from the company, its shareholders and its employees. The following measures would be appropriate:
- If the company responds quickly, monies can still be secured. In addition to criminal proceedings, interim relief proceedings can make sense. It is advisable to involve specialised law firms which can implement suitable measures, if necessary in coordination with lawyers abroad.
- It should be checked whether there is insurance that covers the involvement of costly support.
- It is also important to prepare a defence against compensation claims by third parties such as customers or business partners if their personal or confidential data has been misappropriated.
- Also check whether any claims can be asserted against the IT service providers if there is a contractual basis for this.
Are executive bodies liable?
No cases are yet known of in Germany in which the management has faced legal action as a result of cyberattacks. However, liability for breach of the duty of care in respect of IT security obligations is certainly conceivable. Legal action is also a realistic prospect because the usual D&O insurance policies do not provide for any exemption for such breaches of duty. One exception is currently under discussion in the US: if a foreign state is behind a cyberattack – discussed for the “NotPetya” attack – the insurer could invoke an exemption for attacks by sovereign states.
While there is no absolute protection from hacker attacks, companies should put in place the strongest safeguards available to them. Here the Prevent, Detect, Respond triad known from compliance management systems can be put into practice. By contrast, inadequate measures can have serious consequences for the company and its management. To avert damage from the company, it is essential to tackle the company-specific cyber-risks at an early stage. This is precisely the job of the management if it wants to avoid being held liable itself.