Data breaches as a result of hacking attacks
Cyber attacks on IT systems represent an ever-increasing challenge in data protection law. Large-scale hacker attacks on companies are reported at regular intervals in a large number of relevant media. Well-known companies and programmes - e.g. Windows 10 - have already been the target of cyber attacks. In times of increasing digital transformation - intensified by the Covid-19 pandemic - and of political tensions, controllers have all the more reason to engage with the topic. The following article is therefore intended to provide a brief introduction to the reporting and notification obligations provided for in the GDPR and, in doing so, to address some special features of attacks on a company's internal IT infrastructure. Even though the European Data Protection Board (EDPB) has only recently updated its "Guidelines 01/2021 on Examples regarding Personal Data Breach Notification", data protection practice shows that ambiguities can still arise in the interpretation of the relevant provisions.
Obligation to notify the supervisory authority pursuant to Art. 33 GDPR
Article 33 (1) of the GDPR first establishes the obligation for data controllers to report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours. Article 4 No. 12 of the GDPR specifies when a personal data breach is to be assumed. According to this, a breach of security - whether accidental or unlawful - must lead to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. However, this should not be misunderstood to mean that every data breach must be reported. The question of whether the data processing itself was carried out lawfully - i.e. in compliance with a legal basis under data protection law - is not decisive. It is obvious that some problems of demarcation can arise at this point.
If a previously identified personal data breach is "unlikely to result in a risk to the rights and freedoms of natural persons", the obligation to notify, which is generally prescribed, does not apply. The risk assessment, which is not always easy to handle, must be carried out in each individual case and cannot be "prepared" without restrictions. However, various national data protection supervisory authorities have published guidelines to help data controllers assess the factors to be taken into account (see, for example, the Hamburg Commissioner for Data Protection and Freedom of Information). In addition to the type and scope of the data concerned, the consequences to be expected - such as identity theft of the data subject - may play a role. It also makes a decisive difference how easy and likely it is that the data subject can actually be identified from the respective data.
If an assessment carried out according to the aforementioned criteria comes to the conclusion that a risk to the rights and freedoms of natural persons is likely, the controller must observe the 72-hour period standardised in Article 33 (1) of the GDPR. The relevant starting point for the deadline is the point in time at which the data breach "became known" to the controller. As a rule, this requirement is met if there is sufficient certainty that a security incident has occurred. When such certainty can be assumed depends on the circumstances of the individual case. However, it does not matter how the controller became aware of the relevant facts - e.g. through external third parties. When observing the 72-hour deadline, the question may also arise as to whether, for example, weekend days - in accordance with the rules of German procedural law - lead to an extension of the deadline to the next working day. Even if an immediate reaction from a supervisory authority is not to be expected on a Sunday, Art. 33 GDPR does not provide for such an extension of the deadline. Therefore, if the deadline expires on a public holiday, for example, at least a short preliminary notification should be made, stating that a detailed notification in accordance with Article 33 of the GDPR is planned for the next working day. If supervisory authorities offer special forms on their websites, these can also be used on a public holiday. Under no circumstances should a controller "wait" until an authority is actually reachable.
Further problems can arise if external third parties - e.g. IT service providers - are involved. If such a service provider becomes aware of a data breach but does not report it for a certain period of time, the question arises as to when the 72-hour period for a notification begins to run. However, since Article 33 of the GDPR explicitly refers to the controller becoming aware, we do not believe that the awareness of the respective service provider should be taken into account. The controller must be in a position to make full use of the time period made available to it in order to notify the authority of the relevant incident.
Obligation to notify the data subject pursuant to Art. 34 GDPR
In addition to the obligation to notify the data breach to the supervisory authority, the controller may - depending on the circumstances of the individual case - also be obliged to communicate the incident directly to the data subject. However, according to Article 34 (1) of the GDPR, this requires that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. While an obligation to notify the supervisory authority will often exist, the obligation to communicate with the data subject must be examined more closely. The criteria already mentioned must also be taken into account in the risk assessment to be carried out.
Application of these principles to cyber attacks
In order to show the difficulties in applying the law in individual cases, the following example will serve as an illustration.
Many companies ask themselves in particular to what extent the encryption of data in the event of a cyber attack can have an influence on the risk for those affected and thus also on any obligation to report or notify. For example, situations are conceivable in which an attacker gains access to certain - encrypted - data records but does not obtain the corresponding key for decrypting the data. It is also conceivable that the affected data is temporarily no longer available. As is so often the case, the individual case will be decisive in these constellations. First of all, it can be stated that encryption does not automatically mean that a risk to the data subjects can be ruled out from the outset. In such a constellation, the controller should always check which consequences for the data subjects are conceivable - for example, in the form of financial or social disadvantages - and over what period of time the attacker had access to the corresponding data. If it is only possible to restore the data after the notification period under Article 33 (1) of the GDPR has expired, the EDPB considers that this can also be included in the risk assessment to be carried out. If the cyber attack affects special categories of data pursuant to Article 9 (1) of the GDPR, this circumstance must also be taken into account.
For the sake of understanding, the following should be noted at this point: even if personal data has been encrypted, the GDPR applies without restriction. The "threshold" for anonymising data must be set very high, and "mere" encryption will not, as a rule, take the data outside the scope of the GDPR. On the other hand, state-of-the-art encryption can exclude, or at least minimise, risks to the rights and freedoms of natural persons. Companies are therefore advised to protect their internal IT infrastructure in accordance with the technical and organisational measures provided for in Article 32 of the GDPR in order to minimise conceivable risks in the event of a data breach.
Further specifics may arise if a cyber attack has been identified but the corresponding malware has been rendered harmless. In particular, if there is no evidence that the company's internal data was actually accessed, a thorough risk assessment must still be carried out. Even in this - at first glance - "harmless" constellation, it is important to note that no generally valid statements can be made for a risk assessment. Often, the consequences of a cyber attack cannot be easily estimated. Therefore, even in the aforementioned scenario, controllers must evaluate all circumstances of the individual case in an overall assessment.
Cyber attacks are not just a "nuisance", but can lead to high risks for the individuals affected in the event of an emergency. Companies also have a lot at stake. In addition to their own reputation, supervisory measures - including fines - must always be kept in mind. We therefore urgently advise companies to put their internal IT infrastructure to the test and to attach greater importance to the issue of IT security. If a data breach is actually identified, there should be no hesitation; in cases of doubt, legal advice should be sought.
For controllers, it is also a good idea to inform themselves using the many publications by the authorities. For example, the Bavarian State Office for Data Protection Supervision has compiled various information in a flyer on the topic of "cybercrime" to provide an overview and to sensitise companies accordingly. The Bavarian State Commissioner for Data Protection also has a separate information page on the topic of "cyber defence". Finally, the German Federal Office for Information Security (BSI) has published a "Guide to Responding to IT Security Incidents" and provides information on different attack scenarios and corresponding countermeasures. In addition, the BSI's website offers a constantly updated overview of the state of defence technology, which companies should implement within the scope of what is appropriate for them. Those who follow these BSI recommendations can hardly be accused of not having fulfilled their obligations to establish data security under Article 32 of the GDPR.
SKW Schwarz has its own task force on the topic of data breaches (in particular on the problems of cyber attacks) and is happy to support companies in dealing with data protection in an emergency. Due to the topicality of the issue, SKW Schwarz will also invite interested parties to a webinar at short notice to discuss current legal issues regarding cyber attacks. Finally, as a recommendation to companies, it is important for us to once again point out the implementation options and problems when claiming insurance protection against cyber threats (see also the article "The main thing is cyber insurance!"). Whether and how cyber insurance can be suitable for cushioning the consequences of a cyber attack for companies in many cases requires dealing with the specific problems of this type of insurance - even before concluding a corresponding contract.