Our consulting approach
The primary goal of our legal advice in the area of cybersecurity is the creation or restoration of secure processes and procedures within the business area of our clients. Since the causes for a lack of security in the processing of data or in the IT security infrastructure can be manifold, our consulting approach is also varying, but in any case adapted to the specific needs of our clients. You benefit from our expertise in all relevant areas of IT and data protection law. From the implementation of a comprehensive information security or data protection management system to rapid intervention in the event of a cyber attack on your systems.
Our experts work together in fast-action task forces to ensure that your company quickly becomes operational again and remains so in the long term. Below, we provide an overview of the focus areas of our IT security law practice.
Please also visit our topic page on Data Protection & Data Security.
Advice on data protection and IT security breaches, especially cyber attacks
In recent years, the risk of companies falling victim to cyberattacks has increased dramatically. Should attackers succeed in penetrating internal systems, companies regularly find themselves exposed to considerable ransom demands, fines and/or significant loss of reputation. We support you in preventively identifying and remediating IT and data protection vulnerabilities in your infrastructure. If you become a victim of a cyber attack, we will help you with Incident and Emergency Response with our network of technical IT security consultants. We will handle communication with investigative and regulatory authorities on your behalf and support you in preparing and executing internal and external communications regarding the incident.
Advice on the implementation of information security and data protection management systems (ISMS and DSMS)
Modern security standards require a variety of effective, synergistic measures to protect the IT infrastructure. An information security management system helps you to establish procedures and rules within your organization to permanently guarantee and continuously improve the security of the information you process. In order to organize and permanently guarantee compliance with the special requirements of processing personal data, a data protection management system should also be introduced and maintained.
We will be happy to advise you on introducing data protection and information security management systems and ensuring that they mesh. If you wish, we can also support you with certification.
In the aftermath of an IT security incident, claims may also be made against corporate bodies, such as acting board members or managing directors. If previous protective mechanisms have not been effective, cyber insurance should be taken out as a last resort to provide effective cover for the responsible parties. The conclusion of such an insurance seems advisable especially because the damages incurred are usually not covered by the D&O insurance. Overall, the range of benefits of all insurance policies with regard to damage caused by IT security incidents should definitely be adapted to the respective company situation and the individual liability risk. Here, the legal expertise of our lawyers helps to identify which benefits should really be available.
Data protection law
The importance of data protection and data protection compliance is constantly increasing, and not only against the background of more and more reports of proceedings for fines and damages. For this reason, it is essential to ensure that the processing of personal data complies with data protection regulations. In practice, these requirements constantly present data controllers with new, complex tasks, the mastering of which can be associated with an immense expenditure of time and money.
Our cross-location team of market-renowned and award-winning experts supports you in answering individual questions as well as in designing extensive processes in compliance with data protection regulations and minimizing the associated risks.
Emergency Response Plan
In the event of a cyber attack, the most important step is to act quickly. Every hour that business processes are interrupted causes further damage to affected companies. Therefore, necessary immediate measures should be initiated immediately and a crisis team should be formed to coordinate further action. We will help you implement a comprehensive emergency response plan and support you in developing a tailor-made concept to prepare you for an emergency.
KRITIS operators and regulated industries
In addition to general IT security requirements, operators of critical infrastructures must also comply with the provisions of the BSI Act. As a result, operators of critical infrastructures must take particular care to ensure that the critical infrastructures they operate are and remain functional. After all, the failure or disruption of a critical infrastructure has significant consequences for a large number of people.
The increased requirements for operators of critical infrastructures apply both with regard to the elements, components and parts used and with regard to the software used.
Managed service and service level agreements with IT service providers
Every company is faced with the question of whether and to what extent it uses the support of external service providers to manage its IT infrastructure. The use of such managed services, which, in contrast to other types of IT outsourcing, involve regularly recurring services, can be worthwhile for companies since their own resources are saved. However, in the interest of both parties, the scope of the service to be provided should be clearly defined in advance and contractually agreed. Transparency about the acquired range of services is created by concluding a service level agreement, which contractually stipulates the services to be provided by the external company. The negotiation of this contract requires a high level of consulting and negotiation competence in order to optimally assert your interests. We are happy to support you in this.
Duties of corporate bodies and liability of corporate bodies
Cybersecurity is a C-level matter. Therefore, the appropriate consideration of IT security law requirements and compliance with data protection regulations is essential for companies, regardless of their size. Companies that fail to comply with these obligations and, under certain circumstances, also their executive bodies, face the threat of claims from contractual partners or liability to the company. Serious violations of such obligations can also result in severe fines.
With the help of our holistic consulting approach, you can assess and minimize your liability and litigation risks. Our lawyers specializing in IT security, corporate, insurance and compliance law will be happy to support you in implementing and enforcing appropriate measures, taking out D&O insurance and, if necessary, defending yourself in court against asserted claims.
Product safety and supply chains for IT and software products
Increasingly, cyberattacks are also occurring indirectly via external service providers. As with any cyberattack, there is also an enormous liability risk for the affected companies in the event of an indirect attack, i.e. in the form of an attack on another company within the supply chain. Especially against the background of ever new national and European legal requirements, companies face a wide range of legal issues when using and distributing digital products and digital content. We advise you on the implementation of a strategy that interlinks different, synergetic measures to secure the supply chain.
Examination of legal questions concerning the state of the art
The central concept of IT security law is that of "state of the art". Not only in the area of critical infrastructures, but also for telemedia providers, the use of IT systems at credit institutions, the introduction of technical and organizational measures in the area of data protection, policies of cyber insurance and much more, the interpretation of this term is of central importance and at the same time highly complex in legal terms.
The distinction from "generally accepted rules of technology" or the "state of the art in science and technology" is also a legal requirement that should not be overlooked. Not least due to the technical expertise of our lawyers specializing in IT security law, we will be happy to advise you on the state of the art in all areas relevant to you.
Stärkung der Cybersicherheit in kritischen Sektoren – Welche Veränderungen die NIS 2-Richtlinie mit sich bringt; Manuel Poncza; Data Protection Update No. 136, March 8, 2023
- Der Entwurf des Cyber Resilience Act und dessen Konsequenzen für KMUs; Manuel Poncza; IHK Cologne, March 14, 2023
Cyberversicherung und der "Stand der Technik", Dr. Lutz M. Keppeler und Stefan Jöster; Messe Security Essen, September 21, 2022
Current Publications (selection)
- Digital Operational Resilience Act und Cyber Resilience Act: Neue Vorgaben der EU zur Cybersicherheit; Dr. Hans Markus Wulf & Dr. Johannes Rolfs, LL.M.; Data Protection Update No. 132, Feb. 13, 2023
- Manuel Poncza: Der Entwurf des EU Cyber Resilience Act, Zeitschrift für Product Compliance (ZfPC) 2023, pp. 44-50
- Datenschutzrechtliche Grundlagen der sog. "Penetration Tests"; Manuel Poncza; Zeitschrift für Datenschutz 2023, 8
- Dr. Hans Markus Wulf, Dr. Lutz Martin Keppeler, Manuel Poncza: Cyberangriffe – Effektive Vorbeugung und richtige Begegnung im Angriffsfall; Update Datenschutz No. 123, November 24, 2022
- Manuel Poncza: Der Entwurf des EU Cyber Resilience Act, Update Datenschutz No. 118, September 2022
- Dr. Lutz M. Keppeler und Manuel Poncza: Warnstufe Rot – Die Log4Shell-Sicherheitslücke, Update Datenschutz Nr. 107, December 17, 2021
- Dr. Lutz M. Keppeler: Comments by § 4a, 4b, 5b, 7a, 7b,7c, 9b BSIG, § 11 EnWG und § 109 TKG in Ritter (Hrsg.), die Weiterentwicklung des IT-Sicherheitsgesetzes, 2021
- Dr. Hans Markus Wulf: Recht auf Datenkopie: Erstes höchstrichterliches Urteil zum datenschutzrechtlichen Auskunftsanspruch nach Art. 15 III DSGVO ergangen (BAG vom 27. April 2021), Update Datenschutz Nr. 95, April 2021
- Dr. Hans Markus Wulf: IT-Sicherheitsgesetz 2.0: Neuer Entwurf der Bundesregierung, Update Datenschutz No. 90, February 2021
- Dr. Lutz M. Keppeler: Dataguidance Cybersecurity Guidance in Germany, Dataguidance-Platform, April 2020
- Dr. Lutz M. Keppeler: Cyberschutz in der Anwaltskanzlei, MkG-Spezial, Mai 7, 2019
- Dr. Lutz M. Keppeler und Dr. Stefan Jöster, LL.M.: Tiber-EU: Sicherheitsstandards stärken Cyberversicherungen, Börsen Zeitung, March 30, 2019
- Dr. Hans Markus Wulf: Der Cybersecurity Act – Wohin steuert Europa in Fragen der Cybersicherheit?, Update Datenschutz Nr. 48, December 14, 2018
- Dr. Lutz M. Keppeler und Dr. Stefan Jöster, LL.M.: Worauf Makler beim Verkauf von Cyberpolicen achten sollten, Pfefferminzia, November 15, 2017
- Dr. Lutz M. Keppeler und Dr. Stefan Jöster, LL.M.: Cyber-Versicherungen gegen Online-Kriminalität, FAZ, October 10, 2017
Current Events (selection)
- Panel discussion with on data protection and cyber security, 3. Deutor Cyber Security Best Practice Conference, Markus Lennartz und Dr. Lutz M. Keppeler, Stuttgart, June 30, 2022
- Haftung für Cyberrisiken in der Kommune, 8. Kommunaler IT-Sicherheitskongress 2022, Stefan Jöster und Dr. Lutz M. Keppeler, Berlin, Mai 3, 2022
- Haftung und Organisationsverschulden der Kommune bei Cyber Vorfall. Digital.Kommunal.Sicher-Informationssicherheit in der Kommunalverwaltung, Dr. Lutz M. Keppeler, February 15/17/23 and 14, 2022
- Die Folgen eines Cyberangriffs, As part of the lecture series „Kurz mal Recht“ der IHK Hanau, November 25, 2021
- Live online interview on cyber insurance, together with Dr. Stefan Jöster, conducted by Malwarebytes, September 11, 2020
- Data protection and IT security law, presentation by Dr. Lutz M Keppeler, webinar „Cyberrisiken und Datenschutz in Zeiten des Homeoffice“, together with GOSSLER, GOBERT & WOLTERS ASSEKURANZ-MAKLER GMBH & CO. KG und der Digitrace GmbH, August 28, 2020
- BSI Basic Protection. New quasi-legal security standard?, lecture by Dr. Lutz M Keppeler, International Insuralex Meeting “Cyber beyond borders”, Frankfurt, November 29, 2019
- Teilnahme an Paneldiskussion “CYBER CRISIS MANAGEMENT”, lecture by Dr. Lutz M Keppeler, 2. Deutor Cyber Security Best Practice Conference 2019
- Basic Data Protection Regulation and E-Privacy Regulation, lecture by Dr. Hans Markus Wulf, Handelskammer Hamburg, Oktober 22, 2019
- Cybersicherheit & Recht – Rechtliche und technische Anforderungen für Unternehmen, lecture by Dr. Hans Markus Wulf, WM Gruppe, 21. Compliance-Tagung, September 19, 2019