Digitization and networking are moving ahead swiftly: in society, in the economy, and at state level. No one can afford to ignore the issue of cybersecurity. Users depend on working IT systems. Although the threat from the Internet is invisible, it is extremely real.
Cybersecurity covers technical and organizational aspects relating to the protection of data and information systems, with a particular focus on preventing cybercrime. This is the downside of ever-progressing digitization: the potential attack surface for hackers and other cybercriminals is becoming larger and more diverse. Attackers are developing more efficient malware along different attack paths; WannaCry and Spectre/Meltdown are well-known examples. They are designed to influence the functioning of IT systems or to siphon off internal information. Digital industrial espionage is now just as much a part of everyday life as criminal networks that sell cyberattacks as a service. Companies’ web presences can also be manipulated. Business interruption, the costs of investigating incidents, and the restoration of IT systems all lead to financial consequences and, particularly sensitive from the companies’ point of view, an associated loss of reputation. In Europe, there is an additional risk: the first fines imposed on the basis of the new General Data Protection Regulation are sanctioning the inadequate protection of personal data. A fine of EUR 400,000 was recently imposed on a hospital (even without an IT security incident having occurred). The “Knuddels” social network was fined only EUR 20,000, following its close cooperation with the data protection supervisory authority, after a massive amount of unencrypted customer data had been lost.
In a 2018 status report on IT security in Germany, the Federal Office for Information Security (BSI) reports that some 70 percent of companies and institutions had been victims of cyberattacks in 2016 and 2017. Almost half of those attacks were successful. The BSI encourages companies to create adequate security concepts that directly limit damage in the event of cyberattacks.
This gives rise to legal and economic issues: Are there sufficient plans in the company to avert cyberattacks? Has damage mitigation been considered? To what extent will the company be liable for inadequate security precautions as part of prevention and damage mitigation? Will recourse against a supplier of defective software be possible in the event of a hacking incident? Is the company subject to special reporting obligations? Does cybersecurity have to be addressed in contracts as well? To what extent do the many new cyber insurance products provide meaningful protection?
The dynamics of digitization are constantly creating new risks, making cybersecurity ever more important. The invisible opponent on the web makes it difficult to offer evidence. Accordingly, decision-makers are obligated to legally secure their companies in cases of cyberattacks. We will be glad to shed light on your particular situation and assist you in protecting your company against cyberattacks.
Your contacts are the experts from the IP, Media & Technology Practice Group. Dr. Ruben A. Hofmann, Dr. Lutz Martin Keppeler and their team specialize in data protection, Internet law, and IP law.