11-30-2022 Article

Update Data Protection No. 123

Cyberattacks – Effective prevention and appropriate response in the event of an attack

A. Backdrop

As companies increasingly go digital, incidents and attacks against company IT infrastructures (“IT security incidents”) are multiplying. An IT security incident is an event that affects, or can affect, the security of information, and consequently the confidentiality, integrity and availability of data. IT security incidents are often carried out deliberately and in a targeted manner by attackers (“cyberattacks”). Cyberattacks can have severe consequences for the companies attacked, sometimes even leading to an outage of the whole IT infrastructure, and can seriously restrict internal and external business operations. In turn, this can have a significant impact on the company’s reputation in the market. Where a cyberattack leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data, it is a personal data breach within the meaning of Art. 4 (12) GDPR; this covers not only the theft of data but also, for example, its encryption by ransomware, which is a loss of availability. Once the breach has been identified, the controller is obliged to notify the competent supervisory authority without undue delay, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

B. Current cases of cyberattacks

The following cases of cyberattacks have recently been identified at well-known companies or public bodies:

  • In October 2022, the US Treasury was targeted by a DDoS attack carried out by the Russian hacker group Killnet, but was able to successfully fend off the attack.
  • In September, the company FourB S.p.A. – a sales partner of the Italian branch of Vodafone – was the target of a cyberattack. Hackers were able to access a 310 GB database with 295,000 files relating to Vodafone customers, such as contract information, contact details and copies of ID documents.
  • The French defense and technology group Thales was the victim of a ransomware attack in November. The hackers claim not only to have encrypted data but also to have stolen them and announced a data leak.
As soon as a cyberattack makes unauthorized access to personal data possible, or results in such data being published, it becomes a data protection issue. In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR). Fines can be imposed for a delayed report or a failure to report (Art. 83 GDPR).

Fines associated with infringements of the obligation to report can involve significant sums:
 
  • In December 2020, Berlin’s commissioner for data protection and freedom of information imposed a fine of EUR 12,000 on a company that failed to comply with the obligation to report.
  • In June 2019, the Hungarian data protection authority imposed a fine of EUR 15,462 for a delayed report (45 days after the incident).
  • In March 2019, the Hungarian data protection authority imposed a fine of EUR 34,375 on a party that failed to report a data protection incident.

C. Responsibility

Where the obligation to report after a cyberattack is infringed, it is not the company’s data protection officer who is the controller within the meaning of the GDPR (Art. 4 (7) GDPR). Rather, the management of the company is the responsible body on which the duty to report without undue delay falls (see the judgment of the Labor Court of Heilbronn, Ref. 8 Ca 135/22).

The Labor Court of Heilbronn explained accordingly:

“...the data protection officer’s obligations are not bound by instruction, rather they are legal duties in which the officer is not subject to instruction. According to Art. 39 GDPR, they (the data protection officer) are principally obligated to inform, advise and monitor. On the other hand, according to Art. 4 (7) GDPR, the party responsible for implementing the provisions of the GDPR, and the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] that substantiates and expands upon it, is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data...”

Consequently, it is the managing director or the board who is responsible for implementing data protection, not the data protection officer.

D. Recommended prevention measures

The following measures in particular are recommended to provide reasonable protection for companies against cyberattacks and to minimize the risk of a successful cyberattack:

  • The most common entry point for a cyberattack is a person. It is therefore essential to train employees on IT security, and in particular to: a) ensure that employees know how to deal safely with emails, attachments and links, b) produce conduct guidelines on dealing with cyberattacks, c) produce password guidelines that are enforced technically (for example by the directory service at the time a password is set, not merely by a written policy), with stricter requirements for administrators and for their accounts.
  • Before introducing software: classify the risk of systems, software and operating systems, set up incident tracking, and carry out a data protection impact assessment where necessary in accordance with Art. 35 GDPR.
  • Once software has been implemented, perform regular vulnerability scans and, where necessary, retire systems running software or operating systems for which security updates are no longer provided (vendors such as Microsoft publish end-of-support dates for their products).
  • Ensure that firmware and software patches are installed without undue delay as soon as they are released.
  • Implement a centrally managed antivirus or endpoint protection solution on all clients and servers.
  • Use a reputation-based IP filter on the firewall whose block list is refreshed automatically at least daily.
  • Use legally permissible system monitoring software to detect suspicious behavior.
  • Activate all legally permissible log sources for detailed logging of system activities; the retention period for log data must always be determined in advance, and it should be long enough that the logs still exist when an intrusion is discovered weeks or months later.
  • Encrypt storage media and end devices (clients, mobile devices).
  • Back up data regularly, keep at least one copy offline or otherwise isolated from the production network so that ransomware cannot reach it, and test that backups can actually be restored.
  • Appoint an information security officer to monitor all these prevention measures.
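The first bullet calls for password guidelines that are guaranteed by automated systems rather than by a document nobody reads, with stricter rules for administrators. The following Python script is an added illustration of what such a check can look like; it is not code from the article or from any product. The two policy tiers, the thresholds and the small denylist are assumptions chosen for the example (a real deployment would load a breached-password list instead of the handful of words embedded here), and the leetspeak normalisation is a deliberately simple heuristic. The point it demonstrates beyond the bullet text is that a useful check does more than count characters: it also rejects the user name inside the password and dictionary words dressed up with trailing digits and symbols, which is how most human-chosen passwords actually fail.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int   # minimum number of characters
    min_classes: int  # distinct character classes required (lower, upper, digit, other)
    max_run: int      # longest permitted run of one repeated character


# Two tiers, as the article recommends: a stricter one for administrators.
# The concrete thresholds are illustrative assumptions, not values from the article.
STANDARD_POLICY = PasswordPolicy(min_length=12, min_classes=3, max_run=3)
ADMIN_POLICY = PasswordPolicy(min_length=16, min_classes=4, max_run=2)

# Constructed denylist of base words for this example. A real deployment would
# load a breached-password export (e.g. Pwned Passwords) rather than this list.
DENYLIST = frozenset({"password", "welcome", "admin", "sommer", "winter", "qwerty"})

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

# Common leetspeak substitutions undone before the denylist lookup (heuristic).
_LEET = str.maketrans("@$014!3", "asolaie")


def _character_classes(pw: str) -> int:
    """Count how many of the four character classes occur in the password."""
    return sum(1 for pattern in _CLASS_PATTERNS if re.search(pattern, pw))


def _longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character (e.g. 'aaaa' -> 4)."""
    longest = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def _base_word(pw: str) -> str:
    """Reduce a password to the dictionary word an attacker would guess:
    lowercase, strip leading/trailing digits and symbols, undo simple leetspeak."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(_LEET)


def check_password(pw: str, username: str, is_admin: bool = False) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    policy = ADMIN_POLICY if is_admin else STANDARD_POLICY
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _character_classes(pw) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if _longest_run(pw) > policy.max_run:
        problems.append(f"a character repeated more than {policy.max_run} times in a row")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if _base_word(pw) in DENYLIST:
        problems.append("is a denylisted word with trivial decoration")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        ("Tr0ub4dor&3", "alice", False),
        ("Sommer2022!!", "bob", False),
        ("carol-likes-Horses-2022", "carol", False),
        ("Xk7#pq2Lm9vR", "dave", False),
        ("Xk7#pq2Lm9vR", "dave", True),
    ]
    for pw, user, admin in samples:
        tier = "admin" if admin else "user"
        verdict = check_password(pw, user, admin) or ["accepted"]
        print(f"{user:6} ({tier:5}) {pw!r}: {', '.join(verdict)}")
```

The same password that passes for an ordinary user fails for an administrator purely because the stricter tier applies, which is exactly the distinction the bullet asks for; hooking a check like this into the system that actually sets passwords is what turns a guideline into a guarantee.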

E. Recommended response measures

Crises should always be handled on an individual basis and measures must be adapted to the particular case, especially the on-site IT infrastructure, the type of attack and the objective.

The German Federal Office for Information Security (“BSI”) has published a non-exhaustive checklist of the Top 12 measures to take in a crisis, in particular:

  • Is it definitely a cyberattack or just a technical failure?
  • Have you got a continuous log of all the actions you have taken?
  • Have you informed all relevant persons and controllers?
  • Have system protocols, log data, notifications, screenshots, data carriers and other digital information been forensically secured?
  • Have the affected systems been separated from the network? Have Internet connections been cut from the affected systems? Has all unauthorized access been prevented?
  • Have backup jobs been stopped and the existing backups isolated, so that intact copies are not overwritten or encrypted as the attack progresses?
  • Has the extent of the attack been investigated?
  • Have appropriate measures been taken to address and remedy the weaknesses of the system or other processes that were used in the cyberattack?
  • Have the investigating authorities been informed and has the offence therefore been reported?
  • Is the network continuing to be monitored since the event to identify any new anomalies?
  • Have the affected data and systems been restored or rebuilt?
  • What needs to be changed in future to prevent cyberattacks?
  • Further: Was the data protection incident reported to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as stipulated by Art. 33 GDPR, and, where relevant, communicated to the affected data subjects as per Art. 34 GDPR?

F. Conclusion

It is essential, on the one hand, to minimize the risk of a cyberattack through prevention and, on the other hand, to prepare response measures for the event that an attack nevertheless succeeds. The specific shape of the measures for both prevention and follow-up management depends mainly on the individual circumstances of a given company. We have developed a consultancy package for prevention and response measures that comply with the law; a detailed overview of German IT security law is available from Legal 500, and our cybersecurity consultancy offer is described on our website.
