Cyber attacks on the upswing – Ten Most Frequently Asked Questions from our Data Breach Notification Consulting Practice

Cyber attacks are booming! The Microsoft Exchange Exploit has caused a stir in thousands of companies in recent weeks and forced the issue of IT security to the top of the agenda! In particular, the regulations contained in the GDPR for dealing with data protection incidents, are not very specific and are applied very differently in practice by the authorities, which often presents companies with the greatest challenges. While the Guideline 01/2021 on Data Breach published by the European supervisory authorities (“EDPB”“) at the beginning of the year promised initial clarification and help for companies seeking advice, the events of the last few weeks show that even within the various supervisory authorities – both nationally and across Europe – there are different opinions on the interpretation of the respective regulations.

When does a data protection incident actually have to be brought to the attention of the supervisory authority? How do the supervisory authorities handle the 72-hour deadline of the GDPR? And crucially: What do I have to tell the authority and what should I not disclose? In practice, affected companies come up against a multitude of questions, which, even almost three years after the entry into force of the GDPR, cannot be answered on the basis of the law, and the published guidance of the authorities to everyone’s satisfaction.

Our Taylor Wessing team in Germany alone has dealt with over 100 data protection incidents in the last two years, including ongoing official proceedings.

It is now time to summarise the Ten Most Frequently Asked Questions from our Data Breach Notification consulting practice and to provide companies with an initial checklist that can help them to ask the most important questions right away if the worst comes to the worst.

Please note: The following list is, of course, only a brief outline of typical data protection issues in the context of a cyber attack. If you do not find what you consider to be the most important questions in the following list or if you have specific questions relating to your company’s practice to which you have not yet been able to find answers, please do not hesitate to contact us!

TOP 1: Our systems and data were encrypted by ransomware. Nothing else seems to have happened. This is understandably annoying for our company, but we do not see any risk for those affected (data subjects), e.g. our employees or customers. Do we have to report such a case to the supervisory authority?

As the lawyers always say: it depends. One thing is certain: In the opinion of the European data protection supervisory authorities, there is no principle according to which the mere encryption of data (and the resulting non-availability, even if only temporarily) cannot trigger a risk to the rights and freedoms of data subjects pursuant to Article 33 GDPR and a resulting notification obligation. According to the European Data Protection Board in its Guidelines 01/2021 on Examples regarding Data Breach Notification of 14 January 2021, the mere unavailability of data after a ransomware attack can also trigger a notification obligation. The relevant factors for determining a possible notification obligation are (i) the actual effects of the subsequent unavailability of the data for the affected person (e.g. financial disadvantages) and (ii) the period of unavailability. The EDPB seems to take the 72-hour period pursuant to Article 33 (1) of the GDPR as an indicator for a period of time, beyond which the recovery may have already taken too long and regularly cause risks for data subjects (cf. Guidelines 01/2021 of the EDPB, para. 24). Even if it remains completely unclear how the EDPB intends to justify the parallel application of the 72-hour time limit to the issue at hand, it may serve as a possible point of reference in practice. Like the EDPB, other authorities (cf. inter alia the position of the data protection supervisory authority in Hamburg) had previously assumed notification obligations in the case of the mere unavailability of data, especially in those cases in which particularly sensitive categories of data are affected (e.g. health data).

Practical tip: The encryption and unavailability of data can also lead to a risk and subsequently to a notification obligation pursuant to Article 33 of the GDPR, and in selected cases also to a high risk and an obligation to inform data subjects pursuant to Article 34 of the GDPR. Be aware!

TOP 2: We have discovered that some of our systems were compromised in a hacking attack. However, according to current knowledge, the data to which the attackers had access was encrypted. We keep hearing that the processing of encrypted data can also raise data protection issues. Do we have to report this to the supervisory authority?

Correct: In principle, the provisions of data protection law also apply to the handling of encrypted data. In such cases, anonymisation that excludes the application of data protection regulations can only be assumed in exceptional cases.

Notwithstanding this, the EDPB and other German supervisory authorities have confirmed several times in the past that the compromise of systems with merely encrypted data does not lead to a reporting obligation (and consequently also not to an obligation to inform those affected) if the encryption corresponds to the state of the art and consequently a compromise is not to be expected.

Practical tip: In the course of a forensic investigation, it should always be determined whether the data concerned was protected by encryption, as appropriate measures can ideally exclude the obligation to report, which may take away at least some of your concerns!

TOP 3: Our IT department discovered malware on our systems, but it could be rendered harmless. No evidence was found that unauthorised third parties were able to view data on our systems or that data was leaked. What do we have to do?

Often, after malware or other traces of compromised systems have been found, no reliable evidence of unauthorised data access by natural persons or even data outflows can be found. On the one hand, this is due to the fact that in many cases attackers can effectively cover their tracks. On the other hand, the information required for a further examination is often not available, since the respective systems do not record log files or only do so in an incomplete manner. Since the obligation to report to a supervisory authority only exists in the case of a risk to the rights and freedoms of data subjects, the existing indications must be evaluated within the framework of a risk assessment. In addition to the probability of an actual compromise of personal data, the risks posed to the data subjects in such a case and the severity of possible damage must be included in an overall consideration. Thus, in the case of particularly sensitive data or considerable severity of possible damage in the event of misuse, a lower probability of actual data access or conclusion is sufficient than if only less sensitive data is involved.

The fact that after a forensic investigation no solid evidence can be found against an actual data breach does not automatically mean that there is no (high) risk for data subjects. Especially in the case that potentially special categories of personal data may have been compromised, the threshold for the obligation to report to the authority is likely to be exceeded quickly.

Practical tip: Just because no evidence can be found does not mean that nothing has happened. A comprehensive consideration of the individual circumstances and a careful risk assessment are absolutely mandatory!

TOP 4: Our service provider discovered a week ago that malicious software had been installed on our systems, which may have led to data outflows. Unfortunately, he only informed us of this today. Can we report the incident at all now?

Since Article 33 (1) GDPR is based on the acquisition of knowledge on the part of the controller, the 72-hour period of Article 33 GDPR should generally only begin to run from the time of knowledge by the commissioning company itself.

Practical tip: In order to ensure an efficient flow of information in the event of a cyber attack, practical regulations on information in the event of a corresponding incident should be contractually regulated with service providers.

TOP 5: We learned on Thursday evening that our systems were compromised as part of a hacker attack. The 72-hour deadline will probably expire on the following Sunday. If we don’t make it before then, do we actually have to report the incident to the authorities on Sunday?

In principle, the correct answer is “yes”“. The regulation in Article 33 GDPR does not provide for any restrictions such as a “weekend” exception for the notification obligation. In fact, it is disputed whether principles of German civil and administrative law, according to which, in the case of expiry of deadlines on Sundays and public holidays, only the following working day should be decisive, can be applied accordingly here and, consequently, a notification on a Sunday is already not required. Practically, it does not seem to make much sense to submit a notification on a weekend, although it is not to be expected that the relevant information can be taken note of at the competent supervisory authority during this period. In this respect, it would be advisable, especially in time-critical situations, to make a brief call to the competent authority and announce the corresponding notification for the following working day, which should generally be accepted by German authorities.

Practical tip: There is no weekend exception to the obligation to report. In borderline cases, the procedure can also be determined by telephone with the supervisory authority at short notice. In any case: Don’t wait until the last minute to report!

TOP 6: Our systems were compromised in a cyber attack, but only B2B customer data was found there. Does the reporting obligation also apply if only B2B data is affected?

In principle, yes it can. The GDPR does not differentiate between corresponding usage scenarios, so that personal data that is collected and processed in a business context is also subject to the applicable data protection regulations and its compromise can, of course, also trigger a reporting obligation (cf. on this, among others, the EDPB, which does not seem to differentiate according to corresponding criteria). Regardless of this, a relevant consideration in the context of the risk assessment to be carried out remains possible and appropriate.  Since the GDPR protects the rights and freedoms of natural persons and not legal persons or companies, a risk within the meaning of Article 33, 34 GDPR can only exist where such a risk can affect the natural person himself. This cannot be ruled out in the B2B area, but should tend to be less frequent than in the case of compromising B2C data.

Practical tip: The differentiation between B2B and B2C data does not solve the “problem” of the reporting obligation, but should help in many cases of the obligatory risk assessment.

TOP 7: During his employment with us, an employee collected customer data within the scope of the authorisations granted to him and “took” it with him“ after the end of his employment. We have learned that he is now using this data to contact corresponding customers. Is this a reportable event?

The prerequisite for a notification obligation pursuant to Article 33 GDPR is that a personal data breach within the meaning of Article 4 No. 12 GDPR has occurred. A personal data breach is a breach of security leading to the destruction, loss or alteration, whether accidental or unlawful, or to the unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

Insofar as an employee steals data from a system to which he or she had legitimate access during the time of his or her employment, it may be questionable whether a breach of the protection of personal data in the sense mentioned above has occurred at all. A breach of security should regularly require a breach of technical or organisational measures pursuant to Article 32, 25 GDPR. Insofar as the application of corresponding data was carried out with the use of duly granted access rights, the existence of this requirement could at least appear questionable.

The EDPB seems to see this differently in its current opinion of January 2021 and assumes a reporting obligation to the supervisory authority in a similar case (probably due to a lack of technical and organisational measures, when the EDPB makes the (seemingly impractical) recommendation to restrict corresponding authorisations from the time of an employee’s termination, even if these are necessary to perform the work owed).

Practical tip: The case illustrates how strictly the supervisory authorities interpret the respective requirements. Keep this in mind when working with the law!

TOP 8: According to forensic findings, attackers were able to capture passwords for remote access through a so-called brute force attack and thus gained access to our systems and were able to steal data. We would like to report this incident to the supervisory authority, but we do not want to disclose too many details about the actual course of events, especially the brute force attack. Would that be possible?

According to Article 33 (3) GDPR, the authority must be provided with, among other things, “a description of the nature of the personal data breach” in the case of a notification.

It is unclear whether corresponding details on the causes and course of the compromise of an IT system must always be reported. Since a successful brute force attack may indicate weaknesses in the company’s IT security (e.g. insufficient security of a remote access), it should be carefully checked before submitting the report which details are mandatory in the case in question and which are not. Since such information could possibly be used as a reason for further investigations by the supervisory authority, it is always advisable to report in advance in such cases. It should also be noted that any errors in IT security can also be used by third parties against the company (e.g. after the assertion of corresponding rights of access within the framework of a lawsuit for damages by the party affected).

Practical tip: As long as the scope of the ban on the use of evidence in Section 43 (4) BDSG has not been clarified, careful examination and caution is advised in corresponding situations.

TOP 9: We would like to report a cyber-attack to the competent supervisory authority, but we are still revising our website, which probably does not yet comply with the applicable data protection regulations. Does that matter?

This may well be the case. In practice, supervisory authorities like to take a look at the register for data protection officers (Has the reporting company appointed a data protection officer?) as well as at the company’s website, whose privacy policy regularly serves as a “business card” for data protection, when they receive a notification pursuant to Article 33 of the GDPR. If there is something wrong here, an examination of a submitted notification may be more critical than if the external presentation of data protection is perfect. In the situation of a cyber-attack, it will often be difficult to make appropriate adjustments because other issues have priority. However, these points should not be ignored. Possibly, the worst “slip-ups” should be corrected before submitting a report. This includes, among other things, the easily recognisable insufficient encryption of contact forms on websites, which can be particularly readily and easily objected to by authorities.

Practical tip: It can be worthwhile to quickly spruce up the website with a few targeted steps before submitting a report.

TOP 10: Some of the authorities’ notification forms ask for a “risk assessment”. How do you do this and do you have to document it?

Pursuant to Article 33 (5) GDPR, the controller is obliged to document personal data breaches, including all facts related to the personal data breach, its effects and the remedial measures taken, in order to enable the supervisory authority to verify compliance with the respective provisions.

Since a risk assessment is an essential part of the overall evaluation needed pursuant to Article 33 GDPR, such an assessment must not only be carried out but also documented accordingly.

When carrying out the risk assessment, companies can use the assistance of the supervisory authorities as a guideline. As an example, we refer to the handout of the Bavarian data protection supervisory authority for a more simplified risk assessment. Further details can be found, among other things, in the samples for a data protection impact assessment, the principles of which can, of course, also be applied within the scope of the assessment pursuant to Article 33 of the GDPR.

Practical tip: Risk assessment is the be-all and end-all of checking a possible reporting or information obligation according to GDPR. All companies are advised to establish an appropriate process in advance, which can then be used to carry out and document such an audit quickly and efficiently in the event of an emergency.