Data protection law revision | Part 3: Cyber attack - the right response counts
In the first article in our series on the data protection revision, we showed which changes the revision brings. In the second article, we gave practical recommendations on how to respond to those changes. In this third part, we look at how to react appropriately in the event of a cyber attack.
Cyber attacks on corporate and administrative data are regrettably part of everyday life in the age of digitalization. Often, the public either does not learn about such incidents at all or learns about them very late, partly because organizations fear damage to their reputation. Even more alarming is that the data subjects themselves are often inadequately informed, even though their personal data has been stolen and may later turn up on the Internet or darknet. At that point the communication disaster is complete. Two affected municipalities recently experienced this: neither Rolle (nzz.ch, paywall) nor Bülach (nzz.ch, paywall) was prepared for a cyber attack, and neither communicated properly. Note that a cyber attack is frequently also a data protection incident, namely whenever personal data is affected.
Legal aspects
The revised Swiss Data Protection Act (revDSG) will impose more extensive obligations on companies and authorities (overview of changes). This is because the revDSG is largely modelled on the EU's General Data Protection Regulation (GDPR), which has applied since 2018. For example, from September 1, 2023, a data protection impact assessment must be carried out for processing that may entail a high risk, and the register of processing activities becomes mandatory.
In addition, Art. 24 para. 1 revDSG stipulates that data security breaches which are likely to result in a high risk to the personality or fundamental rights of the data subjects must be reported to the Federal Data Protection and Information Commissioner (FDPIC) "as soon as possible". Unlike the GDPR, which requires notification "without undue delay" and, where feasible, within 72 hours of becoming aware of the breach, the revDSG does not prescribe a fixed deadline. The explanatory memorandum to the revDSG makes clear that the controller must in principle act quickly but is granted some discretion. The yardstick is the extent of the threat to the data subjects: the more serious the threat and the greater the number of persons affected, the faster the controller must act. At the same time, the controller must be given a reasonable amount of time to determine the scope of the breach and the number of data subjects, with professional help such as IT forensics experts where needed. If this determination is complex and takes several weeks, a preliminary notification to the FDPIC, supplemented later as facts become known, is a sensible way to meet the obligation under Art. 24 para. 1.
The content of the notification to the FDPIC is set out in Art. 24 para. 2 revDSG and specified further in Art. 15 of the Data Protection Ordinance (DPO). At a minimum, the nature of the data security breach, its consequences, the measures taken or planned, and a contact person must be communicated. As far as possible, further details must be provided: the time and duration of the breach, the approximate number of data subjects, and the consequences and risks for them (Art. 15 para. 1 lit. b to d DPO). The nature of the breach is described using the statutory categories: destruction or deletion, loss, alteration, or disclosure of personal data to unauthorized persons. The consequences should be described as completely as possible, and the perspective of the data subjects is decisive. Finally, the measures already taken and those planned for the future must be stated. This last point deserves particular attention. On the one hand, it allows the FDPIC to intervene quickly and effectively or to order that data subjects be informed under Art. 24 para. 4 revDSG. On the other hand, it reveals whether the controller handled the incident appropriately and what further data security measures are planned. From a legal point of view, it may expose that the previous measures were inadequate; from a strategic point of view, it is an opportunity to show that substantial data security measures will be taken going forward. We will be happy to assist you with the legal formulation of the notification.
A breach of the reporting obligation under Art. 24 revDSG is not itself directly punishable by a fine. However, if the FDPIC opens an investigation into a breach of data protection provisions, whether ex officio or on the basis of a complaint, fines of up to CHF 250,000 are possible in those proceedings for wilfully providing false information or wilfully refusing to cooperate. Note that fines under the revDSG are directed primarily at the responsible natural persons rather than at the company.
The law does not require data subjects to be informed in every case. Under Art. 24 para. 4 revDSG, data subjects must be informed of the data security or cyber incident only if this is necessary for their protection or if the FDPIC so requires. The decisive question is whether the risks to their personality or fundamental rights can be reduced by informing them. This is the case whenever data subjects need to take protective measures themselves, such as changing access credentials or passwords, monitoring account movements (for example after the loss of credit card data), or warning third parties to prevent misuse (for example of bank or social security data). Beyond the legal minimum, however, open communication with the affected persons is often advisable for reasons of transparency and to restore trust.
Communication
In these times of social media shitstorms and breaking news on Twitter, special attention must be paid to how a cyber attack is communicated. If the technical damage and the data loss can no longer be prevented, the reputation should at least not be damaged additionally by poor communication. In an age in which even state secrets do not stay secret, it must be assumed that a data protection incident at a medium-sized or larger company or public authority will become public. The press mechanism is then always the same: in addition to the incident itself, the poor communication and error culture become the subject of reporting. As is well known, people in the public eye are seldom brought down by a mistake, but rather by the way the mistake is handled. The same principle applies here: how a data protection breach is handled determines whether the reputation suffers and whether personal consequences such as resignations or dismissals follow.
The internal information processes must also be in place, both within a company and within an authority, right up to the head of the authority or the politically responsible person. Just as there are emergency numbers, reporting chains and information chains for health or operational incidents, there should be a defined procedure for data protection breaches: Which IT service provider is informed? Which law firm is called? Which persons are informed, and in which order? Who takes the lead and acts as the contact person for the media and for those affected? Besides the spokespersons of the authority or the company, this role can also be taken by a specialized law firm such as Wicki Partners AG.
Finally, communication must be adapted for social networks. There are various options for pursuing a proper social media strategy in the event of a data protection breach. The rule is that it is always better to get ahead of the wave than to respond after a shitstorm has already broken. With the right measures and the right experts, the social media account can be managed in a crisis so that the data protection incident does not become the sole defining topic.
Wicki Partners AG is at your side not only in legal matters but also in crisis communications. Our experts provide legal advice, represent you in media communications and act as your media contact, in a crisis situation also 24/7.
Do you have questions about data protection law and how to proceed in the event of a cyber incident? Feel free to contact Sven Kohlmeier. He is a regular speaker at cybersecurity conferences and, based on his previous work, an expert in media and social media communications.