Cyber attack liability in the event of data breaches.

Cyber attacks are on the rise and the responsibility is an issue

The number of cyber attacks on companies has been rising steadily for some years. The threat of damage is immense and can even endanger the very existence of companies. If a cyber attack occurs, one of the first questions is always whether it could have been prevented. Followed by the question of who is legally responsible.

Cyber attacks also represent a data protection risk

The risks associated with cyber attacks are not restricted to specific industries. The bankruptcy of a bicycle manufacturer made headlines when it was unable to bear the financial burden as production was brought to a standstill in the wake of a cyber attack.
In addition to damages such as lost sales, the cost of restoring systems, claims for damages from customers due to delays in delivery, etc., the companies also face further liability risks, especially with regard to data protection. In the event of a cyber attack in which personal data is affected, the liability for a breach of the GDPR also becomes an issue. Article 5(1) (f) of GDPR stipulates that data processing at companies must be designed so that unauthorized access, data loss and destruction of data is prevented wherever possible or a suitable level of protection must be provided.

Furthermore, the GDPR also includes specific regulations regarding cyber attacks. Companies are required to

• rapidly restore the availability of the affected personal data after a cyber attack (Art. 32(1) (c) of the GDPR)
• report the cyber attack to the data protection authorities and data subjects (Art. 33, Art. 34 of the GDPR)
• document data protection breaches, their consequences and corrective measures implemented (Art. 33 (5) of the GDPR)

Violating these GDPR rules has consequences: Beyond additional claims for damages by the injured parties, companies also face the risk of severe fines.

Monitoring and organization as a Management responsibility

The case of the bicycle manufacturer is a clear example of how the damage caused by a cyber attack can become an existential threat for companies. This also highlights why IT security and data protection are management responsibilities.

The legal basis for this is Section 93(1) of the German Stock Corporation Act (AktG) and Section 43(1) of the Act on Limited Liability Companies (GmbHG) in conjunction with Section 91(2) of the German Stock Corporation Act (AktG) (analogously, if applicable). The management has the duty to organize and monitor the company in such a way that serious developments threatening the continued existence of the company are identified at an early stage and appropriate countermeasures are taken. The Munich Regional Court (LG Munich I, decision dated December 10, 2013, Ref: 5 HKO 1387/10) ruled that this also applies to a compliance organization designed for loss prevention and risk control.

Ultimately, the members of the board of management and the supervisory board of a publicly traded company may be held personally liable for damages caused by cyber attacks pursuant to Section 93 of the German Stock Corporation Act (AktG) or Section 116(1) in conjunction with Section 93 of the German Stock Corporation Act (AktG). According to section 43(2) of the Act on Limited Liability Companies (GmbHG), the managing director of a GmbH may also be personally liable. Fundamentally, the entire management is responsible, even if special IT responsibilities exist internally. When it comes to liability issues, pointing out that one is not responsible within the company is not a viable excuse.

Prevention through efficient IT compliance & exact documentation is essential

Prevention is the first step towards mitigating entrepreneurial risks and also personal liability risks. To this end, the management should definitely establish suitable Compliance Management Systems (CMS) at the company. These need to be based on a specific risk profile to enable effective risk management and damage prevention. As such, efficient processes should be implemented in line with the risk profile and the IT infrastructure has to be tested using vulnerability scanners and regular penetration tests, for example.

When implementing a CMS, ISO-certified IT compliance systems are a sensible approach as is implementing the corresponding BSI standards. Precisely these action recommendations issued by the German Federal Office for IT Security (“BSI”) are regarded as a very good guide for setting up an appropriate, efficient CMS.

From a legal perspective, this is highly important: If the management can reasonably assume that it is acting in the best interests of the company on the basis of appropriate information (Section 93(1) (2) of the German Stock Corporation Act (AktG)), this significantly reduces personal liability risks, even in the event of cyber attacks.

Furthermore, the members of management need to ensure accurate documentation of the analysis and monitoring activities in connection with the development and establishment of CMS. Precise documentation can mitigate the liability issues if they arise. In this respect, the documentation is essential for a risk management system which complies with the legal requirements.

Maintain an emergency plan to react to cyber attacks

Last but not least, the management needs to be prepared to react in the event of a cyber attack. A comprehensive “emergency plan” is basically indispensable. When preparing an emergency plan, companies can draw on the guidelines from a BSI emergency concept. Observing the BSI standards or guidelines for creating and implementing an emergency plan can also provide legal relief for the management if the worst comes to the worst.

Insurance & outsourcing as a solution?

The final question is whether suitable cyber insurance, D&O insurance or outsourcing the IT security resolve liability risks associated with cyber attacks?

Outsourcing can transfer the liability risks. Nevertheless, the question remains as to whether the liquidity of a service provider can or should be relied upon.

Similarly, cyber insurance policies can compensate for financial risks that the company faces while D&O insurance balance out the personal risks for the management. Yet relying on these alone is not a viable solution. The management’s duty to ensure (data) security at the company is only too clear and leaves the management open to the exclusion of coverage due to an alleged intentional breach of duty.