
Do Companies in Germany Need to Report Ransomware Attacks?

Sep 30, 21 • Privacy Law

Companies in Germany are increasingly falling victim to ransomware attacks. Attackers use malware to restrict or completely block access to company data in order to extort a ransom for its release.

Consequences of a ransomware attack for companies

If such attacks are successful, they result in operational disruptions or interruptions that lead to serious economic damage for the affected companies. In addition, there is a risk of loss of reputation and liability towards contractual partners.

Affected business owners are faced with difficult decisions about how to respond to such extortion. On top of that, all these difficulties are compounded by data protection challenges. Depending on the circumstances, the ransomware attack may have to be reported to the German data protection authorities or even to the affected individuals. Whether and to whom a notification must be made, however, depends on the individual case and on an individual risk assessment.

When is there a duty to report a hacker attack?

A successful hacking attack by means of ransomware must always be reported to the public authorities in Germany if personal data is accidentally or unlawfully

  • destroyed,
  • lost,
  • changed or
  • disclosed without authorization

and this results in a risk to the rights and freedoms of natural persons.

If there is a particularly high risk, the persons concerned must also be informed. The first question is therefore whether the ransomware attack also affected personal data, that is, data that identifies a natural person or renders such a person identifiable. Such data are considered lost even if the company only temporarily has no access to them. A data loss has therefore occurred even if the data are later recovered or released against payment of the ransom. The report to the supervisory authority must then be made as soon as possible and within 72 hours after the attack.

Risk assessment depends on the individual case

The particular challenge in reporting a data breach is to properly assess the risk to the rights and freedoms of individuals. This always depends on the individual case, and the assessment must be carried out by the affected companies themselves.

If this risk is not considered to be sufficiently high, there is no obligation to notify the persons concerned. If there is no risk at all, the reporting obligation does not apply either. In both cases, affected companies can thus at least limit the damage to their reputation. Factors such as

  • the duration for which the data were unavailable,
  • the sensitivity of the data and
  • the number of affected persons

must be taken into account. For example, a relevant risk can often be ruled out if the captured data is one of several backup copies and was sufficiently encrypted. In this case, there is neither an irretrievable loss nor has the data been made accessible without authorization. If, however, the captured data consisted of sensitive data in unencrypted form, e.g. health data, then in most cases a reporting obligation will have to be assumed.

WINHELLER assists companies in the proper response to ransomware attacks

The risk assessment alone shows how complex the appropriate handling of ransomware attacks is under German data protection law. In order to respond properly to the supervisory authorities and to affected third parties in such exceptional circumstances, a well-practised and efficient risk assessment is required. We will gladly provide you with competent support in this matter.


Stefan Winheller

Attorney Stefan Winheller has specialized in tax law for about 20 years, especially in the areas of cryptocurrencies, foundations/nonprofits and international tax law.
