Companies in Germany are increasingly falling victim to ransomware attacks. Attackers use malware to restrict or altogether prevent access to company data in order to extort a ransom for the release of the data.
Consequences of a ransomware attack for companies
If such attacks are successful, they result in operational disruptions or interruptions that lead to serious economic damage for the affected companies. In addition, there is a risk of loss of reputation and liability towards contractual partners.
Affected business owners are faced with difficult decisions as to how they should react to such extortion. On top of that, all these difficulties are compounded by data protection challenges. Depending on the circumstances, the ransomware attack must be reported to the German data protection authorities or even to the affected individuals. Whether and to whom a notification must be made, however, depends on the individual case and an individual risk assessment.
When is there a duty to report a hacker attack?
A successful hacking attack by means of ransomware must always be reported to public authorities in Germany if personal data is inadvertently or unlawfully
- changed or
- disclosed without authorization
and this results in a risk to the rights and freedoms of natural persons.
If the risk is particularly high, the persons concerned must also be informed. The first question is therefore whether the ransomware attack also involved personal data, that is, data that identifies a natural person or renders such a person identifiable. Such data is considered lost even if the company has only temporarily lost access to it; a data loss has therefore occurred even if the data is later recovered or bought back by paying the ransom. The report to the supervisory authority must then be made as soon as possible and within 72 hours of the attack.
Risk assessment depends on the individual case
The particular challenge in reporting a data breach is to properly assess the risk to the rights and freedoms of the individuals concerned. This assessment always depends on the individual case, and the companies concerned must carry it out themselves.
If this risk is not considered sufficiently high, however, there is no obligation to notify the persons concerned, and if there is no risk at all, the notification obligation does not apply at all. In both cases, affected companies can at least limit the damage to their reputation. Factors such as
- the duration of the loss of access to the data,
- the sensitivity of the data and
- the number of affected persons
must be taken into account. A relevant risk can often be ruled out, for example, if the captured data was one of several backup copies and was sufficiently encrypted: in that case there is neither an irretrievable loss nor unauthorized access to the data. If, however, the stolen data consisted of sensitive data in unencrypted form, e.g. health data, a reporting obligation will have to be assumed in most cases.
WINHELLER assists companies in the proper response to ransomware attacks
The risk assessment alone shows how complex the appropriate handling of ransomware attacks is under German data protection law. In order to respond properly vis-à-vis the supervisory authorities and affected third parties in exceptional circumstances, a trained and efficient risk assessment is required. We will gladly provide you with competent support in this matter.