Cybersecurity 2020

Last Updated May 29, 2020

Germany

Law and Practice

Authors



Heuking Kühn Lüer Wojtek is one of Germany’s major commercial law firms with more than 400 lawyers in nine offices across Germany and in Zurich offering service at the highest level. The lawyers in the firms' data protection, privacy and cybersecurity group are leaders in their fields and help clients develop global privacy and data security strategies for today’s digital economy. They advise clients inter alia on data processing agreements, international data flows within groups of companies and binding corporate rules; development of compliance programs (including GDPR compliance); technology-related data usages; on the setting-up and operation of CRM, personnel or other data bases involving personal identifiable information as well as on setting-up of whistle blowing and other reporting schemes. Furthermore, they represent clients towards administrative authorities and in legal disputes related to (alleged) data protection and data security breaches.

Issues related to the protection of personal data are regulated in the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and in sectoral laws (ie, the Banking Law, the Energy Law, etc).

Issues related to the protection of personal data and privacy in electronic communications are regulated primarily in the Telecommunications Act (TKG) as a result of the implementation of the E-Privacy Directive. These issues will be regulated by the E-Privacy Regulation, once it comes into force.

The implementation of Directive (EU) 2016/1148 (NIS Directive) resulted in the amendment of various German legislations, including the Act on the Federal Office for Information Security (BSIG) and the Energy Industry Act (EnWG).

The EU Cybersecurity Act (Regulation (EU) 2019/881) provides a framework for EU-wide certification of information and communication technology (ICT) products, services and processes.

The German Criminal Act (StGB) lays down penalties for data espionage, phishing, acts preparatory to data espionage and phishing, data tampering, computer sabotage and computer fraud.

Penalties

Infringements of the provisions set out in the German Data Protection Act and the GDPR with respect to cybersecurity are subject to administrative fines of up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The TKG and EnWG provide for fines of up to EUR100,000, while the BSIG provides for fines of up to EUR50,000. (If operators of public telecommunications networks do not submit the mandatory security concept to the Federal Network Agency immediately after the start of network operation, they are threatened with a fine of up to EUR100,000 under the TKG. Violations of the notification obligation are punishable with fines of up to EUR50,000 under the TKG. For non-compliance and in the case of disregard of the reporting obligations, the EnWG provides for fines of up to EUR100,000 and the BSIG for fines of up to EUR50,000.)

The penalties provided for by the StGB range from a fine to a prison sentence of up to five years (for computer fraud).

Data Protection Authorities

In addition to the Federal Commissioner for Data Protection and Freedom of Information (BfDI), each federal state has data protection authorities. Those supervisory authorities have powers of approval, advice, investigation and remedies. They conduct investigations into the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.

German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI)

In 1991 Germany established the BSI. The office provides security advice for users and standards for public and private bodies. The guiding principle of the BSI is: "As the federal cybersecurity authority, the BSI shapes information security in digitisation through prevention, detection and reaction for the state, economy and society."

Central Office for Information Technology in the Security Sector (ZITiS)

The Central Office for Information Technology in the Security Sector is an unincorporated federal agency under the authority of the Federal Ministry of the Interior, Building and Homeland Affairs. ZITiS has the task of supporting and advising federal authorities with security tasks with regard to information technology capabilities. For this purpose, the central office develops and researches methods and tools.

Computer Emergency Response Team for Federal Authorities (CERT-Bund)

The CERT-Bund is the central contact point for preventative and reactive measures in the event of security-relevant incidents in computer systems. It serves as a warning and information service for authorities and private internet users. It provides information about security leaks in software, provides a weakness indication (green/yellow/red) for commonly used software and lists present and past security holes.

The supervisory data protection authorities have powers of investigation and remedies. They conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.

They may use the following methods for their investigation purposes:

  • on-the-spot checks on individual companies;
  • dispatch of questionnaires; and
  • automated online audits.

In general, data protection authorities tend to visit larger companies or those companies whose processing operations are likely to result in a high risk to the rights and freedoms of data subjects. Small and medium-sized enterprises are usually only marginally controlled by the authorities so as not to overburden them financially and in terms of personnel.

Companies that received fines can file objections and take legal action.

Each federal state has its own data protection authorities and its own data protection laws, which do not contradict the federal or EU laws, but partly extend them. A federal state’s data protection law only applies to that state’s public bodies.

The tasks of the BSI include:

  • protection of federal networks, detection and defence of attacks on government networks; and
  • warning of malware or security holes in IT products and services.

The CERT-Bund informs about security leaks in software and lists present and past security holes.

Alliance for Cybersecurity

An example in this context is the Alliance for Cybersecurity, which provides companies with up-to-date information on the threat situation in cyberspace as well as practical assistance for the design and implementation of suitable protective measures. Several thousand companies and institutions have already joined the initiative, which was launched in 2012 by the BSI and the digital association Bitkom, making the Alliance for Cybersecurity a successful model for building trust and profitable co-operation between government and industry in the field of cybersecurity.

The Alliance for Cybersecurity's extensive information offering includes BSI recommendations on topics such as the secure configuration of software products, securing systems for manufacturing and process automation, and monitoring and detecting network anomalies.

Cybersecurity Council Germany e.V.

In August 2012, the Cybersecurity Council Germany e.V. was founded by well-known personalities. The Berlin-based association is politically neutral and aims to advise companies, authorities and political decision-makers in the field of cybersecurity and to strengthen them in the fight against cybercrime.

The members of the association include large and medium-sized companies, operators of critical infrastructures, numerous federal states, local authorities as well as experts and political decision-makers with an interest in cybersecurity. Through its members, the association represents more than three million employees from the industry and almost two million members of other associations and societies.

The Cybersecurity Council Germany e.V. pursues the following goals:

  • intensification of the co-operation between politics, public administration, business and science to improve IT protection;
  • initiatives and projects to promote awareness of cybersecurity;
  • establishment of a Germany-wide cybersecurity network in a European and international context; and
  • establishment of a knowledge platform, forum and network for association members.

With the introduction of the GDPR, the EU was the first to introduce new regulations in the area of data protection and security of personal data. Furthermore, the regulations apply supranationally throughout the entire EU and it can be assumed that other countries will use the GDPR as the foundation of their own laws on data security.

Germany also introduced the BSIG before the EU addressed similar topics with the NIS Directive. However, in certain areas Germany’s federal structure can lead to delays and a patchwork of laws and authorities.

In March 2019, the German Federal Ministry of the Interior published the draft for an IT Security Act 2.0, which contains a holistic approach to IT security. Amongst other things, a consumer-friendly IT security label for commercial products is to be included, the competences of the BSI are to be strengthened and criminal offences in cybersecurity and the associated investigation activities are to be expanded. The draft law also extends the addressees of reporting obligations and implementation measures. Overall, the law is expected to result in a considerable additional economic burden for companies and authorities.

The broad spectrum of applicable law closes many security gaps in the cyberspace. But the growing number of cyber-attacks make it clear that security standards must be continuously adapted to the changing risks. A further issue is that the rules on cybersecurity are not condensed in one cybersecurity act, but are spread among numerous different laws. This poses profound challenges for companies to determine which legal framework applies to them.

5G Network

5G networks are expected to become the backbone of transformation services that will positively change life for future generations. This holds true regardless of the area of application, be it automobile vehicles, remote surgery, intelligent care facilities or the multitude of other technological advances that will benefit from 5G. Innovators, investors and users need confidence in the network's cybersecurity to achieve the promising goals of 5G. Therefore, this will be one of the top priorities for 2020.

E-Privacy Regulation

The E-Privacy Regulation is designed to protect personal data in electronic communications and supplements the GDPR in this respect. It replaces the E-Privacy Directive, which the German legislators implemented largely in the Telemedia Act (TMG) and the TKG. Many entrepreneurs are already warning that the E-Privacy Directive will seriously damage digital business.

The key cybersecurity laws are as follows.

  • The BDSG provides cybersecurity requirements and sanctions when personal data is involved.
  • EU Directive 2016/1148 of 6 July 2016 provides specific requirements for networks and information systems for operators of essential services and digital service providers; Germany implemented the directive by amending the BSIG and the EnWG.
  • The Cybersecurity Act provides requirements for European cybersecurity certification schemes with respect to ICT products, ICT services and ICT processes in the EU.
  • EU Directive 2015/2366 of 25 November 2015 on Payment Services 2 (PSD2) sets out provisions for payment service providers (PSP) information systems.
  • EU Regulation 2017/745 applies to medical devices that include software components.
  • The German IT Security Act provides certain security standards and reporting requirements for the operators of critical infrastructures.
  • The TKG regulates the protection of personal data and privacy in electronic communications. However, it will be replaced by the E-Privacy Regulation.
  • Any unlawful alteration, deletion, suppression or rendering unusable of external data fulfils the facts of the case according to Section 303a of the StGB (data alteration). In particularly serious cases, this is also punishable under Section 303b I No 1 of the StGB ("computer sabotage") and is punishable by imprisonment of up to five years or a fine. Since 2007, distributed denial-of-service (DDOS) attacks have also constituted computer sabotage; the same applies to any action that causes damage to an information system that is essential to another.
  • Spying on data (Section 202a, StGB) – ie, gaining access to external data that is specially protected against this – is punishable with a prison sentence of up to three years or a fine. Intercepting foreign data in networks or from electromagnetic radiation has also been a punishable offence since 2007. In contrast to Section 202a of the StGB, no special access protection is required here. Procuring, creating, distributing, making publicly accessible, etc of so-called hacker tools has also been a punishable offence since 2007, if a criminal offence is prepared with them (Section 202c, StGB).
  • According to Section 202a paragraph 2 in conjunction with paragraph 1, data is only protected from being spied on if it is "specially secured" in order to prevent the offence from escalating. This means that only when the user protects his data technically does he also enjoy protection under criminal law. The earlier debate as to whether "hacking" without retrieving data is punishable under criminal law is no longer relevant since the wording of the standard was changed in 2007 in such a way that criminal liability begins as soon as access to data is gained. It is also disputed whether encryption is part of special security. Although it is very effective, it is argued that the data is not secured, but is only available in an "incomprehensible" or simply "different" form.
  • Computer fraud is punishable under Section 263a of the StGB with a fine or imprisonment for up to five years if data processing operations are manipulated to obtain financial gain. Even the creation, procurement, offering, safekeeping or transfer of suitable computer programs is punishable.

Please see 1.2 Regulators.

The European Network and Information Security Agency (ENISA) was created in 2004. The objective of ENISA is to serve as a contact point and centre of expertise for the member states and the institutions of the European Union on issues related to network and information security. Its activity consists of:

  • anticipating future network and information security challenges and assisting the European Union in responding to them, by collecting, compiling, analysing and publishing relevant information and expertise on crucial issues regarding network and information security, taking into account the developments in the digital environment;
  • supporting EU member states and EU institutions in developing and implementing the strategies necessary to meet the legal and regulatory requirements for national information security and thereby promoting the significance and need for network and information security;
  • supporting the EU in building and developing state-of-the-art network and information security capacities and its continuous adaptation to the latest trends; and
  • strengthening the co-operation between EU member states and between national institutions to ensure network and information security.

ENISA also publishes reports and studies on cybersecurity; for example, on privacy, cloud security or the detection of cyber-attacks.

ENISA's main target groups are public sector organisations, in particular:

  • the governments of the EU member states and
  • the institutions of the EU.

The Agency also provides support to:

  • the ICT industries (telecommunications, internet service providers and IT companies);
  • enterprises in general, especially small enterprises;
  • network and information security professionals; eg, IT emergency teams;
  • academic circles; and
  • the public at large.

The European ENISA Regulation 2019/881 (Cybersecurity Act) adopted on 17 April 2019 grants a permanent mandate to ENISA and broadens its powers. ENISA has been made responsible for drafting the “European Certification Schemes for Cybersecurity”. These are to serve as a basis for the certification of products, processes and services that support the provision of the digital single market.

The BSI acts in an advisory capacity to the business community and supports companies of all sizes and from all industries in questions of IT and information security. The objective of the BSI is the preventative promotion of information and cybersecurity in order to enable and promote the secure use of information and communication technology in the state, economy and society.

At federal level, the BSI is also responsible for the protection of critical information infrastructures (KRITIS).

In addition to its advisory function, the BSI co-operates with the business community in a variety of ways. For example, co-operation in the area of certification has long been established. Through the independent testing of IT products and services, the BSI offers manufacturers an opportunity to ensure transparency and more trust in the IT security features of their products and services.

The tasks of the BSI also include:

  • protection of federal networks, detection and defence of attacks on government networks;
  • testing, certification and accreditation of IT products and services;
  • warning of malware or security gaps in IT products and services;
  • IT security consulting for the federal administration and other target groups;
  • information and awareness raising of citizens on IT and internet security;
  • development of uniform and binding IT security standards; and
  • development of cryptosystems for federal IT.

Please see 1.2 Regulators.

Aspects of cybersecurity are handled by the authorities listed under 1.2 Regulators. Additionally, the Federal Institute for Financial Institutions and Insurances (Bundesanstalt für Finanz- und Versicherungsaufsicht, or BaFin) publishes the MA-Risk, which contains procedural and security requirements to be taken into account by banks, payment service providers and insurers.

TeleTrusT

The Federal Association for IT Security (TeleTrusT) is a competence network comprising of domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations. Due to the broadly diversified membership and the partner organisations, TeleTrusT embodies the largest competence network for IT security in Germany and Europe. TeleTrusT offers forums for experts, organises events or participations in events and gives its opinion on current issues of IT security.

For additional information, please see 1.2 Regulators.

In Germany, the operators of critical infrastructures are obliged by the IT Security Act to comply with certain security standards and reporting requirements. This law will have to be changed due to the NIS Directive.

However, many companies have chosen to voluntarily comply with the ISO 27001 standard as this is a good way to improve cybersecurity. The Federal Network Agency (BNetzA) even explicitly ordered ISO 27001 certification for electricity and gas network operators in its IT security catalogue by 2018. Furthermore, BaFin also refers to common IT standards such as ISO 27001 or the BSI basic protection catalogues in its minimum requirements for risk management.

Nevertheless, it is usually helpful to develop a framework specifically tailored to the company. For this purpose, sources such as COBIT, NIST and SANS20 should be consulted. These current frameworks for cybersecurity can therefore serve other companies as "idea generators" for the design of internal processes. As an "ISMS-light approach", small and medium-sized companies can be recommended to use, for example, the "VdS 3473", which usually represents a preliminary stage for a possible ISO/IEC 27001 and BSI IT-basic-protection certification.

Please see 3.1 De Jure or De Facto Standards.

Pursuant to the Control and Transparency Act (KonTraG), which came into force on 27 April 1998, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company.

The German Stock Corporation Act stipulates that the management board shall be personally liable if it fails to monitor developments that could pose a risk to the company in the future by means of risk management and take appropriate measures to prevent them (Section 91 (2) and Section 93 (2) of the German Stock Corporation Act). Virtually the same requirements apply:

  • for the managing director of a GmbH, who must exercise the diligence of a prudent businessman in the affairs of the company (Section 43 paragraph 1, GmbHG); this admittedly rather ambiguous stipulation contains in legal practice very similar consequences for risk management as for executive board members according to the German Stock Corporation Act;
  • for other types of corporate entities, such as the general partnership or the limited partnership; these are in fact on an equal footing with corporations with regard to the legal obligations for IT security if they do not have a natural person as a personally liable partner (cf the Corporations and Co-Directives Act, "KapCoRiLiG").
  • if the management or the management board – as the person responsible – does not comply with the above-described risk provisioning obligation and if the company suffers financial damage as a result, this can lead to personal liability of the members of the management board and the management, and possibly also of the members of the Supervisory Board (Section 116, AktG);
  • if the management of a company does not undertake the technical and organisational measures necessary to implement and maintain an appropriate level of IT security (eg, information security plans or programmes and business continuity plans), then in view of the expected damages, which could potentially even trigger an insolvency of the company, there is a high risk that such behaviour will result in a personal liability of the management of the company;
  • Article 33 of the GDPR provides that in the event of a breach of the protection of personal data, the controller must notify the competent supervisory authority without delay and, if possible, within 72 hours; to facilitate notification, the supervisory authorities have set up extensive input masks that can be processed online;
  • notification may only be dispensed with if the violation "is not likely to pose a risk to the rights and freedoms of natural persons". However, when processing data on behalf of a contractor, the contractor must immediately inform the responsible party ("controller") about the data breach and support the responsible party in reporting the data breach by providing the responsible party with the information available to him (Article 28 paragraph 3 litera f, GDPR);
  • where the breach of the protection of personal data is likely to present a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay (Article 34 paragraph 1, GDPR); and
  • in the event of a data breach, each party involved must know who to contact for rapid action and the controller must know exactly what needs to be done in which case; in this regard, it is advisable to compile a crisis document and keep it up to date. This should contain:
    1. examples of possible data breaches, sorted by severity;
    2. necessary next steps, short and concise procedure;
    3. tasks of the responsible employees;
    4. contact details of the competent supervisory authority and contact person; and
    5. text modules for information to the persons concerned or necessary places.

The GDPR establishes the concept of a data protection officer (DPO) at European level. The obligation to appoint a data protection officer affects companies according to their core activities; ie, activities that are essential for achieving the company's objectives. If these include the processing of sensitive personal data on a large scale or a form of data processing that is particularly far-reaching for the rights of the data subjects, a company data protection officer must be appointed.

There are two ways for groups and companies to fulfil their obligation to appoint a data protection officer. Either they appoint an employee as internal data protection officer or an external data protection officer is appointed.

The tasks of the data protection officer include:

  • ensuring compliance with all relevant data protection regulations;
  • the monitoring of certain processes, such as a data protection impact assessment; and
  • raising awareness and training of staff and co-operation with the supervisory authority.

Nevertheless, the company itself remains responsible for compliance with data protection regulations. Failure to appoint a company data protection officer constitutes an administrative offence subject to a fine.

As stated above, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company; this includes measures such as internal risk assessments, vulnerability scanning and penetration tests.

Furthermore, Article 35 of the GDPR introduced the instrument of a privacy impact assessment (PIA) or data protection impact assessment (DPIA). Basically, a PIA or DPIA must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The Article 29 Working Party published a list of ten criteria that indicate that the processing bears a high risk to the rights and freedoms of a natural person.

In the course of a PIA or DPIA the effects of data processing on data subjects must be evaluated and effective IT security measures established. Operators of critical infrastructures even have to implement preventative protection measures according to the "state of the art" in order to protect the critical infrastructure from a cyber-attack.

The ENISA provides practical advice and solutions to the public and private sectors of the member states and the EU institutions. Please see 2.3 Overarching Cybersecurity Agency for additional information.

Article 32 of the GDPR provides security requirements for the processing of personal data. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In this process they shall take into account various aspects, like the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The technical and organisational measures may include pseudonymisation and encryption or regular testing, assessments and evaluations of the effectiveness of the technical and organisational measures. What constitutes an appropriate level of protection arises, inter alia, from the risks represented by the processing, in particular by destruction, loss or alteration, whether accidental or unlawful, or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

For additional information, please see 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Pursuant to Section 8 of the BSIG, operators of critical infrastructures must implement IT security in accordance with the "state of the art" and regularly demonstrate compliance with it to the BSI. They are obliged to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are essential for the functionality of the critical infrastructures they operate.

If security deficiencies are discovered, the BSI may order their elimination in agreement with the supervisory authorities. In addition, according to Section 8b of the BSIG, the BSI becomes the central reporting office for IT security of critical infrastructures. Operators must report significant faults in their IT to the BSI if they could have an impact on the availability of critical services. If reportable IT malfunctions occur at a KRITIS operator, the BSI may, if necessary, also require the manufacturers of the corresponding IT products and systems to co-operate. Furthermore, according to Section 7a of the BSIG, the BSI is granted the authority to examine IT products for their security in order to perform its tasks.

For additional information, please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The BSIG uses the word “malfunction” or “disruption” rather than data breach or incident. Relevant is a malfunction to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes that (can) lead to a malfunction or significant impairment of the functionality of the critical infrastructures.

Any data that is personal data according to Article 4 No 1 of the GDPR is covered.

All systems that are used to process personal data are covered.

Pursuant to EU Regulation 2017/745, medical devices are subject to cybersecurity requirements when they include software components. However, in the wake of the COVID-19 pandemic, EU Commissioner Stella Kyriakides announced that the entry into force of the regulation would be postponed by one year. The EU Commission plans to obtain the approval of Parliament and Council in early April 2020.

There are no special or additional legal requirements concerning industrial control systems. However, whenever there is processing of personal data, the GDPR is applicable.

There are no special or additional legal requirements concerning the internet of things. However, whenever there is processing of personal data, the GDPR is applicable.

ENISA has published good practices with respect to security of the internet of things in the context of smart manufacturing and developed an interactive web-based online tool aimed at guiding internet of things operators and industries of the internet of things and smart infrastructure when conducting risk assessments.

Article 33 of the GDPR provides that in the event of a breach of the protection of personal data, the controller must notify the competent supervisory authority without delay and, if possible, within 72 hours. To facilitate notification, the supervisory authorities have set up extensive input masks that can be processed online.

Notification may only be dispensed with if the violation "is not likely to pose a risk to the rights and freedoms of natural persons". However, when processing data on behalf of a contractor, the contractor must immediately inform the responsible party ("controller") about the data breach and support the responsible party in reporting the data breach by providing the responsible party with the information available to him (Article 28 paragraph 3 litera f, GDPR).

Where the breach of the protection of personal data is likely to present a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay (Article 34 paragraph 1, GDPR).

Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the Federal Office for Information Security any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.

The independent federal and state data protection authorities (Datenschutzkonferenz, or DSK) have published a short paper that serves as a first orientation (especially for the non-public sector) to the manner in which to conduct a risk assessment. According to this, the risk assessment should be done in the following phases.

Risk Identification

In order to identify data protection risks, the following questions can be used as a starting point.

  • What damage can be caused to natural persons on the basis of the data being processed?
  • What causes the damage; ie, what events can cause it?
  • What actions and circumstances can cause these events to occur?

Estimation of the Probability of Occurrence and Severity of Possible Damage

The probability of occurrence and severity are estimated for each potential loss. In general, they cannot be mathematically summarised or calculated. One way of measuring a risk is to show a gradation of the severity and probability of occurrence of a possible loss on a scale, with four values: slightly/low, manageable, substantial and big/high.

Allocation to Risk Grades

Once the probability of occurrence and the severity of possible losses have been determined, they must be assigned to the risk categories "low risk", "risk" and "high risk". If the potential damage is large and the probability of occurrence is high, there is a high risk. If, on the other hand, the possible damage is small and the probability of occurrence low, there is a low risk.

Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the Federal Office for Information Security any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. However, a notification is not required if the disturbance does not and/or cannot lead to a significant impairment of the operability of the operated critical system.

According to the minimum requirements for risk management in banks and financial service providers (MaRisk) issued by BaFin, the following risks are to be classified as material:

  • counterparty default risks (including country risks);
  • market price risks;
  • liquidity risks; and
  • operational risks.

The institution must set up appropriate risk management and risk controlling processes that ensure the identification, assessment, management, monitoring and communication of the main risks and associated risk concentrations.

The BSI recommends the following basic measures for cybersecurity:

  • determination of the threat level of the own infrastructure and the transparency of the institution towards attackers;
  • identification and protection of all network transitions;
  • effective prevention of infection with malicious programs;
  • inventory of the IT systems and testing for security controllability;
  • avoidance of open security gaps on IT systems;
  • interaction with the internet only via secure components;
  • central collection and evaluation of log data;
  • providing your own organisation with all necessary information;
  • the organisation is prepared for the management of security incidents;
  • authentication mechanisms to prevent misuse by third parties;
  • sufficient internal resources are available, external service providers are integrated;
  • qualify and sensitise own personnel in questions of cybersecurity;
  • enforcement of user-oriented segregation measures;
  • the organisation and its members move safely in social networks;
  • in the case of higher protection requirements, confidentiality, availability and integrity are ensured by effective measures and penetration tests are carried out; and
  • supporting protective measures are taken to defend against targeted attacks.

Any conflict or issue with cybersecurity will most likely involve personal data. In that case, the GDPR and the BDSG will be applicable.

This underlines the strong connection between cybersecurity, privacy and data protection.

Under Article 33 of the GDPR, in the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory data protection authority.

This includes information about:

  • the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the controller to address the personal data breach.

Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the Federal Office for Information Security any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.

The notification shall contain information on the failure, on possible cross-border effects and on the technical conditions, in particular the presumed or actual cause, the information technology affected, the type of facility or installation affected, the critical service provided and the impact of the failure on that service.

The BSI founded the Alliance for Cybersecurity in order to strengthen Germany's resistance to cyber-attacks.

Participants in the Alliance for Cybersecurity will have access to an extended range of services, in particular information on the cybersecurity situation, alerts and further background information. Due to the partially confidential nature of this information, the sharing of this content must be restricted and is subject to restrictions under the Traffic Light Protocol (TLP).

Currently, 4,178 companies and institutions are members of the initiative – and more are joining every day.

IT service and consulting companies and IT manufacturers are equally represented in the network as user companies of all sizes and from all sectors. This diversity is an important guarantee for a rich exchange of IT expertise and application experience, from which all participants benefit.

The web-based online service Knuddels that essentially offers a chat for people aged 14 and over was fined EUR20,000 because the user passwords were not stored with encryption. The website was hacked, which is why the infringement was discovered. Knuddels therefore co-operated with the supervisory authority, which is an essential reason why the fine remained modest.

The highest fine imposed by German data protection authorities is EUR14.6 million. The real estate company Deutsche Wohnen SE stored personal data of its tenants without checking whether this was lawful and necessary. Despite a previous request in 2017 to remedy the deficiencies in data protection, no improvement was achieved. Deutsche Wohnen SE has announced that it will take action against the fine.

The Berlin-based company Delivery Hero was fined almost EUR200,000 for not deleting customer data records and for sending illegal advertising mails.

These fines are all based upon violations of the GDPR. Up until now, the BSI has not exercised the right to impose a fine for violations of the BSIG.

Please see 8.1 Regulatory Enforcement or Litigation.

The applicable legal standards are provided by the GDPR, the BDSG, the TKG, the BSIG, the EnWG and the EU Cybersecurity Act.

There are no known major private enforcement cases yet.

In Germany, class actions are generally not permitted, as German law does not allow for group action. In general, each plaintiff must present and prove his or her individual affectedness, individual damage and the causality between the two.

However, in 2018 the model declaratory action was introduced. This enables claims of a large number of consumers who have suffered similar damage to be efficiently enforced. Registered consumer protection associations have the option to establish factual and legal prerequisites for the existence or non-existence of claims or legal relationships determined in favour of at least ten affected consumers. The model declaratory action is conducted exclusively between the plaintiff, the consumer protection association and the defendant. The affected consumers can register their claims in a register of actions and thus achieve the suspension of the limitation period of their possible claims. The ruling on the model declaratory action has a binding impact on the subsequent actions of the consumers. It is to be expected that this instrument will be used for damage claims according to Article 82 of the GDPR. So far this has not been the case, though.

The GDPR provides for draconian penalties for violations. For this reason and because of the reputational and business risks involved, cybersecurity has become a crucial component of due diligence in the mergers and acquisitions sector. The due diligence process shall at least encompass an analysis of the applicable legal requirements regarding cybersecurity, an analysis of cybersecurity practices and, where appropriate, questions to the management department. Share purchase agreements may include guarantees or safeguards of cybersecurity policies and practices, where appropriate.

There is no regulation requiring disclosure for cybersecurity risk profile or experience.

All significant issues have already been addressed.

Heuking Kühn Lüer Wojtek

Prinzregentenstraße 48
80538 München

+49 89 540 31 160

+49 89 540 31 540

t.jansen@heuking.de www.heuking.de
Author Business Card

Law and Practice

Authors



Heuking Kühn Lüer Wojtek is one of Germany’s major commercial law firms with more than 400 lawyers in nine offices across Germany and in Zurich offering service at the highest level. The lawyers in the firms' data protection, privacy and cybersecurity group are leaders in their fields and help clients develop global privacy and data security strategies for today’s digital economy. They advise clients inter alia on data processing agreements, international data flows within groups of companies and binding corporate rules; development of compliance programs (including GDPR compliance); technology-related data usages; on the setting-up and operation of CRM, personnel or other data bases involving personal identifiable information as well as on setting-up of whistle blowing and other reporting schemes. Furthermore, they represent clients towards administrative authorities and in legal disputes related to (alleged) data protection and data security breaches.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.