Nowadays, it is impossible to imagine our business world without digitalisation – from digital factories to public administration services on the internet and cloud computing. But it also has a downside, as it provides cybercriminals with gateways for their illegal activities. ‘Digitalisation inevitably leads to greater vulnerability,’ says Dr Hauke Hansen, specialist lawyer for IT, copyright and media law and partner at FPS. ‘With that in mind, increased awareness of this vulnerability on the part of companies and authorities is essential.’ Dr Hansen cites the cyberattacks on the automotive supplier Continental and the bicycle manufacturer Prophete as prominent examples. Hackers even drove the latter into insolvency in early 2023: the company was not able to compensate for the losses incurred from stopping operations for several weeks.
 

A wide range of measures are needed in order to implement the best possible protection against cyberattacks – from careful handling of data to protection through technology. In addition, insurance can help limit any damage that does occur. In any case, if a cyberattack takes place, it is important to know exactly what the legal consequences are. At the FPS Future Talk Cybersecurity, experts from Germany and Israel talked about cybersecurity issues. The following films provide an insight into what was discussed.
 

An interview with Dr Hauke Hansen
 

1. What happens in the event of a cyberattack by hackers?

In the majority of cases, hackers carry out a ransomware attack. This is where malware, such as a Trojan virus disguised as a legitimate email attachment, is introduced into a corporate network so that all the data, including that of operating and control systems, is encrypted. This often brings all the systems to a standstill. In addition, the cybercriminals usually copy the data and threaten to publish it if a ransom is not paid. 

2. What does a good emergency plan involve?

Above all, an emergency plan should contain the measures to be taken immediately. After all, in the event of an attack, it is important to be able to react within hours – preferably within minutes – in order to limit the consequences. The questions at the very top of the list include: who should be informed and what happens if the email and phone systems no longer work? Who pulls the plug to prevent the attack from progressing further? And how can business operations be maintained or restored as quickly as possible?

3. Is it true that hacked companies are also threatened with administrative fines and thus required to pay twice over?

That is possible – specifically if the IT infrastructure was not state of the art at the time of the attack. The legislator underlines the importance of IT security through a legal provision in the General Data Protection Regulation and uses financial pressure to make companies aware of this. In other EU countries, data protection authorities have already imposed fines in the millions. Most German regulators are currently taking a different approach: they see the hacked companies as victims who should not be punished further.

4. How does FPS support the companies who have been victim of an attack?

On the day of the attack, we initially provide digital first aid: we establish contact with external experts, including IT forensics experts, cybersecurity companies and crisis communication agencies. If necessary, we lead the crisis team. On the second day at the latest, attention turns to the legal side: by when and in what way is the data protection authority to be informed in order to comply with the legal obligation and to avoid a fine at the same time? Do employees and customers need to be informed? And once operations are up and running again, we take care of fundamental issues such as defending against claims for damages.
 

Text: Silke Bauer
Images: Jens Lindemann