Reports of cyberattacks are increasing rapidly. Companies fall prey to attacks, data is compromised, and sometimes operations must be halted altogether. Just as unpleasant is the question of executive liability: has the managing director acted carelessly, and must he be held accountable?
How do hackers repeatedly penetrate company systems? Hackers usually select their victims deliberately and launch a targeted attack on a specific company. Technical measures help, but they must be backed by processes that allow the company to react quickly and correctly in an emergency. The legal framework is somewhat vague, however, and can be summarised as follows:
1. The General Data Protection Regulation ("GDPR") and the Data Protection Act ("DSG") stipulate that businesses must implement technical and organisational measures to ensure IT security, such as pseudonymisation and encryption (Art 32 GDPR). Ultimately, however, each company decides which measures are actually taken. In principle, fines or penalties are directed at the company (Art 83 GDPR, Section 62 DSG), but pursuant to Section 9 VStG in conjunction with Section 30 DSG they can be imposed on the managing director instead of the company. It is also worth remembering that the GDPR and the DSG apply only to the processing of personal data.
2. The EU Directive on security of network and information systems ("NIS Directive") also prescribes security measures, and here too the concept of "measures" is vague. The NIS Directive requires certain "operators of essential services" to take appropriate IT security measures to minimise the security risks to their network and information systems, and to manage specific incidents accordingly. These operators are also obliged to report significant disruptions. The Directive (and the draft NisG) identifies as operators of essential services public or private entities in the energy, transport, banking, financial market infrastructure, healthcare, drinking water supply and digital infrastructure sectors. Digital service providers (online marketplaces, online search engines and cloud computing services) are also covered by the Directive.
The Directive further requires Member States to set proportionate and dissuasive penalties for infringements. According to the draft report, a fine of up to EUR 50,000 can be imposed for violations of the NisG; repeat offences can be fined up to EUR 100,000.
Section 14 of the draft NisG stipulates that the Federal Chancellor must identify operators of essential services with a subsidiary in Austria. It therefore remains to be seen which companies will be affected by the NIS Directive or the NisG.
3. Irrespective of whether the aforementioned laws apply, liability may also arise from a breach of organisational duties, including IT compliance. A managing director of a GmbH must exercise due managerial care in the performance of his duties (Section 25 GmbHG). If he violates this obligation, for example by neglecting to introduce adequate IT compliance, he may be liable for the resulting damage. In principle, a liability claim arises only in the case of unlawful and culpable damage, i.e. the general conditions for damages under civil law must be fulfilled. Even in the case of slight negligence, damage resulting from a successful cyberattack can render the managing director liable to the company. In principle, the company must prove that it suffered damage because of specific conduct (an act or omission) by the managing director. However, where there is an objective violation of due diligence, fault is presumed, so that the burden of proof shifts to the managing director. A comparable standard of due diligence applies, for example, to members of the executive board of a stock corporation (Section 84 AktG).
Since even the most modern security measures offer no absolute protection against cyberattacks, and since the technical implementation of the legal requirements is left to the discretion of the individual company, a liability risk remains. An appropriate IT compliance system therefore also includes:
(i) technical standards, such as ISO standards, to guide the adequacy of technical and procedural measures;
(ii) cyber-insurance, for example covering claims for damages due to a breach of data protection or confidentiality, or claims for damages due to inadequate network security, to limit the economic impact of a claim; and
(iii) contractual transfer of risks to counterparties (e.g. outsourcing providers).
The introduction of corresponding IT compliance, which also takes cybersecurity risks into account, is an absolute must.
An amendment to the Administrative Penal Code (BGBl I 2018/57) provides some relief. From 1 January 2019, fault is no longer presumed by law if the administrative offence is subject to a fine of more than EUR 50,000 (future Section 5 para 1a VStG). This reverses the burden of proof: the authority will have to prove the fault of the company or its manager(s). Furthermore, following Section 371c GewO, the principle of "consulting instead of punishment" is being incorporated into the VStG (future Section 33a VStG). The authority will have to call for the lawful condition to be restored, rather than impose a penalty, if (i) the fault, (ii) the significance of the legal interest protected by the offence, and (iii) the intensity of the impairment of that legal interest are each low. Initial experience with Section 371c GewO, which came into force in July 2017, can be drawn from a decision of the Tyrol Regional Administrative Court (LVwG Tirol, 23 August 2018, LVwG-2018/15/0903-6).
This article was up to date as at the date of publication, 10 December 2018.