Martin Braun is a member of the WilmerHale European Union regulatory group and co-chair of the firm’s big data practice group. He focuses his practice on data protection, cybersecurity and information technology law. Dr Braun has advised German and multinational companies on all aspects of privacy and data protection law, and on general compliance issues, including cross-border flows of personal data, data security, electronic discovery and general document retention issues. Moreover, Dr Braun has significant experience litigating technology and breach issues.
Dr Braun is regularly recommended by legal handbooks as a leading lawyer in the fields of data protection and information technology. He is a regular speaker at data protection and cybersecurity conferences, and among the authors of the WilmerHale Privacy and Cybersecurity Law Blog.
GTDT: What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Martin Braun: Cybersecurity has been a hot topic in Germany during the past year; it has become more visible in general media reporting, and board members and legal departments have started paying real attention to the topic. Companies are also looking into cyber insurance in more detail.
Regarding legislation, Germany implemented the Directive on security of network and information systems (NISD) in late June 2017, mainly by changing the provisions of the Act on the Federal Office for Information Security. With these changes, the concepts, terminology and obligations of the NISD have been implemented into national law.
Most German companies are currently very busy preparing for the implementation of the General Data Protection Regulation (GDPR), which will have full legal effect from 25 May 2018. The GDPR also has a direct impact on cybersecurity, as it will harmonise breach response obligations across the EU, contains express obligations regarding encryption and will require new agreements with processors in many instances.
In terms of general regulatory developments, the German Federal Office for Information Security (BSI), under its new president, Arne Schönbohm, has been very active in increasing the general visibility of cybersecurity topics by reaching out to various stakeholders and successfully forming a substantial number of new alliances in this area.
The BSI has also published a number of technical documents, including the first sector-specific technical standard for critical infrastructure (water supply), and certain minimum security standards for IT activities within the jurisdiction of the government, such as setting up data centres, implementing mobile device management, securing interfaces and using external cloud services. There is also new guidance on securing information society services.
The BSI has updated its guidance regarding the suitability of various cryptographic algorithms and has repeatedly warned about the dangers of CEO fraud. In 2016 a new version of the BSI-authored overall IT security methodology was released, the IT-Grundschutz, which is a very popular standard in Germany, similar to the ISO 27001 standard.
Other regulators have also spent considerable amounts of time reviewing cybersecurity topics. One prominent example is the regulators for financial services on a European and German level that have conducted extensive fact-finding, but have also moved to clarify and extend guidance to financial institutions on how to prepare for incidents and report them.
GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
MB: Until 25 May 2018, when the GDPR has full legal effect, the national German law provisions regarding breach notification obligations will continue to apply.
The most general provision is section 42a of the Federal Data Protection Act. Under this provision, organisations must first review whether the breach concerns certain categories of personal data, namely sensitive data, personal data subject to professional secrecy obligations, personal data related to criminal offences or administrative offences or the suspicion of punishable actions or administrative offences, or personal data concerning bank or credit card accounts. If these kinds of data are involved, the organisation must check if there is a threat of serious harm to the affected individuals’ rights or legitimate interests, in order to make a determination as to whether there is a notification obligation or not. If a breach notification obligation exists, there is an obligation to notify both the respective data protection authority and the affected individuals. The data protection authorities have issued very detailed guidance to help with the interpretation of each of the steps involved in such assessment.
The German Telemedia Act (TMG) and the German Telecommunications Act (TKG) contain roughly comparable additional breach notification obligations for providers of information society services and providers of electronic communications services, if personal data is involved. The obligations in the TKG are based on the framework in Directive 2002/58/EC. In addition, there are sector-specific obligations (eg, in social security, energy, financial services, electronic signatures).
The implementation of the NISD has created additional notification obligations that are not tied to personal data but to security incidents in general. This has created certain challenges as one breach may require the notification of several regulators. Some regulators have started to actively remind organisations about the breach notification obligations and many have made online tools available for the actual reporting.
In terms of enforcement, fines for failing to report breaches are not common, but warnings have increased. There has been very little litigation commenced by individuals affected by breaches so, in general, the notification obligations to regulators and data subjects take centre stage when evaluating breach response strategies.
GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
MB: It would be extremely difficult for companies to meet the legal requirements to notify breaches if they had not planned and prepared for a data security incident. The timelines for the required notifications are ambitious, and investigating the facts and legal consequences of the incident is very often extremely challenging.
Companies must try to quickly determine what has actually happened, prevent any more data from being leaked and then decide whether there is a legal obligation to notify the breach to regulators or affected individuals. Depending on the extent of the breach, there may be obligations to inform shareholders, and there is very often also a need to check the actual insurance status. Finally, the public relations fallout can be very significant and needs to be actively managed.
Following a breach notification, data protection and other regulators might also be interested in the company’s activities in general, so companies should be prepared that such notifications may lead to additional audits in related and unrelated fields.
If a breach or a suspected breach has occurred and needs to be investigated, such investigation itself is subject to German data protection and employment laws. These are highly relevant in a number of respects. Generally, German data protection authorities have been taking a rather strict view regarding the retention of data, such as log files in preparation for possible investigations, which can make it difficult to trace attackers. In addition, the scope of possible investigations may be limited because the authorities have taken the position that employers who permit private use of the internet and email are subject to secrecy of telecommunications, putting them at risk of criminal investigation if the review of a breach or security incident includes data and information that is protected by the secrecy of telecommunications. Finally, many companies have an organised workers’ representation, the works council, which needs to be involved in most IT-related topics.
Third parties involved in investigating and responding to a breach must be contractually bound to maintain confidentiality and to implement appropriate IT security measures. In many instances, they will be acting as processors, which means that there needs to be a written agreement with certain mandatory content as required by German law. If, for example, forensics firms are located outside the EU, there will be additional issues regarding international data transfers.
GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
MB: Preparation is crucial. We recommend setting up an internal and external panel of experts, which would include forensics firms and outside lawyers as well as advisers for public relations topics, and entering into the required contracts well before an incident occurs. This would include the required data protection language in these agreements. This will save critical time if there is an actual incident.
A written detailed breach response plan is another critical element of the preparations. There are still too many companies with a response plan that is essentially: ‘We will inform management, the legal department and IT, and they will work this out.’ These plans need to be much more detailed in order to be useful in practice, and there needs to be a list of individuals assigned to be the core incident response team.
We also suggest testing the plan periodically by simulating an incident or a breach and going through the required steps, including possible additional complications that only develop after the investigation has begun.
For organisations with an international footprint, there must be an alignment of local, regional and international plans. This requires careful consideration with regard to issues such as how to respond to situations where decision makers are located in different time zones.
Finally, given the rapid development of applicable law and regulatory guidance, there is a need to continually monitor legal developments and to update the plans accordingly.
GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
MB: The German public is quite sceptical of cloud computing, but German organisations are increasingly moving their data to cloud providers.
From a German data protection law perspective, cloud computing is usually a form of a controller-processor relationship. For this, the Data Protection Act requires a written contract with certain mandatory content. In practice, there is an unofficial market standard for this kind of contract based on templates published by data protection authorities and industry associations.
International data transfers to recipients outside the EU are usually of particular interest: German customers very often demand that the cloud environment be located in Germany, or at least in the EU, even though the European and German legal framework for international data transfers to recipients outside the EU would typically apply and allow transfers in other countries, such as the US. Vendors who have opened data centres in Germany have been able to attract many German customers who had been sceptical about cloud computing beforehand.
Organisations need to remember that the international transfer restrictions still apply if the data is stored in Germany, but there is access to the data from outside the EU.
In dealing with the different means for ensuring a legal basis for international data transfers, German companies have very often expressed scepticism regarding the medium- and long-term survival of the EU-US Privacy Shield and very often demand that vendors enter into standard contractual clauses, even though a vendor is already certified under the Privacy Shield. The Snowden allegations remain at the forefront of German customers’ minds, and vendors from countries outside the EU continue to face very intense scrutiny regarding possible obligations to cooperate with law enforcement in their home countries.
Regarding the use of standard contractual clauses for cloud computing projects, the German data protection authorities have been taking the view that the export of sensitive personal data is, in most cases, not possible despite standard contractual clauses being used. The data protection authorities have taken the view that standard contractual clauses do address the additional requirements of a transfer to recipients outside the EU, but that the provisions of the Data Protection Act must be interpreted as not allowing the transfer of sensitive data if the receiving processor is located outside the European Union. The good news from a German law perspective is that, generally, there is no requirement to obtain approval from the data protection authorities for exports of personal data to recipients outside the EU, and there are also no requirements to notify such transfers to the authorities.
We highly recommend that the technical and organisational measures of the respective cloud provider are reviewed in detail, and that such review is documented. There is also a legal requirement to periodically update such review as IT security standards and measures can change over time. Encryption of data, both at rest and in transit, tends to be a topic that attracts significant interest in this context.
When thinking about using cloud services, organisations should also check for legal requirements arising out of other areas of the law; for example, tax law, which requires that certain tax-relevant documents are kept in Germany (or at least the EU) and restrictions applying to certain sectors, such as public administration, certain forms of insurance and professional services.
GTDT: How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
MB: Germany had implemented national laws very similar to the NISD before it was finalised, but was very quick in implementing the Directive. In the light of recent ransomware attacks, sophisticated attacks against the German parliament and widespread fears of foreign countries trying to interfere with the national election in September 2017, many stakeholders have already argued that additional measures need to be taken to deal with cyberthreats on a national and European level.
The BSI and the domestic intelligence services are very actively involved in raising awareness of cybersecurity threats and in making specific recommendations (eg, in response to ransomware, CEO fraud and general IT security threats).
Law enforcement, while generally understaffed when dealing with the complexities of cybersecurity threats, has set up central units in most German states with special cybersecurity expertise. These units have had some notable successes in the past months in tackling large-scale online crimes. Companies are strongly encouraged to contact law enforcement if they are the target of online criminals.
GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
MB: Unfortunately, privacy and data security issues are still very often not treated with the required care in the context of M&A deals. A company’s data and IT systems are very often a crucial factor for the entire operation, and particular care should be used to determine if data, especially customer data, has been collected lawfully and whether it can be used as intended post-closing.
German data protection authorities have started issuing fines where the parties to an M&A transaction have wrongly assumed that they could sell customer data and failed to comply with legal requirements regarding personal data (eg, of customers and employees). There is often a basic legal obligation to inform about the transaction, but there may also be a consent requirement.
In the context of increased attacks against companies’ IT systems, due diligence should be a key focus to determine whether business secrets, critical know-how and personal data have been properly protected against theft.
Valuations of companies are now critically dependent on IT security, and hackers are becoming more sophisticated by the day.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
A key attribute that clients should look for in a cybersecurity lawyer is the ability to build bridges between legal topics and technical topics. The lawyer needs to be able to explain legal concepts and requirements to a non-legal, especially technical audience, but he or she also needs to be able to truly understand what has happened from talking to technical experts. The lawyer must be very familiar with both worlds if he or she is to be an effective leader in a crisis.
Naturally, there is the requirement to know the law, ideally in all relevant areas involved, ranging from breach notification laws and privacy laws to sector-specific regulations and corporate law, together with an ability to review all developments through the eyes of a litigator. The regulatory framework is evolving quite dynamically, so it is important to be up to date regarding the latest developments.
Project management skills, and experience with internal investigations and crisis situations are also critical skills, allowing the lawyer to take a leadership role in what can very often be an existential crisis for the client. For larger clients, the ability to work in an international set-up and across time zones will be important.
What issues in your jurisdiction make advising on privacy and cybersecurity complex or interesting?
Cybersecurity and privacy work occurs at the intersection of a large number of legal and non-legal areas, making it very interesting for those willing to develop the necessary expertise in these areas.
While preparations for the GDPR are currently taking centre stage, cybersecurity is also moving at high speed. Incidents and breaches can be a threat to the survival of an organisation and helping clients navigate challenges in this kind of crisis is usually very rewarding.
How is the privacy landscape changing in your jurisdiction?
The privacy landscape is currently dominated by preparations for the GDPR and most organisations have a lot of work to do before May 2018.
Unfortunately, international data transfers and their legal bases have been subject to significant changes and uncertainties for years, and these are expected to continue.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Unfortunately, there is a wide range of threats in the cybersecurity field and companies need to prepare for all of these. Recent developments have made it clear that ransomware can have a crippling effect on companies, and all possible steps should be taken to prevent or at least mitigate these kinds of situations. Threats arising out of non-technical attacks, such as CEO fraud, persist and have even increased. This demonstrates that effective defensive measures against cybercrime are not limited to technology, but also need to involve organisational measures and, in particular, increased training of employees.