Cyber and Law – Do's and Don’ts in the Cyber Crisis from a Legal Perspective

With and to co to contribute to this fantastic event with a, a legal topic that is cyber and law, dues and don'ts in the cyber crisis from a legal perspective. Well, I really like these cases actually from a lawyer's perspective. Although the company in, in, in, in many cases is, is breaking down when the, when the client calls and, and says, well, we have a, a little incident, the lawyer says, well, that's gonna be very interesting. And I really like these cases because they're, they, they give you a very good insight into the structure of, of the companies during the crisis. And legally speaking, many legal areas are actually touched. You have, first and foremost the data protection and data security law. You have corporate law, you have labor law, you have intellectual property law. When you think of the disclosure of trade secrets as a result of a cyber incident, and of course you have the question of damages. What, who's, who's liable? And from the perspective of a company, am I able to put the liability away to other people? That is actually the question, the, the core question.
My name is Fabian Baum, I'm lawyer at SKW Schwartz. We are one of the biggest law companies in, in Germany, in the field of IT and digital business law. And I'm very happy and lucky to have been part of many projects in the field of cyber incidents in various industries. And I will give you one or two examples later. Yeah. When this comes outta the printer, as I said, it's gonna be very interesting. What's, what's, what's going on. Then the, the client calls you and says, yes, we have a problem. But I can tell you from a, from a lawyer's perspective, and this is kind of a anticip anticipation of the, the core key takeaways, which I would give you today is three points. Communication from my experience is everything, at least a lot with good communication in the cyber crisis, you can mitigate a lot of legal risks with bad communication.
On the other hand, you can destroy a lot. You can invite many people to claim damages to your company. So be careful of your company and be careful of your communication. Please get involved really good PR professionals, but PR is not enough. Please check every text, every information from a lawyer's perspective because the, the, the communication which you give in the first step is actually the beginning of the litigation, of the litigation, which comes in the end. So that this is really important. The second one is, when I think of damages in the cyber cyber crisis, two, two points are really important. One is the business interruption loss is one of the biggest damages and the, and the most important one. And the second one is the, the damages which data subjects who were affected by the cyber incident and the possible data breach are, are, are coming and the, and the, and the, the damages they claim on the basis of the GDPR as a background for you, the European Court of Justice has made it very easy for them to claim damages.
Like many cases are around five, 500 to 3000 euros per, per, per case. Of course, de depends on the data that is involved and the individual case. This, this is not much when you think of the individual case, but think of you have one 100,000 of customers and you, you multiple this, this amount and then this, this becomes a very, very high amount of possible damage. So these are the two things. And the third point in the cyber crisis have a good cyber insurance. This is the third point from my experience. Otherwise, you have big problems or bigger problems, and if you have it, you can sleep a a little bit better. Yeah. And comply with the insurance contract. Otherwise, the, the insurance will not gonna pay you.
I, I put here on the left hand side some of the reporting obligations, which you have to comply with police. I put a, put a question, this is not compulsory, it is recommendable. Maybe they are gonna help you to, to find the attacker. This is actually a standard, but which we recommend. The next ones are of course, those which arise from the GDPR. You have to inform the supervisor authorities within 72 hours after you have known that you were attacked. So there's a little time and you, and, and in some cases you also have to inform the data subjects affected. But, but not in every case. The presumption is that there must be a high risk that this is in the, in the, in the law in the GDPR, it says it must be a high risk for the data subjects affected. Yeah. And this is not, in every case, the case of course, the interest of a company is always not to inform them because this would again, be an invitation for them to, to claim their potential damages. And, and, and, and trust me, many lawyers and the mass litigation industry is, is following your communication. So if you can avoid to communicate that there's been a cyber incident that, that there's a, a data breach, please think of it and talk to your lawyer in order to avoid this communication.
Which leads me to the second step. Second point in the middle, no communication without a crisis team. Our recommendation, as I said, better, less and well dosed than too much information. Yeah. This is of course depends on the strategy and the philosophy of the, of the individual company. But I give you two examples. In one example, we advised a IT service provider of a big bike leasing company, and the IT provider got hacked and the bike leasing company had the philosophy to communicate very open. They said, oh, sorry, sorry for this, sorry for that. I'm exaggerating. But that was a very open communication strategy. And what happened, we are still, we have still I think more than a hundred cases pending with these claims of damages of customers, of consumers. And on the other hand, this is not a general rule, but on the other hand, we advised a, a department store chain, like or something. It was not called wolf, but, but something, something in this area. And they decided to have a very passive communication strategy. And it actually worked.
We didn't get nearly maybe five or 10, 10 letters of lawyers. So this is not a general rule, as I said, but it's only, should only be an example of the, the importance of the communication strategy. Yeah. And of course information to cyber insurance. This is one, if you have one, this is a core, core instrument. You have to inform them, otherwise they are not gonna pay you. Yeah. Again, centralized control, communication about the crisis team as a lawyer, I'm not saying I'm the communication professional, but it is very important to work hand in hand, get the professionals of the PR industry involved. But let your lawyer look over the, the communication, because this is, as I said, the beginning, the first communication is actually the, the, the beginning and the possible invitation of a, of a litigation process.
Well, that's actually the, the older version. Sorry. Yeah. Another question is ransom to pay or not. This is statistically one third of all companies pay ransoms. I'm not sure actually, from my experience, again, probably less companies pay and the projects I've been involved to and, and as you know, it always depends on, on the case, what possibilities do you have to in your IT and what's, what's actually the, what are the arguments of the blackmailers? Yeah. And, and then you have to decide. And what's quite interesting is in Germany, many people don't know that it's problematic to parents. And because payments to blackmailers are sometimes seen as criminal support for criminal organization. On the other hand, I can tell you I have not not seen any case where the criminal prosecution in the end took place. So, but this is an important aspect also.
Yeah. The potential loss positions in the event of a so incident, the two ones that I considered the most important, I marked in red here on the right hand side. So business interruption loss is the biggest potential damage you have. It's the failure of delivery, it's loss of profit, compensation for data loss. This is this, this can be really, really expensive. And of course the claims were damages on the basis of the GDPR as I explained. Yeah. Who's to blame? This is of course a core question and the decisive question regarding all of the lost positions here, it's nearly always about the question, could the success of the attack have been prevented by different behavior? It's of course the question of is your IT standard compliant with the, with the, yeah, with the, with the standard. And if this is the case, you, you definitely mitigate the risks of, of, of damages, of, of legal damages in the end. And one important point I would like to point out is you have to, or you should carry out your own analysis by your own forensic experts. Don't rely on on the experts of the insurance, for example, because they have a different interest than you and insist on confidentiality, on, on, on confidentiality of the analysis results. So that's really important. Again, a a, a preparation for possible later litigation process.
So yeah. Who pays now? Definitely not the attacker because you don't know him, definitely not the employee. Sometimes the IT service provider, but rarely. And so there are not many players left in the end of the day. It's, again, the cyber insurance in many cases, which on which you rely if it's available, but pay attention to all the insurance exclusions and pay attention to, to the insurance contract and the clauses before you sign it. Yeah. So very, very, this is again, not something really special, but in practice I can say this is, this can be decisive.
Yeah. As I mentioned, three key takeaways from my experience, communication, communication, communication is everything. At least a lot. Pay attention to the claims for damages from affected data subjects. I can tell you maybe what our strategy is when we get all the letters from the lawyers who claim for 2000 euros for their clients, and we, we get them hundreds of those letters in the first step when it's not the, the the on court. Yeah. When it's not on court, we don't react actually. So we let them sue us. Yeah. Let them sue us. We don't pay anything from ourselves. We let, we let our clients be sued. Again, this is a general rule, not a general rule. This is just from my experience. Yeah. And yeah, the last one was, have a good cyber insurance and always comply with all obligations arising from the cyber insurance contract. Very important. So if you pay attention to the three points you will do, you, you will do a good job properly. Thank you very much.