What are the legal implications of IT security incidents, and what sensible countermeasures can companies take in advance? In an interview we discuss this with Stefan Hessel, LL.M., attorney-at-law, who works as Senior Associate and Co-Head of the Digital Business Unit at reuschlaw Legal Consultants in Saarbrücken. Mr Hessel advises companies on complex issues in the fields of data protection, cybersecurity and IT law. On 17 September, the legal expert will be speaking on Incident Response Agreements at the Internet Security Days.
Mr Hessel, what are the possible legal consequences for companies in the event of IT security incidents?
Mr Hessel: In Germany, there is no uniform law for dealing with IT security incidents. For this reason, the legal consequences for companies can be very diverse. For example, if personal data is affected, there may be a data protection breach, which may require notification of the data protection supervisory authority under the General Data Protection Regulation (GDPR). There are even stricter regulations, for example, for critical infrastructures or for other risk areas such as autonomous driving or e-health. If the IT security incident concerns a product, warranty or manufacturer’s liability may also be involved. Therefore, when we are informed about an incident, we usually ask a lot of questions to get the best possible overview of the facts. We then check which legal requirements have to be observed.
What makes Incident Response Agreements so important? Which legal requirements do companies have to observe?
Mr Hessel: Incident Response Agreements are contractual agreements for managing IT security incidents that companies can enter into with service providers or business partners. In view of the patchwork of legal regulations, they help to ensure that IT security incidents are dealt with quickly and securely, and they can help to avoid legal ambiguities. Incident Response Agreements are subject to freedom of contract, which allows companies to determine their content to a large extent. On the one hand, this is a great advantage, because the agreements can be designed very individually and adapted to the specific situation. On the other hand, the freedom to draft contracts also entails a certain risk, because many different scenarios have to be considered and regulated when drafting the contracts. It is particularly important that lawyers and IT experts work closely together.
What countermeasures can companies take in advance?
Mr Hessel: The most important preventive countermeasure against IT security incidents is to make cybersecurity and compliance with the relevant laws a top priority in the company. Ideally, this can be done, for example, through a binding IT security policy and corresponding instructions to the company’s employees. Furthermore, companies should not underestimate the legal implications of the issue. There are already a lot of legal requirements to be observed in your own company when it comes to IT security measures; data protection is just one example. The importance of legal regulations becomes even greater when it comes to the IT security of service providers, business partners or even suppliers. Without a contractual arrangement, it is usually not possible to implement certain IT security measures. In such situations, a combination of legal and technical or organisational measures is also very useful and important from a preventive point of view.
Thank you very much for the interview!
Detailed information on the topic will be available at the Internet Security Days 2021.
Mr Hessel welcomes your questions!