Cybercrime is causing a boom in law firms

Düsseldorf. Around 40 terabytes of data from the DAX-listed group Continental fell into the hands of cyber criminals in the summer of 2022. For a month, the Lockbit extortion group remained undetected in the automotive supplier’s internal network and stole confidential information belonging to many thousands of the company’s current and former employees and customers.

The group is still dealing with the data theft to this day. More than 300 employees and a team from the auditing firm KPMG are working on the case.

“The threat situation in cyberspace is tense, dynamic and diverse and therefore higher than ever,” summarized Gerhard Schabhüser, Vice President of the Federal Office for Information Security (BSI), describing the situation in the management report for 2022.

For lawyers specializing in IT law and data protection, this development is causing a boom. “Cybercrime has increased dramatically, especially in the past two or three years,” reports Eren Basar, a partner at the Düsseldorf law firm Wessing & Partner who specializes in IT and data protection criminal law. “The corona pandemic acted like a fire accelerator,” says Basar.

It has provided a boost in digitization in the globalized working world and opened more and more gateways for hackers, not least through poorly protected home office networks. “Companies have become more vulnerable because the management of security has not grown to the same extent,” says Basar, who advocates a trained cyber board member in management.

Criminal energy is increasing

The attackers are acting more and more professionally. “A veritable industry has developed, with criminals offering their malware for use in cyber attacks by third parties on the Internet,” observes data protection expert Flemming Moos, partner in the Hamburg office of the Osborne Clarke law firm. “They operate worldwide, the majority of such attacks come from Russia or China,” says Moos.

Data theft is often lucrative for cyber criminals. As in the Continental case, they threaten to publish the data to the detriment of the company unless a sum in the millions is transferred. Another variant is to paralyze the company network until a certain sum is transferred. The company’s business is then affected for days or weeks.

Many companies finally give in to the blackmailers’ demands because otherwise they would find themselves in existential difficulties. The number of unreported cases is high, and the public usually does not find out anything. Payments often flow abroad in the form of cryptocurrencies.

Another variant of cybercrime is CEO fraud, also known as “presidential fraud” or “business email compromise”. The scam: scammers pretend to be the CEO or a high-ranking manager of a company in order to trick employees into transferring money, for example for a short-term company purchase.

The perpetrators often use fake emails or fake identities to appear credible and deceive the victims. They play on the authority and trust of employees, especially in financial matters, and exploit them to achieve their goals. According to estimates by the US federal police FBI, the damage worldwide runs into billions.

Well-known European victims are the Bavarian car supplier Leoni and the Austrian aircraft parts manufacturer FACC. They were each cheated out of around 40 million euros. And the use of artificial intelligence (AI) threatens to bring even more danger in the future. The e-mail attacks are likely to become even more personalized and thus harder to see through.

The companies’ chances of getting the funds back are slim. “Companies usually only have to try to freeze the funds,” says Düsseldorf compliance and criminal law expert André Szesny, partner at Heuking Kühn Lüer Wojtek. “There are definitely ways to do this, but the money extorted from cyber attacks is often irretrievably gone,” says Szesny, who regularly deals with the consequences of cyber attacks.

Osborne Clarke lawyer Moos not only advises numerous companies where attacks have taken place, but also those that want to arm themselves. “Many are aware of how great the risks have become. They want to eliminate weak points and be prepared for the worst-case scenario,” says Moos. The weakest link in the security chain is the staff: according to the US company Verizon’s Data Breach Investigations Report 2022, 82 percent of security breaches can be traced back to a human factor.

Increasingly, clients want to use so-called tabletop exercises to simulate emergencies. In these exercises, the potential effects of a targeted cyber attack are demonstrated and the weaknesses of various possible responses are identified. “It helps a lot to sensitize employees and to study processes,” says Moos.

Stricter legal requirements

Not only are the attacks becoming more numerous and more severe, the legal requirements for companies have also changed a lot in recent years. In particular, the General Data Protection Regulation (GDPR), which came into force in May 2018, poses new challenges for companies.

The legislator has obliged companies to protect a lot of their customers’ and business partners’ data more carefully. Violations can result in high fines. If they are serious, the fine is up to 20 million euros or, in the case of a company, up to four percent of the total annual turnover achieved worldwide in the previous financial year, whichever is the higher.

Data protection lawyer Tim Wybitul regularly comes into play after a cyber attack. The lawyer is a partner at Latham & Watkins in Frankfurt and assists companies in data protection disputes with authorities or in court. Wybitul’s work for the real estate group Deutsche Wohnen, for which he averted the highest fine that authorities in Germany had imposed to date in 2021, is well known.

“Even after a cyber attack, a lot can still go wrong,” he knows. “Legal sanctions threaten not only if the data has not been adequately protected, but also if the company does not communicate properly afterwards,” says Wybitul. If companies become aware of a personal data breach, they must report this to the data protection supervisory authorities – unless the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.

“The company must inform the competent authority immediately and if possible within 72 hours,” explains Wybitul. If a company does not comply, there is a risk of high fines.

Higher demands on lawyers

Therefore, there should be detailed plans for responding to emergencies. “The emergency plans should provide for specific assignments of tasks and roles to clarify and document the incident and to minimize damage, but also for communication with the authorities, those affected, business partners and employees,” says Wybitul. The managing director or board of directors and not the data protection officer are responsible for data protection and the reporting of violations.

The law firms have reacted to the developments. They support companies in questions of cybercrime with teams that bring different qualifications. “In addition to IT and data protection experts and criminal law experts, we also involve corporate lawyers, because the liability risks for board members have increased,” says Heuking partner Szesny.

According to Wessing partner Eren Basar, anyone who wants to provide advice on IT and data protection must not only have legal, but also technical know-how: “Advice on cyber issues requires much more than mastering the legal trade. Lawyers have to constantly deal with the IT tool and how to optimize it for the benefit of the client.”

Civil lawsuits from private individuals or companies whose data has not been adequately protected are another risk for companies. A leak at the online broker Scalable Capital, for example, gave unauthorized persons access to highly sensitive personal data. At the end of 2021, the Munich I Regional Court awarded a customer 2,500 euros in damages.

“There is a litigation industry developing here. In individual cases, it is usually only a matter of a few hundred euros. But if many thousands of customers are affected, the total sums can be high,” explains Moos. The plaintiffs benefit from the fact that there are new instruments, such as class action lawsuits, which reduce the burden of legal action. Legal tech firms are also lowering the hurdles for such privacy violation lawsuits.

Increasingly, companies are protecting themselves against cyber risks with special insurance policies. However, there is a catch: coverage is usually very limited. Very serious cyber incidents that cause major damage are usually only partially covered.
