Are attacks on mail servers = reportable data protection incidents?

At the beginning of March 2021, Microsoft announced security vulnerabilities in Microsoft Exchange. Microsoft Exchange is a mail server product used by millions of organizations worldwide, so the vulnerabilities threatened millions of servers that are reachable from the Internet, many of which had already been compromised or were under active attack by the time the announcement was made.

Although Microsoft quickly provided security updates that those affected could install, as well as a check script for Exchange Server with which administrators could check whether their servers had been compromised, it was already too late for some: numerous companies became victims of the attacks.

For the companies concerned, the questions now are when a reportable data protection incident exists, what information obligations then apply, and whether such an incident exists in the specific case of Microsoft Exchange.

When is a data protection incident subject to notification?

Art. 33 GDPR regulates when a data protection incident must be reported. According to this provision, there is a reporting obligation "in the case of a personal data breach [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

The first question is therefore when a "personal data breach" exists at all. Art. 4 No. 12 GDPR provides the definition: a personal data breach is "a breach of security leading to the [...] destruction, loss, alteration, unauthorised disclosure of, or access to, personal data [...]".

Personal data is any information relating to identified or identifiable natural persons in accordance with Art. 4 No. 1 GDPR.

A breach of the security of this data pursuant to Art. 4 No. 12 GDPR occurs if it is destroyed, lost, altered, disclosed without authorization or made accessible without authorization. This initially covers all data breaches and data leaks. Technical problems and system crashes with corresponding consequences are also covered, as are hacking attacks and data theft.

To obtain a better overview of reportable incidents, the supervisory authorities of the individual federal states offer information resources. In addition, the Guidelines of the European Data Protection Board of 19.01.2021 provide many examples and a good overview.

What are the information requirements?

If there is a reportable data protection incident, the next question that affected companies ask themselves is: Who must be informed?

First of all, there is a notification obligation towards the competent supervisory authority according to Art. 33 GDPR.

In addition, however, data subjects such as customers, clients or employees must also be notified individually if a high risk to the rights and freedoms of natural persons is to be assumed (Art. 34 I GDPR). This is usually the exception and applies when serious consequences or impairments for the data subject are to be expected (for example, identity theft or a breach of professional secrecy). Individual notification of affected persons is particularly required in the case of a loss of bank data or patient data. However, the individual case is always decisive and the data protection officer should always be consulted.

Is there a reportable data protection incident in the Microsoft Exchange case?

Whether this is a reportable incident is actually disputed. While the supervisory authority in Hamburg states that a reporting obligation only exists if it has actually been determined that data has been leaked, the supervisory authority in Baden-Württemberg states that there is a general reporting obligation, and the supervisory authorities in Lower Saxony and Bavaria state that even the late installation of Microsoft updates leads to a reporting obligation.

Companies that discover that they have been affected should therefore report this immediately to the supervisory authority. If no data leakage could be detected, a report is probably not necessary, but this should always be assessed by experts on a case-by-case basis. In any case, all incidents and measures should be documented and the IT systems should be checked regularly by experts.

Professional advice and help are essential.
