Are attacks on mail servers = reportable data protection incidents?

At the beginning of March 2021, Microsoft announced that Microsoft Exchange had security vulnerabilities. Microsoft Exchange is a mail server product that is used millions of times worldwide, so this was a threat to servers that are used millions of times and can be accessed from the Internet, and which were often already infected / actively attacked by this vulnerability.

Although Microsoft quickly provided security updates that could be installed by those affected and also a check script for Exchange Server, with which those affected could check whether their servers had been hacked, it was already too late for some of those affected: numerous companies became victims of a hacker attack.

For the companies concerned, the question now arises as to when a reportable data protection incident exists and what information obligations they are then subject to, and whether such an incident exists in the specific case of Microsoft Exchange.

When is a data protection incident subject to notification?

When a data protection incident is subject to notification is regulated in Art. 33 GDPR. Accordingly, there is a notification obligation "in the event of a personal data breach [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

The first question is therefore when a "personal data breach" actually exists. Article 4 No. 12 GDPR provides a definition in this regard. Accordingly, a personal data breach is "a breach of security leading to the destruction, loss or alteration, [...] or unauthorized disclosure of, or access to, personal data [...]".

According to Art. 4 No. 1 GDPR, personal data is any information relating to identified or identifiable natural persons.

A breach according to Art. 4 No. 12 GDPR of the security of this data occurs when it is destroyed, lost, altered, disclosed without authorization or made accessible without authorization. This therefore initially includes all data mishaps and data leaks. Also included are technical problems and system crashes that have corresponding consequences, as well as hacking attacks and theft of data.

In order to obtain a better overview of reportable incidents, there are information options in individual federal states via the supervisory authorities. In addition, the Guideline of the European Data Protection Board of 19.01.2021 provides many examples and a good overview.

What are the information requirements?

If there is a reportable data protection incident, the next question that affected companies ask themselves is: Who must be informed?

First of all, there is a notification obligation towards the competent supervisory authority according to Art. 33 DSGVO.

In addition, however, data subjects such as customers, clients or employees must also be notified individually if a high risk to the personal rights and freedoms of natural persons is to be assumed (Art. 34 I GDPR). This is usually the exceptional case and occurs when serious consequences or impairments for the data subject are to be expected (for example, identity theft or breach of confidentiality of professional secrecy). The fact that affected persons must be notified individually is particularly the case for the loss of bank data or patient data. However, the individual case is always decisive and the data protection officer should always be consulted.

Is there a reportable data protection incident in the Microsoft Exchange case?

Whether this is a reportable incident is actually disputed. While the supervisory authority in Hamburg states that a reporting obligation only exists if it has actually been determined that data has been leaked, the supervisory authority in Baden-Württemberg states that there is a general reporting obligation, and the supervisory authorities in Lower Saxony and Bavaria state that even the late installation of Microsoft updates leads to a reporting obligation.

Companies that discover that they have been affected should therefore report this immediately to the supervisory authority. However, if no data leakage could be detected, a report is probably not necessary, but should always be assessed by experts on a case-by-case basis. In any case, all incidents and measures should be documented and the IT systems should be checked regularly by experts.

Professional advice and assistance is essential in this regard.