I'm freaking out!
My company was recently the target of a cyber attack. Our IT specialist is currently mobilised to assess the extent of the loss: financial losses, recovery of compromised data, identification of potentially stolen information... Everything is under the microscope. One question worries me though: am I legally obliged to tell anyone about this incident if I don't want my insurance to kick in? I have the impression that, in many cases, companies prefer to remain silent, out of shame or fear of tarnishing their image.
Jean-Daniel, Geneva.
Yes, in Switzerland, companies are in principle obliged to report a cyber attack if it poses a high risk to those affected.
Under the Federal Data Protection Act (DPA), any company subject to the Act that becomes aware of a data security breach must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible if the breach is likely to result in a high risk to the personality or fundamental rights of the persons concerned (art. 24 DPA). In certain situations, the Federal Office for Cybersecurity must also be informed. Therefore, not all computer breaches must be reported, but only those that are serious enough to compromise the security or privacy of individuals.
In practical terms, this could involve a hacker exposing sensitive data - health information, bank details or identification data - to unauthorised third parties. In such circumstances, the notification to the Data Protection Commissioner must contain a description of the nature of the breach, the likely consequences for those affected and the measures taken to remedy the situation. If these people can protect themselves with this information, they must also be notified individually.
On the other hand, a simple computer breakdown or a quickly aborted intrusion attempt, with no actual access to personal data, does not require notification. However, the company must document the incident, assess the risks and be prepared to demonstrate that no serious breach has occurred.
In your case, it will be necessary to determine whether the cyber attack has actually compromised personal data and whether the risk to the individuals concerned is deemed to be 'high'. If this is the case, an official communication is required, even if it may appear delicate in terms of reputation. Failure to do so could expose the company to administrative sanctions under the DPA.
In the digital world, silence is not always golden. So it's much better to manage this crisis both internally and with the people concerned, to avoid any further nasty surprises.
