Last week, FRA Director Kaisa Karvonen attended the GIR Live conference in Frankfurt, hosted by Freshfields Bruckhaus Deringer and Debevoise & Plimpton. The conference focused on two interesting and current topics: “Cyber incidents: Data breach – investigations and defense” and “Internal investigations, reform and legal privilege.”
Below are Kaisa’s key insights from the event:
Cyber incidents: Data breach – investigations and defense
The panel chaired by Thomas Schürle (Debevoise & Plimpton) discussed the type and occurrence of cyber incidents, the do’s and don’ts in reacting to compromised systems and the involvement of the authorities in the process. An initial question was posed around the risk of exposing a company to a secondary investigation in the event that a company approached the authorities and no perpetrators were found – would this be a double-edged sword, opening up potential vulnerabilities e.g. in the area of GDPR?
The insightful conversation with Mirko Manske, Detective Chief Inspector and Team Leader at the Federal Criminal Police Office of Germany, highlighted that the correct and most effective thing to do was to contact the authorities immediately. According to Mr Manske, the chances of evidence being tampered with are high where internal investigations into cyber incidents are conducted, and deploying active investigative measures (not letting the attacker know they are being watched) is a more effective strategy. If the attacker is not caught and the company merely remediates the affected systems and processes, the likelihood is high that the attacker will return.
Rebutting the concerns about a double-edged sword, Mr Manske said that the aim of law enforcement was to go after the perpetrators and “not to throw mud” on the company. In fact, finding a nexus to a jurisdiction that is tougher on the perpetrators is sometimes the best outcome, as the prospect of higher penalties for attackers can lead to better information being obtained.
Cyber criminals today are very sophisticated, and the private market is seeing the second-hand use of state-sponsored attack tools. At the same time, corporations’ defense mechanisms have matured and simple attack techniques no longer suffice. Mr Manske attributed the latest tools and cyber-attack schemes seen in Germany to Russian, Iranian and Chinese military and government operations. Encryption Trojans and ransomware represent the current major trend in Germany, and there is currently no end in sight. At the same time, the easiest attack vectors remain human error and the fact that access to company information is not controlled on a “need-to-know” basis.
Luke Dembosky from Debevoise & Plimpton stressed that companies have much more to lose in a cyber-attack than GDPR-relevant data: if the company’s strategic systems are compromised, it might fail to operate at all going forward. An incident response plan should cover current schemes such as ransomware attacks, and the company should maintain cross-functional responsibility for cyber security and incident response. Making the IT team solely responsible in an attack, or distributing the response functions too widely without coordination, will result in failure. Ideally, a company deploys a core team model with an initial point of escalation and decision, and then pulls in the relevant functions such as communications, IT, legal and regulatory compliance where required. It is also good practice to involve cyber insurance, maintain SoWs (statements of work) with forensic and cyber specialists, and conduct live exercises once or twice a year to maintain awareness. These are areas where Europe still lags behind the US in practice.
The panel found that, rather than increasing the regulation around cyber defense, “Digital Darwinism” is seen as key to better protection. Effective cyber incident response will become a prerequisite for survival in the future. And whilst law enforcement is helping companies in this area, it also relies on close connections with companies and collective information gathering to strengthen its capability in responding to cyber-crime.
Internal investigations, reform and legal privilege
Martina de Lind van Wijngaarden (Freshfields Bruckhaus Deringer) led this panel, which focused on the upcoming German legislation on corporate criminal law and how it is anticipated to change the investigative landscape in a country that has seen many high-profile white-collar cases in recent years, but only a few convictions and relatively small local fines and penalties.
According to Ms de Lind van Wijngaarden, a draft of the act on corporate criminal law was “officially leaked” to a couple of law firms and industry bodies in Germany and is expected to become law, possibly as soon as 2020. Germany, as one of the few EU member states without an existing corporate criminal law in place, is now expecting inter alia:
- Principle of legality, with the public prosecutor required to investigate where an initial suspicion of a company-related offence exists. 15,000 convictions per year are anticipated;
- Tougher penalties (the draft foresees penalties of 10% of global group revenues for a single act);
- Extension to crimes committed abroad, not just Germany;
- Strong incentives to conduct internal investigations (50% reduction of fines/sanctions for cooperation); and
- Premium on compliance, with deferred prosecutions becoming available in certain circumstances and monitorships being introduced.
The panel contemplated the effectiveness of the execution of this new act in light of the decentralized German prosecution offices and the reality that prosecutors do not regularly share information. The specialists also judged the expectation of 15,000 prosecutions annually as unrealistic due to current resourcing constraints in the public prosecutors’ offices. In comparison, the UK experience had shown that five years of allowing deferred prosecution agreements had resulted in exactly five of them.
Another significant issue discussed in the new investigation process was the requirement in the proposed law for a company to maintain a strict separation between the defense and the internal investigation (‘Chinese Walls’). As the company is expected to decide on potential cooperation with the authorities early in the investigative process (in order to obtain the potential relief in sanctions), it has to make the difficult call between the DPA and the defense options quickly, including whether to hand over data to the prosecution.
In line with the considerations around potential employee self-incrimination referred to in the US v. Connolly case, the new act provides for the internal investigator to give employees notice, allow for legal assistance, and preserve their choice as to whether to testify against the company, as the statements may be used as part of the criminal proceedings and against the employees themselves. More generally, the prosecution will consider the investigative process and whether it met these due requirements when deciding on a potential reduction of sanctions.
On the topic of maintaining legal privilege, the panelists remained cautious. Whilst legal privilege in an investigation seems uncertain under the current laws, no significant change is expected with the new legislation. This casts doubt on the appeal of the 50% reduction in fines and sanctions for cooperation. The panelists concluded with some thoughts on the importance of resolving the issue of legal privilege before the new law’s enactment, as it is a fundamental element of an investigation that enables the protection of witnesses.
For more information about this topic, please reach out to one of the authors or your regular FRA contact.