Compensation in the event of cryptotrojans / encryption trojans / ransomware
Claiming compensation for damages
As a rule, an external IT service provider is responsible for making backups. However, because backups are ideally never needed, it is often only when damage has occurred that it becomes apparent that they are inaccessible, incomplete or out of date. The result is usually considerable damage, which typically consists of
the company's own expenditure on data reconstruction,
costs for external service providers for data reconstruction,
loss of profit because data needed for billing or service provision is missing,
damage to the company's image, because the data has to be requested again from customers,
damages payable to third parties because the company's own services cannot be provided, or cannot be provided on time.
What can be claimed in damages depends on the agreement made with the IT service provider. In practice there is often either no written agreement at all or, if there is one, it is very general. Sometimes, however, the applicable agreements can be deduced from e-mails or other correspondence. This material must be used to establish who was responsible for which backup services, to what extent those obligations were breached, and therefore on what basis and in what amount damages can be claimed.
The question of contributory negligence frequently arises. This can be the case, for example, if the company's own systems were not secured according to the state of the art, or if an obviously "dubious" e-mail attachment was opened and the cryptotrojan entered the system as a result.
Precisely quantifying one's own damage is also a frequent problem. For example, how is the damage to the company's image mentioned above to be quantified, what amount can be set for the company's own expenditure, and which third-party reconstruction costs were reasonable?
Early notification to the insurance company
If insurance cover exists, it should be clarified promptly whether the claim needs to be reported. This applies to the company's own insurance as well as to the insurance of the potentially liable IT service provider (so that recourse does not fail because the IT service provider becomes insolvent). Many insurance policies provide for a cut-off period within which claims must be reported.
Update (15.01.2019): If the deployment of the trojan can be attributed to the actions of a foreign state, there is a risk that the insurer will refuse reimbursement on the grounds of "war-like action". Insurance terms and conditions often contain exclusions of liability for "war-like actions". This is what happened in the case of the "NotPetya" trojan.
Reporting obligations and duties
In the short term, action may also be required on a completely different front: contractual and statutory reporting obligations may have to be complied with, and sector-specific laws must be observed. For example, an operator of critical infrastructure within the meaning of the IT Security Act (more precisely: the BSIG) must report significant disruptions to the availability, integrity, authenticity or confidentiality of its IT systems or other critical infrastructure. However, a company only qualifies as an operator of critical infrastructure if it is active in certain sectors and if certain thresholds are reached.
Data protection law also generally provides for immediate notification obligations towards the supervisory authority and the data subjects. Article 33 GDPR sets a deadline of just 72 hours for notifying the supervisory authority. Under Article 34 GDPR, the data subjects may also have to be notified if the breach is likely to result in a "high risk". Articles 33 et seq. GDPR apply generally in the event of a "personal data breach".
Under telemedia law, service providers may also have an obligation to provide information in the event of unlawful acquisition of inventory and usage data in accordance with Section 15a of the German Telemedia Act (TMG).
However, this obligation presupposes that data was unlawfully acquired; in the case of a cryptotrojan that merely encrypts data and does not forward it to third parties, its requirements may therefore not be met. (Whether the encryption alone constitutes a personal data breach under the GDPR must be assessed separately, since the definition in Article 4(12) GDPR also covers the destruction, loss or alteration of personal data, not only its disclosure.)
In addition to the statutory reporting obligations, contractual agreements should also be reviewed. For example, a non-disclosure agreement (NDA) may oblige the company to inform its contractual partner. Even contracts that do not expressly regulate a reporting obligation may give rise to one, e.g. if there is reason to fear that third parties have obtained access data (such as credit card data) that could be used to cause damage to others. Here too, however, it must be examined with a sense of proportion whether such damage is to be expected at all. To this end, it should be established which cryptotrojan is actually present and whether data may have been transmitted in addition to being encrypted.
Update (2018): Adjusted for the change from the old version of the BDSG to the GDPR.