Microsoft Exchange – should affected companies report to the regulatory authorities as late as now?

Authors: Silvia C. Bauer, Elena Jopke


A huge Microsoft Exchange data breach went viral in early March 2020. After Microsoft had been aware already for two months of the four vulnerabilities in the programme through which hackers were able to intercept data and install malware, the company released a software update on 2 March 2020 that was able to close the security holes. While hackers were still covertly infiltrating servers during the period from January to March, after the update was released they specifically targeted companies that did not install this update quickly enough. According to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), they managed in this way to gain access to 57,000 servers in Germany alone within a very short time. Once a system has been successfully accessed, the attackers can read e-mail accounts and address books, intercept data and install malware for further use without hindrance, even after the update. You can read the information from the Federal Office for Information Security about the classification of the incident as belonging to the highest threat level here. You can use the Microsoft investigation guidance to find out whether you are affected.

What does the law say about the obligation to report the data breaches (if any)?

Pursuant to Article 33(1) GDPR, companies as controllers must notify data breaches to the supervisory authorities. The notification should describe the nature of the personal data breach including, where possible, the categories and the number of data subjects concerned and the categories and the number of personal data records concerned, communicate the contact details of the data protection officer (or other contact point), and describe the likely consequences of the data breach, the measures taken to address the personal data breach and any measures to mitigate the damage caused.

The aforesaid information may be provided gradually, in line with the knowledge of the breach, pursuant to Article 33(4) GDPR. The (first) notification must be made as soon as the controller is aware of the nature, circumstances and time of the data breach and the categories of data concerned. Only exceptionally, where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, may the notification of the breach be dispensed with. The controller must carry out a risk assessment, which can be performed using the guidelines issued by the so-called Data Protection Conference (Datenschutzkonferenz – DSK), the body of the German data protection supervisory authorities. Aspects to be taken into account include, in particular, the nature of the breach, the type and scope of the data concerned, whether third parties will be able to attribute the data to data subjects, the severity of the consequences for the data subjects and the worthiness of protection of the data subjects (e.g. children).

The notification must be made to the competent supervisory authority within 72 hours. Whether a supervisory authority is competent depends on the place where the processing of the personal data takes place, Article 55 GDPR. The notification may also be made later; in this case, however, specific reasons must be given for the delay. The more serious the breach and the longer the delay, the more difficult it will be to justify a delay. The notification can be made in writing in order to comply with the documentation obligation pursuant to Article 5(2) GDPR.

If the notification is not made, or it if is made late without justification, the supervisory authority may order the company to provide any information it requires without delay, Article 58(1) GDPR, or impose an administrative fine of up to EUR 10 million or 2% of the worldwide turnover of the entire group of companies in the previous year pursuant to Article 83(4)(a) GDPR.

Pursuant to Article 34 GDPR, in the event of a high risk to the rights and freedoms of natural persons, for example, if particularly sensitive data within the meaning of Article 9 GDPR (e.g. health data) is affected, the controllers must additionally inform the data subjects of the data incident without undue delay. Whether a high risk exists can be assessed using the guidelines issued by the Data Protection Conference. The obligation to inform does not apply if the data was encrypted or pseudonymised or other appropriate technical and organisational measures have been implemented to protect the data, or if the risks have been completely eliminated by means of subsequent measures. Supervisory authorities may require controllers that have not already communicated the personal data breach to the data subjects to do so. If a company does not comply with the order, it may be subject to an administrative fine of EUR 20 million or 4% of the group’s worldwide turnover in the previous year, pursuant to Article 83(6) GDPR.




The crucial question is: do companies have to notify the Exchange data incident?

The Microsoft Exchange data breach was made public at the beginning of March through numerous press reports and information from public authorities. It is unlikely that this has escaped the attention of companies, who could, therefore, expect that a data incident might also have occurred in their own business during this period of time. As a result, companies would have been obliged to immediately check whether and to what extent they were affected and data had been tapped and malware installed on their servers. They would have been obliged to notify the data breach (if any) to their competent supervisory authority within 72 hours.

What do the data protection supervisory authorities say about this?

Unfortunately, the data protection supervisory authorities do not all take the same view: while the majority of state commissioners for data protection, including those of Hamburg[EJ1] , Saxony-Anhalt, Mecklenburg-Western Pomerania, Rhineland-Palatinate, Saxonyand Lower Saxony, stated that a notification “only” had to be made if the company had been compromised, the state commissioner of Baden-Württemberg took the view that the notification could probably only be dispensed with in exceptional cases. The state commissioner of Bavaria was even stricter in his assessment of the situation: in his opinion, any company that has knowledge of a data breach in its business and has not installed the security updates by 9 March 2021 must notify the supervisory authority, given that after said date the risk can no longer be expected to be small. According to the Hessian state commissioner, companies must take action “at the latest now” (as per 12 March 2021) in order to comply with their obligations under Article 32 GDPR. The state commissioner for data protection and freedom of information of North Rhine-Westphalia was also more lenient in his assessment. According to him, a notification is only necessary if a data leakage or manipulation has been detected, and only if particularly sensitive data within the meaning of Article 9 GDPR is affected, while in all other cases internal documentation of the incident suffices.

According to the information available, the supervisory authorities are currently trying to independently identify and contact as many of the affected companies as possible, irrespective of the notifications received from the affected companies and third parties.


What do we recommend now?

Companies should install the security updates immediately if this has not already been done. In addition, they should check whether a data breach has already occurred in their business and, where applicable, determine its scope. The 72-hour deadline has by now probably expired for all affected companies, so that making a timely notification to the supervisory authorities is no longer an option. Whether a late notification of the supervisory authorities would be expedient depends on the specific circumstances of the individual case. Only a comprehensive risk assessment can help decide what action to take to prevent greater damage. If necessary, you should obtain support from experienced data protection experts.

Silvia C. Bauer

Silvia C. Bauer
+49 221 9937 25789