Cybercrime poses a real and serious threat to every company. Even though IT specialists are successfully implementing security measures to reduce the overall vulnerability of IT systems (operating systems in particular are now less prone to successful hacking attempts than in previous years) and hacking is getting more difficult, cyber-attacks against IT systems keep increasing.

Increased awareness

Not only is the danger of being attacked increasing; the awareness of victims whose data has been hacked is much higher now than it was even just a few years ago. Companies are more aware that, due to the extended use of IT systems in all types of business processes and decisions, the potential damage from a breach of IT security is enormous. Because of increased data protection awareness, attacks on the security or integrity of sensitive client and customer data stored on company servers thus also pose a threat.

Claims against the company

Clearly, the hackers should be the primary target of damage claims and criminal proceedings. But hackers almost never get caught. So companies must be aware that being the victim of a cybercrime attack means that third parties may raise claims against the hacked company. This means that being hacked usually results not only in serious image problems but also in damage claims against the company. The more sensitive the third-party data the company is storing or processing, the higher the risk of being exposed to such damage claims.

Protection from claims

Companies cannot protect against such claims by focusing only on the core aspects of IT security. Instead, an integrated security concept for IT compliance must be developed, implemented and – most importantly – observed in day-to-day business. There are two sides of IT compliance in this respect. First, IT systems can and should be used to support compliance systems throughout the company. Second, IT systems themselves need to be compliant. This is the only way to actually reduce the risk of being open to damage claims if the company has been hacked.

Austrian legislation

Austrian legislation does not regulate IT security in detail. Section 347 Commercial Code (Unternehmensgesetzbuch) sets the general level of diligence an entrepreneur must observe. Section 84 Companies Act (Aktiengesetz) is the corresponding provision for CEOs of stock corporations. Section 22 Limited Liability Companies Act (GmbH-Gesetz) stipulates that a company must implement an internal accounting and controlling system suitable for the purposes of that company. As the stipulations do not give any practical guidelines for setting up compliant IT systems or defining security measures, international standards such as COBIT (Control Objectives for Information and Related Technology), ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements) and SAS 70 (Statement on Auditing Standards – Service Organizations) are usually used to determine the requirements for IT security. A company can reduce its exposure to damage claims from faults in IT compliance only by integrating these (or comparable) technical standards to the extent necessary into its legal framework.

This article was originally published in the schoenherr roadmap`12.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.