LITS 2021: Swiss Business Protection: Challenges of Digital Enterprises

This year's Lucerne Law & IT Summit (LITS) focused on the future of the Swiss economy with the theme «Swiss Business Protection: Challenges of Digital Enterprises».

Organized by the Chair of Mira Burri in collaboration with Advokatur Fanger, Sidler Information Security and Swiss Business Protection, this year's Lucerne Law & IT Summit (LITS) took place on May 4, 2021. This was dedicated to the future of the Swiss economy with the theme " Swiss Business Protection: Challenges of Digital Enterprises". After the introductory welcome by Mira Burri and moderator Nicole Fritschi, Chris Eckert, criminologist and senior consultant, owner and managing director of econplus GmbH, CEO and partner Swiss Business Protection AG spoke about economic protection in Switzerland. Eckert described Switzerland as a popular target for cyberattacks. Not only criminal organizations are involved, cyberattacks are also economically profitable for states. Eckert reports that cyberattacks can be very dangerous for companies. Nevertheless, he has the impression that economic protection is not sufficiently addressed by the federal government. But it's not just governments that lack sensitivity to the issue. Information security should also be considered a high priority by companies. Eckert describes companies as consisting of infrastructure, people and organization, and information. Special precautions should be taken with regard to processes, technology and people. People in particular are extremely important. Sensitization of employees as well as intensive screening of applicants when filling important positions and contractual safeguards for important key positions are central. Although companies may go bankrupt due to the consequences of cyberattacks, only 20% seek external help. In fact, the open gaps and attack targets are manifold, even in the aftermath of a cyberattack.

Marc Ziegler, CEO and Chairman of the Executive Board Auto AG Group, spoke next about an attack on his company. Ziegler described that Auto AG Group is a company listed on the secondary stock exchange with 460 employees, which makes about 120 million in sales per year. In doing so, he made it clear that such an attack can certainly be characterized by a very high level of professionalism. Continuing operations and restoring the IT infrastructure is therefore very costly in terms of time and personnel. It also has to be considered that some of the infrastructure still has to be cleaned up and replaced, especially to rule out the possibility of another attack. Personally, Marc Ziegler describes a feeling of insecurity and of being "left alone". This is also due to the fact that the police have little experience with cyber attacks and have already made it clear at the beginning that attacks are rarely resolved. Ziegler assumes he runs a company that is usually the focus of cybercrime. Often, these are medium to large SMEs, of which their turnover is known due to their stock market coding. From an after-the-fact perspective, Ziegler recommends a physically separate backup with regular restore tests.

Stephan Walder, Deputy Chief Public Prosecutor, Cybercrime Competence Center, Canton of Zurich then gave a presentation entitled "Cybercrime Quo Vadis? Possibilities and limits of prosecution". The Cybercrime Competence Center has been operational since 2012. It involves very close cooperation - also in terms of space - between technicians, investigators and the public prosecutor's office. The facts of cybercrime are rarely difficult to establish, but it is all the more difficult to identify and locate the perpetrators. The initial situation is often a server trail that must be followed within the confines of the rule of law. Walder describes that it is indeed difficult to solve cybercrimes against private companies. The public prosecutor's office is dependent on the cooperation of the companies, he says, because only they can provide the right data at a proportionate cost for securing evidence. In addition, it is advantageous to be able to keep track of the extortionists for as long as possible and to be in contact with them. To a certain extent, this can run counter to the interests of the companies, which want to recover their content as quickly as possible. Walder advises against paying the extortion sum in any case. Most crimes of this kind are in fact to be qualified as low-risk economic crimes. The perpetrators are correspondingly organized and one is often "blacklisted" and attacked again.

René Hirsiger, Dr. iur., Attorney at Law, Partner Blesi & Papa then presented various labor law challenges facing the digitalized company. In doing so, he covered possible aspects of labor law in great detail and comprehensively. This went from well-known topics such as employee monitoring to less well-known aspects such as Big Data. Central to this, he said, is that economic protection certainly comes into conflict with employment law at a certain point. This area of conflict should be addressed proactively and important points should be set out in the employment contract and regulations, and prudent action should be taken in individual cases.

The last speaker was Thomas Steiner, Dr. iur., LL.M., Senior Advisor, LAUX LAWYERS AG on information security. Steiner noted that the previous speakers had already made clear why information security is central. Yet there is no overarching law that regulates it. An information protection law of the federal government is planned, but this only refers to requirements for public administration. The revised Data Protection Act partially regulates information protection. However, this only applies to data security and data breaches relating to personal data. Otherwise, various standards can be found in special laws, e.g. in the healthcare or banking sectors. In explaining them, Steiner shed light in particular on various reporting obligations. Finally, he described the central measures that should be taken by companies. However, these should always be in proportion to the risk. Nevertheless, the topic should be dealt with at the highest level in the company.

Finally, all participants could ask their questions to the speakers and Reto Fanger and Mira Burri concluded the conference with closing words.

The LITS series of events takes place within the framework of "Further Education" (only available in German) at the Faculty of Law of the University of Lucerne. Its goal is to bring law and information technology (IT) together and to initiate a practice-oriented dialogue between lawyers and IT professionals in order to map current topics as well as future developments at the interface of law and IT.

Contact: Prof. Dr. Mira Burri, mira.burri@unilu.ch