Random Audit of Security Measures by Bavarian Supervisory Authority
Published on 19th Jan 2022
The Bavarian Supervisory Authority (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) has established a new department responsible for audits. As announced in December 2021, the first random audit to be carried out by this new department will focus on appropriate security measures to prevent ransomware attacks. We have prepared an English convenience translation of the checklist used by the BayLDA for this audit. Further random, issue-specific audits shall follow.
Who may be subject to this audit?
The BayLDA has already contacted those companies and institutions that shall be audited. The targets are small and mid-sized companies, smaller hospitals, schools and doctors’ offices. Nevertheless, we recommend that companies compare their IT security measures against the BayLDA’s checklist to determine whether their security measures against ransomware attacks are appropriate.
Was there a specific reason that triggered this ransomware audit by the BayLDA?
Apparently there was no specific incident; however, the BayLDA noted an increased number of ransomware attacks in Bavaria. A general increase in complex cyber-attacks has also been noted by the IT security experts of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). Oftentimes, ransomware attacks qualify as personal data breaches under the GDPR, which may result in notification obligations vis-à-vis the competent Supervisory Authority and the data subjects.
Is there a legal requirement to follow the checklist?
No. The checklist is not binding, so there will be no immediate consequences if companies do not comply with it.
Is there a legal benefit in following the checklist?
The checklist should be understood as best practice. Being able to prove that a company has implemented the IT security measures recommended in the checklist helps demonstrate compliance with articles 24 and 32 GDPR. Thus, the checklist can serve as valuable guidance and a benchmark tool because it lists the basic requirements that the BayLDA deems appropriate to minimize ransomware-related risks. We recommend using it to examine which of the recommended measures have already been implemented and to supplement IT security measures where necessary.
Where can we find the checklist?
The checklist has been published in German only on the BayLDA’s website, together with accompanying information. We have prepared an English convenience translation of the checklist which you can view and download here.