In October 2019, unidentified hackers encrypted a Canadian insurance company’s IT systems and demanded a USD 950,000 ransom in exchange for their decryption. The ransom was paid in bitcoin, some of which a specialist company, Chainalysis, linked to a wallet on Bitfinex, one of the largest cryptocurrency exchanges. The case was brought before a UK court, where the injured Canadian company’s insurer sought a proprietary injunction against Bitfinex (for more information on this case, see the precedent-setting and widely commented judgment in the case of AA v Persons Unknown [2019] EWHC 3556 (Comm)). Some of the assets may be successfully recovered this way. However, the ransom itself is not the crucial issue here: even after the injured party paid it and received the decryption software, it took them almost 10 working days to decrypt some of their devices. For that period, the company’s operations were effectively frozen, unauthorized persons potentially had access to sensitive data (e.g. personal data, trade secrets, technological secrets, valuable know-how, etc.), and the company’s reputation was put to the test.

As e-commerce and new technologies develop, hacking attacks are becoming more commonplace. In 2017, a ransomware attack on the Dutch branch of FedEx cost the company USD 350 million. Some have predicted that by 2021 a ransomware attack will occur every 11 seconds, and that related damages will exceed USD 6 trillion.

There is no doubt that these threats also affect business in Poland. Today, it is fundamental that businesses implement security mechanisms and develop internal procedures to follow in the event of a cyberattack. In some cases, regulatory obligations will also come into play. Below, we discuss the most important of these.

Obligations under national cybersecurity legislation

The Polish legal system does not include a general obligation to notify cybersecurity incidents. Consequently, only some entities are required to notify cyberattacks against them. This issue is regulated by the 2018 Act on the national cybersecurity system, which implements the EU NIS Directive (Directive (EU) 2016/1148). The system focuses on two categories of entities: operators of essential services and digital service providers.

An operator of essential services is defined as an entity operating in essential sectors from the perspective of maintaining state functions. These sectors are listed in detail in Annex 1 to the Act, and include, among others, the energy, transportation, digital infrastructure, banking and health sectors. Operators of essential services include, among others, credit institutions, banks, air carriers, railway infrastructure managers, power companies or entities providing DNS services. Importantly, the Act only applies to entities which operate an organisational unit within the territory of Poland, provided that the authority competent for cybersecurity matters issues an appropriate decision recognizing this entity as an operator of essential services. Such decisions are constitutive in nature, i.e. the statutory obligations of an operator of essential services are not imposed on entities which are not covered by such an administrative decision.

Operators are required, among other things, to implement systems for security management, to notify serious incidents (which may cause a reduction in the quality or the interruption of essential services provided), and to conduct IT security audits. An operator is obliged to notify serious incidents (defined as incidents which cause, or are likely to cause, serious deterioration in the quality of essential services provided, or their interruption) without undue delay, but in no case later than 24 hours after their detection. Notifications should be made to the relevant CSIRT (Computer Security Incident Response Team), which depends on the nature of the operator: CSIRT MoD, CSIRT NASK (Research and Academic Computer Network), or CSIRT GOV.

A digital service provider is an entity operating in Poland and providing one of the digital services specified in the Act:

  • Online marketplaces
  • Cloud computing services
  • Internet search engines

Note that digital service providers are not pre-qualified as such on the basis of a constitutive administrative decision confirming that they are bound by cybersecurity regulations. Therefore, providers should analyse the statutory requirements themselves and assess whether they are subject to the obligations arising from these regulations.

The obligations of digital service providers are less extensive than those of operators of essential services. According to the Act, providers shall take ‘appropriate and proportionate technical and organisational measures as set out in Implementing Regulation 2018/151 to manage the risks to which information systems used to provide digital services are exposed’. Providers should detect, analyse and classify cybersecurity incidents which affect their systems. In the event that they detect any significant incidents (defined as incidents affecting the provision of digital services), providers are obliged to notify the relevant CSIRT within 24 hours.

Failure to comply with certain statutory obligations may result in a fine being imposed on the entity obliged to fulfill them (the amount of such penalties varies between PLN 15,000 and PLN 1,000,000, and depends on the type of obligation and the type of entity concerned). Furthermore, in some cases fines may also be imposed on the appropriate manager of an operator of essential services (a fine of up to 200% of their monthly remuneration).

Obligations related to personal data

From the point of view of personal data protection, it is critical that appropriate technical measures be implemented to protect data and prevent data leakage. If, despite such measures being taken, a data leak occurs, the data controller will be responsible for notifying the President of the UODO (Personal Data Protection Office) and the data subjects affected.

Notification to the supervisory authority should be made without undue delay and no later than 72 hours after a breach is discovered. There is an exception for situations where the controller is able to demonstrate that the breach is unlikely to result in a risk that the rights or freedoms of individuals are infringed.

Notification to the data subject is substantiated by the possibility of minimising the risk of damage to them. The faster they receive information on a leak, the more likely they will be able to take the necessary preventive measures. Together with such a notification, the controller should also provide data subjects with recommendations on how to minimise the potential adverse effects of the data leak.

Specific sectoral and contractual obligations

Additional notification obligations may also result from sector-specific regulations, particular to the nature of the business, as well as the provisions of agreements with clients or contractors. Such an obligation will normally arise if a cyberattack affects an entity’s operational activities to some extent. The regulations usually applicable in such cases are typically aimed at counteracting the effects of such an event, regardless of its nature (the legislature has not provided for specific regulations regarding cyberattacks, and so all types of events with specific effects are relevant). For example, accounting regulations on the reporting of financial events aim to standardize the types of financial information reported; these regulations will apply when an attack affects an entity’s financial situation. Health regulations include notification obligations related to ensuring the safety of manufactured and distributed medicinal products or medical devices. Thus, they would come into play, e.g., if the integrity of the medical devices manufactured was violated as a result of a cyberattack, thus endangering their users. A cyberattack could lead to a medical incident, as defined in the Act on medical devices, such as, among others, a malfunction, defect, deterioration in the characteristics or performance of the device, as well as irregularities in its labelling or usage instructions, which may or may not lead to a patient’s or user’s death or serious injury. In such cases, notification obligations should be taken into account.

Failure to comply with such obligations will justify the imposition of sanctions provided for in specific regulations. For example, failure to report a medical incident caused by a cyberattack may result in a fine, limitation of liberty or imprisonment for up to one year. Therefore, in the event of any cyberattack, it is extremely important to act quickly, according to a predefined plan and taking into account all applicable regulations. Covering up an incident could be far more costly than admitting it openly and taking the appropriate corrective action.