1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity', ‘data protection' and ‘cybercrime' (jointly referred to as ‘cyber')? If so, how are they distinguished or defined?
While the scope of the data protection laws is defined quite clearly, there are no statutory definitions of the terms ‘cybersecurity' and ‘cybercrime' in Switzerland. There is also no specific cybersecurity or cybercrime statute.
Different statutes deal with cybersecurity and cybercrime matters. For example, certain cybersecurity topics are dealt with in the Federal Data Protection Act of 19 June 1992 (FDPA; Article 7 deals with data security and the prevention of unauthorised access to personal data) and in some sector-specific regulations (the regulations for banking institutions require the implementation of technical and organisational measures to prevent or limit operational risks, and cyber incidents are explicitly mentioned).
The Swiss Criminal Code contains many cybercrime-related provisions. There are provisions dealing with specific cyber incidents. Switzerland has also ratified the Convention on Cybercrime of the Council of Europe. However, Switzerland has filed certain declarations with exemptions or limitations to the provisions of the convention. These were necessary to harmonise the requirements of the convention with the existing Swiss provisions on cybercrime.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
The following statutes and regulations are most relevant regarding cyber in Switzerland:
- The FDPA and the ordinance thereto: Article 7 of the FDPA requires data controllers to protect personal data through adequate organisational and technical measures. Article 9 of the Ordinance to the FDPA lists specific measures. The Federal Data Protection and Information Commissioner (FDPIC) issued revised guidelines for the implementation of Article 7 FDPA in 2018. The FDPA is under revision. The revised provisions should enter into force at the end of 2020.
- Swiss Criminal Code: This contains the following provisions:
  - Article 143 on unauthorised obtaining of data that is stored or transmitted electronically or in some similar manner, and which is not intended for the accessing person and has been specially secured to prevent such access;
  - Article 143bis on unauthorised access by means of data transmission equipment to a data processing system that has been specially secured to prevent such access;
  - Article 144bis on damage to data that is stored or transmitted electronically or in some other similar way without approval; and
  - Article 147 on computer fraud.
- Ordinance on the Protection of Federal Information of 4 July 2007: This defines the classification and treatment of information that is collected and processed by federal agencies, including the armed forces.
- Ordinance on IT and Telecommunications in the Federal Administration of 9 December 2011 (available in German, French, and Italian): This contains specific IT security measures and processes.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
There are certain sector and industry-specific security requirements, as follows:
- Swiss Financial Market Supervisory Authority (FINMA) Directive 2008/21 on Operational Risks explicitly mentions in "Principle 4: Technology Infrastructure" the implementation of appropriate IT security measures.
- Article 96, paragraph 2 of the Ordinance to the Federal Act on Telecommunications grants the regulator the right to issue technical and administrative regulations concerning the handling of the security of information and so on.
- Critical infrastructure and national security are subject to the Ordinance on the Protection of Federal Information, Ordinance on IT and Telecommunications in the Federal Administration, and the National Strategy on Critical Infrastructure Protection 2018-2022 (see question 4.1).
In its National Strategy for the Protection of Switzerland against Cyber Risks 2018–2022, issued in April 2018, the Federal Council mentioned "standardisation and regulation" as one of the measures to be taken. Based on its assessments, the Federal Council has identified the following objectives and needs for action:
The growing importance of ICT standardisation and regulation must be taken into account. Binding and verifiable minimum ICT standards are relevant for security and confidence in the digital economy and society, and they must be evaluated in cooperation with the private sector and introduced where appropriate. It should also be examined whether and how an obligation to report cyber incidents should be introduced. The measures take account of the international context, which has a significant influence on them, which is why developments must continue to be monitored. Switzerland therefore contributes its interests and values to the most important processes.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The FDPA and the cantonal data protection laws specifically deal with personal data.
These also apply to health information, as such information relates in many cases to identifiable individuals. It is then qualified as sensitive personal data and is thus subject to enhanced security requirements, as well as a stricter data protection regime. Regarding health information, there are also certain specific statutes – such as the Federal Statute on Research with Human Beings and the regulations regarding clinical trials – which contain provisions on the processing and disclosure of health-related data. Finally, the Federal Statute on the Electronic Patient File and the ordinances thereto also set forth data security requirements.
Financial information often qualifies as personal data. However, financial information is not qualified as sensitive personal data and therefore is not subject to enhanced security requirements. An exemption must be made for financial information collected, processed and stored by financial institutions that are subject to the supervision of FINMA. FINMA has issued guidelines containing specific cybersecurity requirements for financial institutions (see question 1.3(a)).
The Ordinance on the Protection of Federal Information deals with classified information collected, processed and stored by federal agencies (see question 1.2). Classified information of cantonal agencies is dealt with in cantonal laws.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Swiss statutes have a certain extraterritorial effect. However, there must be a noticeable impact on the Swiss market or on individuals and entities in Switzerland. Whether there is such an impact is assessed on a case-by-case basis. Swiss courts have accepted such an extraterritorial reach for the FDPA (see the Google Street View decisions of the Federal Administrative Court (A-7040/2009) and of the Federal Court (BGE 138 II 346)). The revised FDPA will explicitly provide for this limited extraterritorial reach (similar to the extraterritorial reach in Article 3 of the General Data Protection Regulation).
With respect to the above-mentioned provisions of the Criminal Code, Article 3 in connection with Article 7 determines that either the place of action or success must be in Switzerland. This means that criminal conduct abroad may be subject to the Swiss Criminal Code if the place of action or success is in Switzerland.
However, despite the limited extraterritorial reach of Swiss law, there are often enforcement difficulties where alleged infringers are located abroad.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Switzerland has ratified the Convention on Cybercrime of the Council of Europe. Furthermore, Switzerland is a party to bilateral and multilateral judicial assistance treaties, which are intended to foster the enforcement of Swiss cyber laws in an international context and the exchange of information between the different cyber-related Swiss agencies and their counterparts abroad.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
- Article 143 of the Criminal Code (unauthorised obtaining of data): Imprisonment for up to five years or a monetary penalty.
- Article 143bis of the Criminal Code (unauthorised access to data processing system): Imprisonment for up to three years or a monetary penalty.
- Article 144bis of the Criminal Code (damage to data): Imprisonment for up to three years or a monetary penalty. In case of substantial damage, the prison term may be increased to up to five years.
- Article 147 of the Criminal Code (computer fraud): Imprisonment for up to five years or a monetary penalty. If the infringer acts as a professional enterprise, the prison term can be increased to up to 10 years.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The regulatory landscape regarding cyber is quite decentralised. The most important agencies are as follows:
- Federal Data Protection and Information Commissioner (FDPIC): The FDPIC is responsible for the enforcement of the Federal Data Protection Act (FDPA). It has certain investigatory powers. However, the FDPIC cannot impose civil and criminal penalties under the current FDPA; it is only entitled to issue recommendations. If the data controller is not willing to follow the recommendations, the FDPIC (or the data controller) may appeal to the Federal Administrative Court.
- Swiss Financial Market Supervisory Authority: This is responsible for the supervision of financial institutions. It also enforces the guidelines on operational risks. It has broad investigatory and sanction powers. It may issue administrative orders against financial institutions, but also against directors and officers.
- Criminal prosecution offices/criminal courts: These are responsible for the enforcement of the cybercrime provisions in the Criminal Code. The criminal provisions are mainly addressed at, and impose sanctions on, the individuals who are responsible for the criminal conduct (eg, directors and employees). Article 102 of the Criminal Code deals with the corporate criminal liability: "If a felony or misdemeanour is committed in an undertaking in the exercise of commercial activities in accordance with the objects of the undertaking and if it is not possible to attribute this act to any specific natural person due to the inadequate organisation of the undertaking, then the felony or misdemeanour is attributed to the undertaking. In such cases, the undertaking is liable to a fine not exceeding 5 million francs."
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
The following individual data privacy rights are contained in the FDPA:
- access right (Article 8 of the FDPA);
- correction right (Article 5, paragraph 2 of the FDPA);
- blocking right (Article 15 of the FDPA);
- deletion right (Article 15 of the FDPA); and
- disclaimer of objection (Article 15, paragraph 2 of the FDPA).
The data subject may, in particular, request that:
- the data processing be stopped;
- no data be disclosed to third parties; or
- the personal data be corrected or destroyed.
To this end, data subjects can file a complaint with the competent civil court. Data subjects can also claim damages and seek preliminary injunctions. The respondent is generally the data controller (ie, a legal entity).
Data subjects are entitled to monetary damages or compensation. However, it must be assessed in the specific case whether there has been actual financial damage – a requirement for a damages claim; or a sufficient injury of feelings – a requirement for a satisfaction claim. In many cases of breach of the data privacy laws, there will be no actual financial damage. The requirements for a satisfaction claim are rather high.
Depending on the circumstances, affected individuals could also bring actions based on breach of contract (Article 97 of the Code of Obligations) or tort (Article 41 of the Code of Obligations). Breach of contract claims are addressed at the legal entity itself and not directors or employees. Tort claims can also be addressed at directors and employees.
2.3 What defences are available to companies in response to governmental or private enforcement?
There are no specific cyber-related defences. Depending on the nature of the enforcement procedure (civil litigation, criminal procedure, administrative procedure), companies have the following defences:
- Civil litigation: Companies have the right to challenge the claims. The burden of proof is generally on the plaintiff. However, companies will often be forced to prove that they have implemented adequate cybersecurity measures. They can also challenge a potential damage calculation. Companies can appeal negative decisions.
- Criminal procedure: Companies have the right to defend themselves in the criminal procedure. They can appeal negative decisions of the criminal courts.
- Administrative procedures: Companies are party to the administrative procedure and have the right to defend themselves – for example, by proving that they have implemented the necessary cybersecurity measures. They can challenge orders of governmental agencies and ask administrative courts to review the order. Often, companies can appeal a negative decision of the first administrative court.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
There have been few enforcement actions and decisions in Switzerland. The Reporting and Analysis Centre for Information Security (MELANI), to which cyber incidents can be reported on a voluntary basis, is of the opinion that few individuals and entities file criminal complaints in case of cybercrime.
The following cases published by the Federal Data Protection and Information Commissioner (FDPIC) (data breaches) and the Federal Police Office are still worth mentioning:
- At the end of December 2017, Swisscom informed the FDPIC that the contact data of around 800,000 customers had been accessed without authorisation. The FDPIC investigated the case. Since Swisscom had implemented protective measures, limited the damage and informed the affected data subjects, the FDPIC closed the matter without any further action.
- Debt collection company EOS became the victim of a data leak in 2017. Several gigabytes of sensitive patient data were transmitted. EOS informed the FDPIC about the suspected data leak. The FDPIC closed the investigation without any further action because EOS had implemented the necessary security measures.
- An individual received an email from his banking institution – at least, that was his understanding – in which he was informed about a security update. The individual was referred to a website where he entered his password. Shortly thereafter, the individual received a call from an employee of the banking institution and the individual disclosed a security code to the employee. There were more than 100 similar incidents in other cantons. After two years of investigations (in cooperation with different Swiss and foreign prosecution offices), the alleged criminals were arrested in Rotterdam, the Netherlands.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Regarding incidents, see question 3.1. Regarding legislative activity, see question 6.1 below.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
Some best practices are incorporated in guidance issued by the regulatory agencies, as follows:
- With respect to data security, according to the Federal Data Protection Act (FDPA), best practices are incorporated in the Guidance of the Federal Data Protection and Information Commissioner on the Implementation of Article 7 of the FDPA. The guidance focuses on four so-called focal points, describes each of these focal points and recommends measures to reduce security risks. The focal points are ‘data access', ‘data lifecycle', ‘data exchange' and ‘right to information'. Subsections of the ‘data access' focal point include ‘security of premises', ‘server room security', ‘workplace security', ‘identification and authentication', ‘data access by insiders' and ‘data access from outside the organisation'.
- In 2018 the Reporting and Analysis Centre for Information Security (MELANI) published an Information Security Checklist for Small and Medium-Sized Enterprises. The measures are divided into organisational and technical measures.
- In 2018 the Federal Office for National Economic Supply published its Minimum Standard for Improving ICT Resilience (in German). This minimum standard is aimed at operators of critical infrastructure. However, MELANI also recommends these standards to other companies. Section 2 of the standard contains measures for specific constellations, such as supply chain risk management, access control, use of protective technology, security monitoring and detection processes, response and recovery planning.
- On 8 December 2017 the Federal Council issued a new National Strategy on Critical Infrastructure Protection 2018-2022 (available in German, French and Italian). The strategy paper contains a list of critical infrastructure and the responsible agencies. Based on this strategy paper, the Federal Office for Civil Protection published its Guidance on Critical Infrastructure Protection, which explains how to execute a threat and vulnerability analysis.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
See question 4.1.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
The board of directors is exposed to certain risks. According to Article 716a of the Swiss Code of Obligations, the board of directors has the irrevocable and non-delegable duty of overall management of the company, which includes designing an appropriate risk management system covering cybersecurity. There is therefore also a duty under company law to ensure adequate cybersecurity. If the board of directors fails to implement adequate cybersecurity measures and this failure results in damage to the entity, Article 754, paragraph 1 of the Code of Obligations provides that members of the board of directors and all persons involved in the management of the company are liable both to the company and to the individual shareholders and creditors of the company for any damage caused by them through intentional or negligent breach of their duties.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
There are no such special rules.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There is such scope. However, companies are reluctant to report or disclose cyber incidents to industry or other stakeholders, due to the risk of becoming subject to an investigation. Unless there is a statutory reporting duty, companies instead tend to fix the technical or organisational gaps quietly. Some companies additionally make use of the possibility to report incidents to MELANI on a voluntary basis. MELANI has no enforcement powers and does not conduct investigations. It rather provides on-the-spot recommendations to reporting companies and, more importantly, collects and analyses different incident reports to publish incident patterns and security recommendations.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
The current Federal Data Protection Act (FDPA) includes no explicit duty to notify security breaches to the Federal Data Protection and Information Commissioner (FDPIC). However, the FDPIC argues that such a notification duty might arise implicitly from the general data processing principles – in particular, from the requirement to process personal data bona fide and from the transparency principle. The FDPIC recommends that a data breach be notified in case of high risk to the privacy of data subjects. Data subjects should be notified of a data breach in constellations in which notification is important for the implementation of risk minimisation measures by the data subjects (eg, by blocking their credit cards, if credit card data was lost). The cantonal data protection laws provide for mandatory notification duties that apply to public authorities, publicly owned companies and private entities when involved in public services or mandated to carry out public tasks.
Whether reporting duties apply in specific industries must be assessed on a case-by-case basis. For some industries, there are mandatory reporting obligations for specific incidents – for example:
- Article 96, paragraph 1 of the Ordinance to the Federal Act on Telecommunications requires telecommunications service providers to report disruptions in the operation of their networks affecting a relevant number of customers to the regulator.
- Financial institutions under the supervision of the Swiss Financial Market Supervisory Authority (FINMA) must report severe incidents regarding the confidentiality of customer data to FINMA (see Annex 3 to the FINMA Directive 2008/21 on Operational Risks). A ‘severe incident' is defined as an incident relating to the confidentiality of customer data, which is considered a significant leak compared to the total number of accounts/total size of the client portfolio.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
There is currently no central reporting agency. Apart from sector-specific agencies such as those mentioned in question 5.1, the key agencies for cyber incident reports are the FDPIC (in relation to unauthorised accesses to personal data) and the Reporting and Analysis Centre for Information Security (MELANI) (voluntary reporting). Reports can be filed electronically. MELANI has an electronic form on its website.
The case law of the FDPIC requires in certain constellations that affected data subjects be informed of a data breach. There is no statutory obligation to compensate the affected data subjects. However, data subjects are permitted to claim damages in civil litigation. For that purpose, they must prove effective financial damage.
As the current FDPA does not explicitly include a reporting obligation in case of a data breach, there is no timeframe for notification. However, the notification should be filed as soon as the data breach has been detected. The affected company may take some time to internally investigate the breach in order to get a better picture. However, the company should not wait too long, as otherwise the risk reduction function of the notification might be limited.
Notification to the FDPIC is not necessary if there is no risk of harm for the data subjects (eg, because the company implemented countermeasures within due time). If the breached data is encrypted, the data does not qualify as personal data and the FDPA does not apply.
Notifications required by cantonal data protection laws must comply with the requirements according to such laws. They must be made to the cantonal data protection authority and, depending on the seriousness of the threat for the data subjects' rights, involve mandatory notification of the relevant data subjects.
5.3 What steps are companies legally required to take in response to cyber incidents?
Immediately after detecting a data breach, companies must analyse the data breach and take measures to limit or avoid any misappropriation of the data and avoid any further breaches.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
See question 4.3. Officers and directors are responsible for ensuring that the company has implemented adequate cyber incident response measures in order to avoid damage to the company.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
The maintenance of such cyber-incident insurance policies has become quite common in Switzerland in recent years.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The cyber landscape in Switzerland remains quite decentralised. However, there are some centralisation and coordination actions.
The following developments are worth mentioning:
- The National Strategy on Critical Infrastructure Protection 2018-2022 will result in further measures and the development of standards for the protection of critical infrastructure.
- The National Strategy for the Protection of Switzerland Against Cyber Risks (NCS) 2018-2022, issued in April 2018, contains specific measures which might be implemented – at least partly – in the coming months.
- The Federal Council decided to establish a centre of excellence for cybersecurity, the National Centre for Cyber Security. The core of this new centre will be the Reporting and Analysis Centre for Information Security. The centre is still being set up.
- In a report published in December 2019, the Federal Council evaluated different alternatives for a general cyber incident reporting duty. It is contested whether there should be a central notification office or a decentralised reporting system. The aim is to decide on the reporting model and the next legislative steps in mid-2020.
- Parliament is debating the draft Federal Statute on Information Security, which would apply to federal agencies. The statute consolidates existing ordinances dealing with information security matters. However, it also includes responsibilities, processes and provisions promoting the exchange of information between authorities.
- As mentioned, the revised FDPA will likely enter into force at the end of 2020. The aim of the revision is to harmonise the FDPA with the General Data Protection Regulation. With respect to cybersecurity and data security, one of the most important novelties is the introduction of a mandatory reporting duty in case of a data breach (Article 22). The data controller must notify the FDPIC as soon as possible of any data security breach which might result in high risk for the personality or fundamental rights of data subjects. The data controller must notify the data subjects if necessary for their protection or at the request of the FDPIC. There are exemptions from this requirement to notify. The revised FDPA also sets out criminal sanctions in case of the infringement of specific information, notification and diligence duties (Articles 54 and following). Individuals who intentionally infringe their duty to notify data security breaches may, upon complaint, be subject to penalties of up to CHF 250,000. The same penalties may be imposed on individuals who intentionally infringe the data security requirements specified by the Federal Council. The sanctions are addressed at individuals, rather than companies. This increases the legal risks for officers, directors, internal data protection officers and so on.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
The following three issues are the top priorities for companies:
- Distributed denial-of-service (DDoS) attacks are among the most commonly reported cyber incidents. Many Swiss companies are subject to such attacks. The motivation behind such DDoS attacks is mostly political activism, extortion or damage to competitors. Extortion DDoS attacks demand payment of a ransom in the form of cryptocurrencies such as bitcoin or litecoin. Measures against DDoS attacks may be divided into preventive measures and countermeasures. The Reporting and Analysis Centre for Information Security (MELANI) has issued a checklist with measures against DDoS attacks.
- User accounts and therefore data assets are vulnerable because of employees' carelessness with regard to phishing emails. Such emails not only seek to phish for passwords, but may also contain malware, which assists criminals in accessing networks and data assets. In addition to the implementation of firewalls and spam filters, the education and training of employees is one of the most important measures to address this risk. MELANI has issued a Home Office End User Guideline, which also contains guidance on phishing emails, enabling macros and so on.
- In the second half of 2019, the number of ransomware attacks increased, with attackers scanning the Internet in search of VPN servers and open RDP ports and trying to gain access with brute force attacks. The ransomware business model was previously based purely on the concept of data decryption for money. Recently, some attacker groups have exfiltrated data before the encryption attack, in order to increase the pressure on the victim through its partial publication. MELANI has published specific countermeasures against ransomware attacks.