The data leak at Funkwache and Unisecur illustrates the requirements that the Swiss Data Protection Act (DSG), information security and ICT governance place on companies with digital business models. Seven key lessons for management and IT.

Massive Data Breach at Funkwache and Unisecur: Seven Lessons on Data Protection, Information Security and ICT Governance

A data breach does not begin only when data is being misused. It begins the moment it becomes accessible to unauthorised parties. It is precisely this realisation that makes the recently publicised case involving the parking monitoring companies Funkwache AG and Unisecur GmbH a cautionary tale for businesses with digital business models.

According to media reports, databases containing several hundred thousand entries were accessible via the internet for an extended period. The data reportedly included names, addresses, vehicle details, locations, as well as information on criminal proceedings and penalty orders. The Federal Data Protection and Information Commissioner (FDPIC) has announced that it will investigate the matter.

Regardless of the outcome of the investigation in this specific case, the incident serves as a prime example of where the greatest risks of digital business models lie today: less in spectacular hacker attacks and more in organisational weaknesses, a lack of governance and inadequate information security.

Data protection starts with senior management – not with IT

Many companies still view data protection primarily as a legal obligation or as the responsibility of the IT department. This is not enough.

Companies that offer digital services or process personal data bear responsibility for the entire lifecycle of that data – from collection and storage to deletion. Data protection, information security and governance are not separate disciplines, but are interlinked.

Companies whose business models are based on digital processes or platforms, in particular, should therefore view this case not so much as an isolated incident but as an opportunity to critically examine their own organisation.

One of the key lessons concerns the definition of a breach of data security. Under the Data Protection Act, such a breach already exists where personal data is disclosed or made accessible to unauthorised persons; it is not necessary to demonstrate that the data has actually been viewed, copied or misused. In practice, this means a breach must be assumed as soon as unauthorised access cannot reasonably be excluded. The mere exposure of confidential information through an administrative interface that is reachable from the internet without adequate protection may therefore already constitute a breach of data security.

Seven lessons for businesses from the data breach

1. Information security is a legal obligation

This case clearly demonstrates that fundamental security measures are not merely technical recommendations.

Under the Data Protection Act, personal data must be protected by technical and organisational measures appropriate to the risk. These include, amongst other things, access controls, authentication, secure system architectures, and up-to-date vulnerability and patch management. For federal authorities, operators of critical infrastructures and certain companies, sector-specific legislation such as the Information Security Act (ISG) applies in addition; standards such as ISO/IEC 27001 or BSI IT-Grundschutz provide recognised frameworks for implementing and demonstrating these measures.

The much-cited approach of 'security through obscurity', in this context the hope that an unprotected interface will simply never be found, does not meet today's requirements. Services exposed to the internet are indexed by automated scanners within hours of going online, so an unauthenticated administrative interface must be assumed to have been discovered, not merely to be discoverable.

The incident further illustrates that technical and organisational measures must be implemented consistently throughout the entire lifecycle of digital systems. Secure authentication, access management, encryption, software maintenance, vulnerability management, logging, penetration testing and secure system configuration are no longer optional: they are fundamental elements of responsible data governance.

2. Sensitive data requires a particularly high level of protection

It is particularly significant that, according to media reports, information relating to criminal proceedings and penalty orders is also said to have been affected.

Under the Data Protection Act, data on criminal proceedings and sanctions is classified as sensitive personal data (personal data requiring special protection). Consequently, the requirements regarding access control, encryption, logging and organisational controls are significantly heightened.

The more sensitive the data, the higher the requirements for its protection.

3. Outdated systems pose a compliance risk

Another issue concerns the software platform apparently in use, the development and support for which are said to have been discontinued years ago.

Outdated software does not automatically constitute a data protection breach. However, once known security risks are no longer addressed because security updates are permanently unavailable, it becomes difficult to argue that the technical and organisational measures are still appropriate to the risk, as the Data Protection Act requires. This is where a technical debt turns into a legal exposure.

Lifecycle management and regular security updates are therefore just as much a part of compliance today as traditional data protection policies.

4. Data must not be collected indefinitely

The scope of the information stored also raises questions regarding data minimisation.

According to the reports, some data records are said to date back as far as 2001. Whether such a long period of storage was necessary and proportionate in each case will have to be assessed on a case-by-case basis.

However, the Data Protection Act requires adherence to a simple principle: personal data may only be processed and retained for as long as is necessary for the specific purpose.

5. Data protection does not end with outsourcing

The case is particularly interesting because it appears that the same software platform or technical infrastructure was used by several companies.

A common misconception often arises, particularly in relation to cloud solutions, SaaS offerings or outsourced IT services: outsourcing IT does not mean that responsibility for data protection is also outsourced.

Even when using external providers, companies remain responsible for compliance with data protection regulations. This includes, in particular, the careful selection of the service provider, clear contractual arrangements, appropriate technical and organisational measures, and ongoing monitoring of the outsourced services.

You can find out more on our ICT outsourcing page and in our specialist article on ICT outsourcing.

6. Incident response is part of corporate governance

Equally noteworthy is the statement by the FDPIC that, at the time of the media reports, it had apparently not received any notification of the data breach.

Where there is a high risk to the privacy or fundamental rights of data subjects, the Data Protection Act generally requires companies to inform the FDPIC of the data breach as soon as possible.

Whether these conditions were met in this specific case will be the subject of further investigations.

Regardless of this, the case highlights how important effective incident response processes are today. Companies should not wait until a crisis arises to clarify who decides whether there is a reporting obligation and how quickly the relevant procedures must be triggered.

7. Data protection also safeguards reputation and trust

Perhaps the most important lesson, however, lies outside the text of the law.

Even if a technical incident can be resolved quickly, the loss of trust often persists for much longer. Today, customers, business partners and investors assess not only products or services, but increasingly also how professionally data is handled.

Data protection and information security have therefore long since become an integral part of responsible corporate governance and effective risk management.

Key takeaways for management

The case of Funkwache AG and Unisecur GmbH serves as a prime example of how data breaches today are often not caused by highly complex cyberattacks, but by avoidable organisational and technical weaknesses. For companies with digital business models, this points to clear areas for action:

  • Information security is a management responsibility and not solely the remit of IT.
  • Personal data requiring special protection necessitates enhanced technical and organisational safeguards.
  • A data security breach occurs as soon as unauthorised access becomes possible – not only once data misuse has been proven.
  • Outdated software and a lack of lifecycle management can lead to compliance risks.
  • Data minimisation and limited retention periods are key principles of legally compliant data management.
  • ICT outsourcing does not relieve companies of their responsibility for data protection and information security.
  • Clear reporting and incident response processes are now an integral part of effective corporate governance.

Companies that integrate data protection, information security and digital governance at an early stage do more than simply meet legal requirements. They build trust among customers, employees and business partners – thereby strengthening the long-term resilience of their digital business model.

If you have any questions regarding your digital business model, data protection or ICT outsourcing, please do not hesitate to contact us for an initial, no-obligation discussion.

FAQs

  • When does a data breach occur under Swiss data protection law?

    Even the mere possibility that unauthorised third parties may gain access to personal data can constitute a data security breach. It is not necessary for data to have actually been stolen or misused. Companies must therefore implement technical and organisational measures designed to prevent unauthorised access as far as possible. If there is a high risk to the privacy or fundamental rights of the data subjects, there may also be an obligation to report the matter to the Federal Data Protection and Information Commissioner (FDPIC).

  • What technical and organisational measures does Swiss data protection law require?

The Data Protection Act requires appropriate technical and organisational measures (TOM) to ensure the confidentiality, integrity and availability of personal data. These include, in particular, access restrictions based on a structured authorisation concept, authentication, encryption, access logging, regular security updates, penetration tests and data backups. The measures required depend on the risk associated with the specific data processing operation.

  • What responsibility does senior management have for data protection and information security?

    Data protection and information security are management responsibilities. Senior management remains responsible even when IT services or cloud solutions are outsourced to external providers. It must establish appropriate governance structures, regularly assess risks, define responsibilities and ensure that service providers comply with legal and contractual requirements.

  • What data protection requirements apply to ICT outsourcing?

    Even when outsourcing, the company remains responsible under data protection law. Before outsourcing, service providers should be carefully vetted, suitable contracts drawn up and appropriate security measures agreed upon. Particular attention must be paid to international data transfers, access from abroad, and audit and monitoring rights in relation to the service provider.

  • What consequences can a data breach have for businesses?

Data breaches can have far-reaching legal, financial and reputational consequences. In addition to reporting obligations to the FDPIC, organisations face the risk of regulatory investigations, criminal fines under the Data Protection Act (which are directed primarily at the responsible individuals rather than at the company), civil claims from data subjects, and significant reputational damage. Particularly in the case of digital business models, it is clear that information security and data protection are essential components of good corporate governance and sustainable risk management.


Obergrundstrasse 70
CH-6003 Luzern
