IT-security as a management obligation
As part of its obligation to orderly manage the company (cf. for example Sec. 43 Limited Liability Company Act) the company´s management is responsible for the initial implementation and the continued maintenance of an adequate IT-security within the company especially in order to prevent new risks for the company´s operational reliability.
The following summary of management obligations related to IT-security focuses on IT-security’s legal foundations (I.), explains how IT-security can be initially implemented (II.), that it needs to be subject to recurring analyses (III.) and that there are some limits for IT-security, which must be respected (IV.).
I. IT-security as management obligation
1. No uniform act on IT-security
A uniform act on all aspects of IT-security does not exist. This can be explained with the diversity of objectives connected with the legal aspects of IT-security. Just as one example a comparison of organizational duties on the one side and duties concerning data protection on the other illustrates this further. Organizational duties form an important part of IT-security and are addressed to a company’s management. Technical and organizational measures based on data privacy obligations such as contained in the appendix to Sec. 9 Federal Data Protection Act may also serve IT-security in some way but only insofar as personal data are concerned.
2. IT-security as management obligation
The implementation and maintenance of IT-security is a management obligation. For managers it is mandatory to take care that protective IT-security technology is used in the company, such as firewalls or virus-scanners and to make sure that non-technical measures are undertaken with the objective of preserving the availability, integrity and confidentiality of information within the company. The obligation of a secure organization of the company and of corporate governance comprises furthermore the obligation to avert IT-risks in general from the company, for example through the issue of an IT-guideline concerning the handling of the IT-technology used in the company (e.g. the appropriate use of e-mail and internet and the obligation to encrypt certain e-mail messages) or through the nomination of an IT-security officer. IT-risks in the aforementioned sense are all possibilities of detriment (especially through human misconduct) to the company due to the use of information technology or in connection with it. Examples for such risks are breakdowns of the company network because of an avoidable virus infection due to incorrect handling of the security software or delay-based threat of customer relationships because of the incorrect use of a supply software. The main cause for such IT-risks is incorrect human intervention.
3. Data protection as part of IT-security
As regards information in form of personal data the data protection laws are to be mentioned as part of IT-security law. In this context the safety measures contained in the annex to Section 9 Federal Data Protection Act are of particular relevance. The technical and organizational measures described therein have
- to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used
- to prevent data processing systems from being used without authorization, e.g. by means of encryption, (access control),
- to ensure, e.g. by means of encryption, that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage (access control),
- to ensure, e.g. by means of encryption, that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (transmission control),
- to ensure that it is possible to check and establish whether and by whom personal data have been entered into data processing systems, modified or removed (input control),
- to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal (job control),
- to ensure that personal data are protected from accidental destruction or loss (availability control),
- to ensure that data collected for different purposes can be processed separately.
The appointment of a data protection officer also helps improving IT-security, albeit in form of the protection of personal data. Pursuant to section 4g (1) Federal Data Protection Act the data protection officer works towards the compliance with the FDPA and for this reason is responsible for the implementation of appropriate measures. The control of the correct use of software processing personal data undertaken by the data protection officer has a positive impact upon the integrity of the company’s IT-security because of the prevention of IT-risks. As a consequence of the legal requirement to involve the data protection officer already in software development projects, e.g. projects like the implementation of SAP, a positive effect on the IT-security can already be expected when it comes to configuring the system environment. The same applies to the work of the data protection officer in the framework of the preparation of a risk analysis, a concept of data protection, the control of access concepts and access rights within the company and the involved data processors, such as the technical and organizational measures undertaken by them. The amended Sec. 11 Federal Data Protection Act furthermore contains a list of issues to be covered in data processing agreements such as regarding data security, the use of sub-processors and the measures to be undertaken on the occasion of demigration.
4. Liability in cases of non-compliance
Non-compliance with the IT-security requirements may trigger consequences and sanctions under corporate, civil and public law. According to Sec. 43 (2) Limited Liability Company Act for example the director of a limited liability company is liable for the financial damage caused as a consequence of non-compliance with his organizational obligations (see above). The amount of such claim is not limited. Additional claims against the director might be based on violation of duties under his management agreement or of specific management obligations. Where the non-compliance with IT-security leads to the unlawful transfer of personal data to third parties fines of up to EUR 300.000 or, in cases of intent, imprisonment may result according to Sections 43, 44 Federal Data Protection Act. Some sorts of data breaches additionally require the notification of the data subjects and the competent data protection authorities according to Sec. 42a Federal Data Protection Act.
II. Initial implementation of IT-security
The most important step of achieving an adequate IT security within the company is an initial risk analysis.
1. Starting points
Starting points are always the four most important (internationally accepted) objectives of IT-security namely confidentiality, availability, integrity and verifiability. The risk analysis must not be limited to the information technology used in the company in the form of company computers and the permanently used hard- and software, but has to comprise every sort of electronic utilities such as mobile storage media, mobile phones, handhelds, mobile devices for receiving emails, laptops that are left to the employee to serve the company and not for private use or only within certain limits.
2. Exemplary questions
As part of the risk analysis the following questions may be exemplarily asked:
- Which hardware is used? How is it serviced and how often is it changed or modernized?
- Which software is used (operating system, application software) and which processes exist in order to identify in each case the existing risk potential of the software which is employed (e.g. viruses or well-known weaknesses inherent to the system) and to take appropriate preventive measures?
- Which software users within the company have access, which extern service providers are involved and with which authorizations?
- Where does the relevant data come from and which applications in the company use them?
- How is the integrity of the company’s network secured against attacks from the outside (e.g. via a firewall)?
- How and in which intervals is data backed up, how and after which periods of time is data deleted and how are replaced data carriers disposed of?
- Does an IT-security guideline or comparable employee information exist, e.g. concerning the correct use of e-mail-software, dangers of viruses in e-mail-attachments or risks when surfing the Internet?
3. Outsourcing as specific concern
Finally, the sectors and functions outsourced by the company must not be excluded from the risk analysis. Even if there is insofar as a rule no direct (in well drafted outsourcing contracts via a contractual right to give instructions, however, at least an indirect) way to exert influence, the affected sectors have to be considered in the framework of an integrated risk analysis because of the ultimate responsibility of the company outsourcing the respective functions. In the corresponding risk analysis it has to be examined whether the requirements of IT-security factually exist at the service provider and whether the maintenance and modification are subject to a contractually enforceable claim against the service provider. As a consequence each decision to outsource the hosting and operation of technical services, such as the e-mail hosting, needs to be carefully analyzed. The outcome of such analysis might even be that some services are so important for the company's business that they must not be outsourced at all; in some businesses this might be the case for outsourcing the entire e-mail system as the company’s communicative backbone. Even if a less important function shall be outsourced the responsible manager has to take into account what contractual precautions can be imposed on the carefully chosen outsourcing provider in order to alleviate the corresponding risks for the company (e.g. failure of the outsourced technical systems, security breaches etc.). Such contractual precautions should include arrangements regarding the provider's obligation to implement
- reasonable service levels,
- intrusion protection,
- regular and easy-to-reach data backups,
- business continuity and disaster recovery plans,
- demigration and migration (e.g. in case the provider changes) assistance etc.
Furthermore, the outsourcing contract needs to reflect the company's obligation to check the its IT-security infrastructure in regular intervals. Should the size of the company, its structure or the scope of business change, management must have the possibility to claim a corresponding change of the provider’s services.
4. Scope of analysis
The risk analysis must not exclusively relate to the direct handling and suitability of hard- and software within a company. In the framework of an analysis of the IT-infrastructure it has to be examined as well, if there is a sufficient and secure network infrastructure, a secure infrastructure (buildings, rooms) and the appropriate facility management (protection of buildings with structural measures, access rules relative to engineering and server rooms, protection of offices, key management, air conditioning of engineering rooms and engineering cabinets, protection against water, fire, lightning and excess voltage, protection against power blackout through emergency power supply and against facility disasters).
III. Typical risks and importance of recurring analyses
1. Typical risks
The most frequent exposures for the IT-security in companies are
- the lack of an adequate strategy adapted to the actual needs of the company to generate and maintain the IT-security,
- a configuration and security of IT-systems not adapted to the environment of the company,
- weaknesses of security in the field of internal networks as well as regarding the connection to the Internet,
- the lack of adequate service cycles for central IT-systems,
- the permissive dealing with passwords and other mechanisms of safeguarding the IT-security,
- the deficient protection against burglars and fundamental damages and
- in case of outsourced business units the lack of sufficient rights to exert influence on measures of IT-security adopted by the service provider.
2. Recurring analyses
The mentioned and other typical defaults can only be avoided with the help of an individual risk analysis taking into account the specific requirements of IT-security applicable to the company, its branch of activity, its size, the occurring amount of data etc. Such a risk analysis requires a substantial investment of time, personnel and in case of lacking own competence also of financial resources, if and to the extent third parties have to be contracted for the analysis. The analysis must not be limited to the mere identification of the current security status. The running business must be controlled on a recurring basis, since the potential of dangers and the requirements linked hereto may change daily.
IV. Limits for achieving complete IT-security
1. IT-security as compliance risk
With regard to the fact that high-grade security technology is normally not prohibitively expensive and that the protection of information can be developed to a maximum extent through organizational measures as well as the prevention against IT-risks, there is a conflict with the rights of the addressees of such measures. From this point of view IT-security can turn into a compliance risk.
Taking this facet into account IT-security law is constituted
- by all legal provisions, which require the use of information technology or the implementation of non-technical organizational measures with the objectives of availability, integrity, confidentiality or authenticity of information as well as protection against IT-risks on the one side
- but also by those legal provisions, which limit the complete realization of IT-security within a company.
2. Constitutional limitations
Where IT-security measures are to be taken vis-à-vis employees limitations might result from their fundamental rights. Even though fundamental rights have the primary function to serve as “defense rights“ against the State, doctrine unanimously deduces a protective effect for civil law relationship from them.
The total surveillance of an (or by an) IT-administrator might for example help to optimize IT-security but it constitutes a violation of human dignity and there not permissible as violation of Article 1 of the German Constitution. Also the so-called IT-Fundamental Right constitutes a limitation for the permissibility of IT-security measures. It was developed by the German Constitutional Court in a decision of February 27, 2008 where the Court decided that the General Personality Right (Art. 2 para. 1 and Art. 1 para. 1 of the German Constitution) also comprises the Fundamental Right to Claim the Confidentiality and Integrity of IT systems. The IT-Fundamental Right shall apply if no more specific protection, for example based on data protection law, applies.
3. Data Protection Law as limitation
As already mentioned also data protection law can entail limitations of IT-security measures. This becomes obvious where IT-security measures lead to the massive collection of surveillance data in the form of personal data. The basic principle of data protection law that the collection, processing and use of personal data require a statutory obligation or permission or consent (which is a problematic choice in employment relationships) therefore also requires companies to always check the legality of IT-security measures from a data protection law point of view before actually implementing them. This prior analysis is important in order to avoid the sanctions of up to EUR 300.000 or, in cases of intentional non-compliance, imprisonment provided for in Sections 43, 44 FDPA in the case of unlawful collecting, processing and use of personal data.
4. Limitations by criminal law
Eventually there are some important limitations for IT-security measures contained in the Penal Code. Filtering out certain e-mails for example may be desirable from an IT-security point of view in order to avoid unsolicited e-mails within the company. It can, however, be a criminal act for a company to filter out, block or delete its employees’ private e-mail if the private use of e-mail is generally permitted or at least tolerated within the company. This limitation for IT-security measures is contained in Sec. 206 Penal Code, which protects the secrecy of telecommunications pursuant to Section 88 of the Telecommunications Act as well as the integrity of the telecommunication process as such.