Legal Guide: Obligations in the area of IT security
by RA Robert Niedermeier and Dr. RA Markus Junker
2 Legal obligations in the area of IT security

Robert Niedermeier is a member of the Information Communication Technology (ICT) working group at the law firm Heussen and is mainly concerned with questions at the intersection of law, technology and organization in data protection and IT security. With his international team he has designed the global rollout of homogeneous data protection and IT security structures within the group for banks, insurance companies and international companies, and is developing new models (homogeneous privacy cell, custodian concept) for legally compliant data sharing. As a lecturer in the Privacy in Electronic Marketing programme at the Bavarian Academy of Advertising, he deals with the data protection requirements for advertising via the Internet and for data warehousing. In his capacity as Chairman of the European Institute for Computer Anti-Virus Research (www.eicar.org), he discusses current issues of liability and exposure of IT security managers with the IT security industry.

Created on behalf of SurfControl by

Note: This document provides a general guide. It should therefore not be regarded as legal advice. We make no guarantee and assume no liability for the accuracy or adequacy of the guidelines it contains. We advise companies to seek legal advice before any implementation.

Contents
1. Legal aspects of IT security . . . Page 4
2. What are the risks if the legal obligations to ensure IT security are not met? . . . Page 4
3. What is the legal duty to ensure IT security? . . . Page 10
4. What can I do as a manager? . . . Page 14
5. Summary . . . Page 16
Related links: www.cybercourt.de, www.recht.de, www.internet4jurists.at, www.juris.de, www.jura.uni-sb.de, www.meta-jur.de, www.jura.uni-muenster.de, www.metalaw.de

Relevant laws: European Directive on privacy and electronic communications, Federal Data Protection Act, Telecommunications Act, Civil Code, Criminal Code, Industrial Code, Commercial Code, Copyright Act, Protection of Minors Act

1. Legal aspects of IT security

Companies today still largely understand IT security as a subject for the areas of technology and organization. Only a few professionals among IT managers have recognized that the field of IT security belongs not only to the fields of technology and organization but also to the field of law. The law requires a professional in charge of IT security to know the essential legal rules relevant to his area of responsibility, just as a motorist must know the highway code. Without this knowledge, IT security managers cannot do their job correctly and are bound to remain amateurs of IT security.

2. What are the risks if the legal obligations to ensure IT security are not met?

With the increasing complexity and networking of IT systems, the risk potential grows rapidly. Although spectacular cases have reached the public in the past, the implementation of a complete IT security policy is still not a reality today.

There are very different scenarios of the threats to which a company is exposed in the use of information technology. Whoever opens up Internet access at work to his staff, for example, must expect not only cost implications when the Internet is used for private surfing, but also that the Internet or intranet connection is impacted by increased traffic, or that storage media are affected by increased demand for space (e.g. as a result of spamming or the downloading of large amounts of data).
Conversely, with access to the Internet, viruses, worms, Trojans and other harmful content also gain access to the company's IT infrastructure, which may be significantly affected as a result. By downloading and installing unlicensed software, employees can commit copyright infringements and create a liability for the company and even for its management. Downloading or sending files with extremist, sexist or even pornographic content may significantly disrupt the peace of the workplace. Finally, there is even the risk that business secrets are revealed through uncontrolled e-mail, perhaps because a message is sent unencrypted and read by a third party, or because an employee wishes to reveal specific information. Any event that occurs due to a lack of or inadequate IT security has a significant financial impact on your business, generally with much higher costs than those of a suitable IT security concept. Whoever takes precautions can prevent future incidents or at least reduce them (Return on Security Investment). A complete IT security policy always takes into account, beyond the technical solutions, the organizational measures and in particular the legal aspects of IT security.

2.1 Top ten of the exposure

From the experience of recent years, the following top ten legal consequences can be identified:

a. Damages: Companies and managers who process personal data without regard to the legal requirements are liable for damages for the disadvantages that occur.

b. Fine: Managers who process personal data without appropriate consent of the parties concerned or without a legal basis shall be punished with a fine of up to 250,000 €.

c. Imprisonment or fine: Those in charge who process data in breach of telecommunications secrecy or of the regulations of the Federal Data Protection Act risk a fine or imprisonment.
d. Trade and industry law and competition: Companies that continuously show deficits in the area of IT security in the conduct of their business may be reported to the trade office by competitors and must fear losing their business license for lack of the necessary reliability.

e. Loss of reputation: Companies and leaders that stand out by a lack of professionalism in IT security will be considered a "risk factor" in the industry.

f. Supervisory authorities: Companies and leaders that stand out by processing personal data in a way that is not legally compliant risk being subjected to a review by the data protection inspectorate.

g. Problems of proof: If data relevant as evidence was obtained in violation of legal requirements, it cannot be used in some court proceedings.

h. Insurance: Companies that do not meet their organizational obligations and the benchmark for operational security under Art. 4 of the European Directive on privacy in electronic communications pay at least part of their public liability insurance premium for nothing. For insurance claims in connection with deficiencies in the field of IT security, the insurer will reduce the insurance benefits on account of contributory negligence and, if necessary, raise the insurance premium for future cases. There is also the risk that insurance policies such as Directors & Officers insurance provide no full protection for the board.

i. Copyright infringement: Where music or movie files subject to third-party copyright are found in corporate IT infrastructures, those responsible are liable for damages and injunctive relief, and also under the rules of criminal law. Exculpation is only considered if they can prove that they have implemented structures to monitor such content, such as suitable software.

k. Protection of minors: Companies that employ young people and give them access to the Internet must ensure that access to harmful content is not possible.
In the case of a violation, the manager of the company faces consequences in the form of a fine and criminal prosecution.

2.2 Who is responsible for IT security in the company?

Corporate governance, such as the management or the board, is legally responsible for IT security. They decide whether and which technical and organizational measures are needed. The directors may delegate decision-making rights to employees of the company, especially to senior executives such as the manager or the head of the IT department. These may in turn delegate responsibility within their own area of responsibility, for example to the administrators or other employees of the IT department. In any case, the persons concerned must be carefully selected and monitored, and it must be ensured - for example through training and the provision of the necessary material resources - that they can perform their tasks. The management receives assistance from special officers who monitor IT security, report on it and submit proposals without, however, having their own decision-making powers or reporting lines. This applies to the company's Data Protection Officer, whose appointment is mandatory under the conditions of data protection law, and to the IT security officer, whose appointment is regulated by law only in exceptional cases - for example in telecommunications law or for certain authorities - but is in fact necessary to ensure IT security.

2.3 As the person responsible for IT security, am I standing with one foot in prison?

If an IT-related crime is detected in the area of responsibility of an IT manager, the latter may be held accountable for this offense either personally or as representative of the company. The legal risks in the use of technical means to ensure IT security are diverse and often poorly known.
This applies to unauthorized surveillance measures (such as interference with telecommunications secrecy) or the unauthorized deletion of data (such as unauthorized e-mail filtering). It can therefore only be recommended to accompany the use of surveillance software with the legal department or external consultants. Another risk is the unauthorized disclosure of secret information about the company (business and trade secrets) or about employees (personal data). Management is subject to strict requirements here. Whoever fails (for reasons of cost, for instance) in the duty to implement the necessary security and thereby, for example, allows secret information to reach third parties makes himself liable to prosecution. In practice it rarely comes to a conviction. Often the investigation is dropped against payment of a sum of money. There are also the costs incurred by the proceedings and, where applicable, by searches and seizures in the company.

2.4 Am I liable as the person responsible with my private property?

If the necessary IT security structures have not been implemented or are insufficient, the IT manager risks liability towards the company and third parties, so that he may have to pay with his personal assets for the damage suffered. Unlike in criminal law, the IT manager is liable in civil law for negligence.

Whoever violates the duty of care of an ordinary businessman in commerce acts negligently. What these duties of care entail has already been described above. Whoever grossly negligently fails at security can, by the way, expect that damage he suffers is not compensated at all or not completely. This allows the wrongdoer to raise the defense of contributory negligence, because the damage would have been caused only to a lesser extent. The insurer can refuse to pay if IT security-relevant obligations in the insurance conditions have been violated.

2.5 What other penalties threaten?
Liability with private property only arises for financial losses. In addition, IT managers in management face recall and termination of their employment contracts, or at least a warning. Not to be underestimated are the indirect consequences of an IT security incident. The company may be put to great effort to eliminate the consequences. Where the incident reaches the press or otherwise the public, a loss of image also threatens.

2.6 Who controls compliance with the legal obligations to ensure IT security?

The density of control measures for IT security is generally underestimated. In practice, one first thinks of the works council, if one exists, and of the supervisory authority. In court proceedings concerning IT security, a review of IT security by the court and the opponent with the help of experts threatens. If such an incident affects competition, warnings from competitors also threaten. If it has criminal implications, prosecution threatens. If it is an insurance case, investigations by the insurer threaten, as already mentioned. But IT security checks also take place independently of an IT security incident, for example when banks examine the creditworthiness of a company in the context of a rating, or when investors in general assess the risks of a company. For similar considerations, awarding authorities also include proof of IT security in their tender conditions.

IT managers in listed companies should remember that auditors, in the examination of the financial statements, are required to assess whether the board has taken the measures necessary to establish a monitoring system and whether this system can do its job. Finally, there is the possibility of a review of IT security in businesses by the data protection supervisory authority, and by labor and sector-specific regulators such as professional associations.
3. What is the legal duty to ensure IT security?

Often those who are responsible for IT security are not aware whether, and under which legal standpoint, they are legally obliged to take certain technical and organizational measures to guarantee the safe operation of the corporate IT infrastructure.

3.1 Business administrative law (Wirtschaftsverwaltungsrecht)

Under the principles of trade regulation law, companies are obliged to design their IT infrastructure according to the nature and extent of the business operated, as is necessary for the proper conduct of the operation. This includes the necessary security measures and several organizational obligations to provide for and ensure the proper handling of IT operations. Where certain sectors are subject to specific confidentiality obligations (for example bank, client, patient or telecommunications secrecy), specific standards apply. Under the Telecommunications Act, for example, the operator of telecommunications facilities serving the commercial provision of telecommunications services - which includes offering e-mail and other Internet services to the employees of the enterprise - must take technical precautions or other measures for the telecommunications and data processing systems operated for this purpose. These should include the following: protection of telecommunications secrecy and personal data, protection of the programmable telecommunications and computer systems against unauthorized access, protection against interference leading to significant impairment of telecommunications networks and, finally, protection of telecommunications and computer systems against external attacks and the impact of disasters.

Which measures are appropriate does not derive directly from the law. The protection to be provided depends, as regards the technical and economic effort, on the one hand on the importance of the protected rights and on the other on the state of technological development.
The Regulatory Authority for Telecommunications and Post is supposed to create, in agreement with the Federal Office for Information Security, a catalogue of security requirements for the provision of telecommunications and data processing systems in order to achieve adequate security according to the state of the art and international standards. As the Federal Commissioner for Data Protection has criticized several times, the corresponding catalogue has not yet been submitted. In practice, therefore, one has to fall back on expert advice and professional publications to determine the state of technological development. Evidence of the demands of regulators may be found in the publications of the data protection authorities or of the Federal Office for Information Security (BSI), for instance the IT Baseline Protection Manual.

3.2 Data protection law

A further obligation to ensure IT security follows from data protection law. This obligation is enshrined at the European level in many privacy-related directives and was implemented at the national level in the various data protection laws. German data protection law is regulated in a variety of laws. Thus, a distinction is made between the Federal Data Protection Act, the various state data protection laws and a variety of area-specific data protection laws (such as the Social Code in the field of social affairs and, in the area of the Internet, the Telecommunications Act, the Telecommunications Data Protection Ordinance, the Teleservices Data Protection Act and the Media Services State Treaty).

3.3 European regulations for the design of IT security

The "Directive on privacy and electronic communications" determines that the provider of a publicly available electronic communications service must take appropriate technical and organizational measures to ensure the security of its services, if necessary in conjunction with the operator of the public communications network as regards network security.
These measures must take into account the state of the art and the cost of their implementation to ensure a level of security that is appropriate to the risk.

Similar formulations are found in the individual German data protection laws. In an appendix to the Federal Data Protection Act and in the sector-specific privacy laws, different types of such measures are listed. Thus, under the so-called transmission control, it must be ensured, for example by encryption software and by monitoring software, that personal data cannot be transferred without authorization. Furthermore, under the so-called availability control, it must be ensured that personal data are protected against accidental destruction or loss. Here, for example, filter software that blocks harmful content such as viruses can make a valuable contribution.

3.4 Contractual arrangements

The parties may expressly make IT security the subject of a contractual agreement. This can range from arrangements concerning the encryption of information or the use of virus scanners when sending messages, through to compliance with certain IT security policies, for example in outsourcing projects. The courts have already had to deal with the requirements for contracts for the creation and implementation of IT security (Landgericht Köln, JurPC Web-Dok. 62/2004 - URL: http://www.jurpc.de/rechtspr/20040062.htm). A requirement to create and maintain a secure IT infrastructure can also derive from the unwritten secondary obligations of a contract (duty to protect the contractual partner).
Thus, in the online sector, banks may under certain circumstances be required to take appropriate technical and organizational measures, for example software control mechanisms, to ensure that implausible and obviously erroneous orders and incorrect entries made via the Internet are recognized as such, or that a double sale of an investment portfolio cannot occur when processing securities transactions online (see Oberlandesgericht Nürnberg, JurPC Web-Dok. 85/2003 - URL: http://www.jurpc.de/rechtspr/20030085.htm, and Oberlandesgericht Schleswig, JurPC Web-Dok. 87/2003 - URL: http://www.jurpc.de/rechtspr/20030087.htm). A duty to protect the contractual partner also exists in employment, in the relationship of the employer to the employee in terms of the duty of care. This is particularly important with regard to minors, in the relationship of the employer to the legal guardian of his underage trainee. It must be ensured - most appropriately by suitable software solutions - that e-mails or web pages with harmful content are not made available to them.

3.5 Early warning system under KonTraG

With the Act on Control and Transparency in Business (the so-called KonTraG), which came into force on 05.01.1998, the obligation to create an early warning system was introduced into the internal law of joint stock companies: the board must take appropriate measures to ensure that developments endangering the continued existence of the company are identified early. A lack of IT security can also jeopardize the continued existence of the company. Whether such a risk detection system exists may be examined by the auditors as part of the annual audit. If it was not set up properly and damage occurs, the board faces liability with its private assets. As the Landgericht Berlin also decided in 2002, the violation of the obligation to establish such a system may be an important reason for the extraordinary termination of a board member's employment relationship.
3.6 Rating according to Basel II

Management is ultimately under a contractual and legal obligation to prevent foreseeable financial losses of the company. Such a loss threatens, for example, if the company is not sufficiently prepared for a rating under the proposals of the Basel Committee on Banking Supervision ("Basel II") and does not provide for a secure corporate IT infrastructure. The background is this: in nearly every insolvency of a company, banks are also affected as lenders. Mostly they are left with at least part of their claim, because any existing collateral is often not sufficient to cover the outstanding amounts or the bankruptcy estate is not sufficient to fully satisfy the demand. These losses can jeopardize the solvency of the bank itself. To prevent this, loans must be backed from the outset with a certain percentage of the bank's equity. Under the proposals of Basel II, the amount of equity to be held for an individual loan is no longer determined, as in Basel I, by a standard rate based on the division into certain groups, but by the default risk in the individual case. As a result, the less likely the risk of its insolvency, the better the loan terms a company receives. To assess this risk, banks use credit ratings that allow the company's situation to be reviewed comprehensively. The importance of the IT infrastructure is in turn connected with the fact that IT systems are currently used in all key business processes and therefore form the backbone of the company. In addition to the business risks, IT security-specific risk assessments therefore also flow into the rating.

4. What can I do as a manager?

IT security has a technical, an organizational and a legal column.

4.1 What are the technical options?
One recommendation is to implement, for the protection of the IT security infrastructure, appropriate software which makes it possible, within the legal framework, to scan traffic, to save log files and, if necessary, to filter certain content in e-mails or to block requests to web sites. IT security managers who do not have tools to keep the security of the IT infrastructure under control must face the accusation of a lack of professionalism.

4.2 What are the organizational measures?

Technical measures must be accompanied by a series of organizational measures. Most important is to coordinate the IT security policy, to develop an IT security concept on the basis of that policy and to implement it. Such a project also helps to identify weaknesses within the IT security infrastructure. In preparation for and in addition to it, an IT security audit should be carried out and its success documented with a "seal of approval". In addition to purely civil audits, it makes sense for particularly exposed companies to undergo an audit against military benchmarks. A written IT security concept documents the organization's IT infrastructure and its monitoring. Only in this way is it reliably possible, in a dispute, to use it as (exculpatory) proof of having met the legal requirements for IT security. An essential part of the organizational measures lies in the psychological field. In the implementation of IT security, the awareness of employees for IT security (IT security awareness) and the acceptance of the necessary measures are critical. Where a works council exists, it should be included early on. Without a proper IT security policy, no proper operation of the IT infrastructure is possible, at least in larger firms. As the technical and legal requirements are subject to constant change, the IT security concept must be dynamic and updated at regular intervals.
Where the employer wishes to control the use of e-mail and the World Wide Web by its workers, it is strongly recommended, as part of the implementation of IT security, to introduce an IT use policy in a way that is effective under employment law and to lay down a ban on the private use of the Internet. Compromises are also discouraged, such as permitting private use of the Internet only at specified times, or at least of web-based e-mail services. In order to prevent an established "business practice" from arising, those responsible must not tolerate private use without comment. As a precaution, it should be specified that any withdrawal of the ban on private Internet use must be made in writing. Measures to facilitate the securing of electronic evidence (network forensic services) are also part of the organizational measures. Without usable evidence, a subsequent prosecution is usually futile. In addition to structural investigative measures, one should consider monitoring traffic for suspicious patterns. In addition, crisis papers should be developed, for example for the event that searches and seizures by the prosecution threaten, or for the case that criminal content such as child pornography or pirated material is discovered on a storage device in operation.

4.3 What are the legal options?

The technical and organizational measures must be kept within the legally permitted framework. Therefore, it is strongly recommended that the use of monitoring software be accompanied legally. Otherwise there is the risk of becoming liable to prosecution, for instance by filtering e-mail, on account of data suppression and violation of telecommunications secrecy. The details of the surveillance must also be regulated - where appropriate in consultation with employee representatives - in view of the data protection legislation. As already mentioned, for legal reasons we strongly recommend prohibiting the private use of the Internet in the workplace.
5. Summary

The existence of IT security risks is an objective fact. IT security therefore has top priority. Whoever is responsible for IT security should therefore be informed about the legal requirements and the resulting risks in order to initiate the necessary steps and instruct employees accordingly. In any case, it is recommended to monitor the IT infrastructure with appropriate software tools and at the same time to implement corresponding structures to ensure lawful operation. What matters is the extent to which it is possible to identify existing risks and to minimize them by technical, organizational and legal measures.

RA Robert Niedermeier, Dr. RA Markus Junker, Heussen law firm in Munich