
Legal Guide: Legal obligations in the area of IT security

by RA Robert Niedermeier and Dr. RA Markus Junker


Robert Niedermeier is a member of the Information and Communication Technology (ICT) working group at the law firm Heussen and mainly deals with questions of law, technology and organization in the fields of data protection and IT security. With his international team he has designed the global rollout of homogeneous data protection and IT security structures for banks, insurance companies and international groups, and is developing new models (homogeneous privacy cell / custodian concept) for legally compliant data sharing. As a lecturer in the Privacy in Electronic Marketing programme at the Bavarian Academy of Advertising, he deals with the data protection requirements for Internet advertising and data warehousing. In his capacity as Chairman of the European Institute for Computer Anti-Virus Research (www.eicar.org), he discusses current questions of liability and exposure of IT security managers with the IT security industry.
Created on behalf of SurfControl.
Note: This document provides a general guide. It should therefore not be regarded as legal advice. We make no guarantee and assume no liability for the accuracy or adequacy of the guidelines it contains. We advise companies to seek legal advice before any implementation.
Contents
1. Legal aspects of IT security
2. What are the risks if the legal obligations to ensure IT security are not met?
3. What is the legal duty to ensure IT security?
4. What can I do as a manager?
5. Summary

Related links:
www.cybercourt.de, www.recht.de, www.internet4jurists.at, www.juris.de, www.jura.uni-sb.de, www.meta-jur.de, www.jura.uni-muenster.de, www.metalaw.de

Relevant laws:
European Directive on Privacy and Electronic Communications, Federal Data Protection Act, Telecommunications Act, Civil Code, Criminal Code, Trade Regulation Act (Gewerbeordnung), Commercial Code, Copyright Act, Youth Protection Act

1. Legal aspects of IT security
Companies today still largely regard IT security as a matter of technology and organization. Only a few IT managers have recognized that, besides technology and organization, IT security is also a matter of law. The law requires a professional in charge of IT security to know the essential legal rules governing his area of responsibility, just as a motorist must know the highway code. Without this knowledge, IT security managers cannot do their job properly and remain amateurs of IT security.

2. What are the risks if the legal obligations to ensure IT security are not met?
With the increasing complexity and networking of IT systems, the risk potential rises rapidly. Although spectacular cases have reached the public in the past, the implementation of a complete IT security concept is still not a reality today.
The threats a company faces when using information technology take very different forms. Whoever gives staff Internet access at work must expect not only the cost implications that arise when the Internet is used for private surfing, when the Internet or intranet connection is slowed by increased traffic, or when storage media are affected by increased demand for space (for example as a result of spam or the downloading of large amounts of data). Conversely, Internet access also gives viruses, worms, Trojans and other harmful content a way into the company's IT infrastructure, which may be significantly affected. Employees who download and install unlicensed software commit copyright infringement and create liability for the company and even for its management. Downloading or sending files with extremist, sexist or even pornographic content can seriously disrupt industrial peace. Finally, there is the risk that business secrets are revealed through uncontrolled e-mail, perhaps because a message is sent unencrypted and a third party reads it, or because an employee deliberately discloses specific information. Any incident that occurs because of missing or inadequate IT security has a significant financial impact on the business, generally far exceeding the cost of a suitable IT security concept. Taking precautions prevents future incidents or at least reduces them (return on security investment). A complete IT security concept always takes into account, beyond the technical solutions, the organizational measures and in particular the legal aspects of IT security.

2.1 Top ten exposures
Experience of recent years reveals the following top ten legal consequences:
a. Damages
Companies and managers who process personal data without regard to the legal requirements are liable for damages for the resulting losses.
b. Fine
Managers who process personal data without the consent of the data subjects and without a legal basis face a fine of up to €250,000.
c. Imprisonment or fine
Those responsible who process data in breach of telecommunications secrecy or of the provisions of the Federal Data Protection Act risk a fine or imprisonment.
d. Trade regulation and competition law
Companies whose business conduct continually reveals deficits in IT security may be reported to the trade office by competitors and, for lack of the necessary reliability, must fear losing their business licence.
e. Loss of reputation
Companies and managers who stand out through a lack of professionalism in IT security are regarded in the industry as a "risk factor".
f. Supervisory authorities
Companies and managers who stand out through non-compliant processing of personal data risk an audit by the data protection supervisory authority.
g. Problems of proof
If evidence-relevant data has been obtained in violation of legal requirements, it may not be usable in some court proceedings.
h. Insurance
Companies that do not meet their organizational obligations and the benchmark for operational security under Art. 4 of the European Directive on Privacy and Electronic Communications pay at least part of their liability insurance premium for nothing. For insurance claims connected with deficiencies in IT security, the insurer will reduce its benefits on grounds of contributory negligence and, where appropriate, raise the premium for future cases. There is also the risk that insurance such as Directors & Officers insurance will not give the Board full protection.
i. Copyright infringement
If music or film files subject to third-party copyright turn up in the corporate IT infrastructure, those responsible are liable for damages and injunctive relief, and under criminal law. Exculpation is possible only if those charged can prove that they have implemented structures, such as suitable software, to monitor for such content.
k. Minors
Companies that employ young people and give them Internet access must ensure that access to harmful content is not possible. In the event of a violation, the company's manager faces a fine and criminal prosecution.

2.2 Who is responsible for IT security in the company?
Legal responsibility for IT security lies with corporate management, i.e. the managing directors or the Board. They decide whether and which technical and organizational measures are needed. The directors may delegate decision-making powers to employees of the company, in particular to senior executives such as the IT manager or the head of the IT department, who in turn may delegate responsibility within their own area, for example to administrators or other staff of the IT department. In any case, the persons concerned must be carefully selected and supervised, and it must be ensured, for example through training and the provision of the necessary material resources, that they can perform their tasks. Management is assisted by specially appointed officers who monitor IT security, report on it and submit proposals without, however, having decision-making powers or authority to issue instructions of their own. This applies to the company Data Protection Officer, whose appointment is mandatory under the conditions of data protection law, and to an IT Security Officer, whose appointment is required by law only in exceptional cases (for example under telecommunications law or for certain authorities) but is in practice advisable to ensure IT security.

2.3 As the person responsible for IT security, am I standing with one foot in prison?
If an IT-related crime is detected in the area of responsibility of an IT manager, the latter may be held accountable for the offence either personally or as the company's representative. The legal risks of using technical means to ensure IT security are diverse and often poorly known. This applies to unauthorized surveillance measures (such as interference with telecommunications secrecy) and to the unauthorized deletion of data (such as unauthorized e-mail filtering). It can therefore only be recommended that the deployment of surveillance software be accompanied by the legal department or external consultants. Another risk is the unauthorized disclosure of secret information about the company (business and trade secrets) or about employees (personal data). Management is subject to strict requirements here. Anyone who (for instance for cost reasons) fails in the duty to implement the necessary security measures and thereby allows secret information to reach third parties makes himself liable to prosecution. In practice this rarely ends in a conviction; investigations are often discontinued against payment of a sum of money. Nevertheless, there remain the costs of the proceedings and, where applicable, of searches and seizures at the company.

2.4 As the person responsible, am I liable with my private assets?
If the necessary IT security structures have not been implemented, or are insufficient, the IT manager risks liability both of the company and of himself personally, so that he may, where appropriate, have to pay for the damage suffered out of his personal assets. Unlike under criminal law, the IT manager is liable in civil law for simple negligence. Negligence means breaching the duty of care expected of a prudent businessperson; the duties of care concerned have already been described above. Whoever is grossly negligent about security must also expect that damage he himself suffers will not be compensated, or not in full: the wrongdoer can raise the defence of contributory negligence, arguing that the damage would otherwise have occurred only to a lesser extent. The insurer can refuse to pay if IT-security-related obligations set out in the insurance conditions have been violated.

2.5 What other sanctions are there?
Liability with private assets applies only to financial losses. In addition, IT managers in management positions face removal from office and termination of their employment contracts, or at least a warning. The indirect consequences of an IT security incident should not be underestimated either. The company may have to make considerable efforts to eliminate the consequences, and if the incident reaches the press or otherwise becomes public, it also faces damage to its image.

2.6 Who monitors compliance with the legal obligations to ensure IT security?
The density of controls on IT security is generally underestimated. In practice one first thinks of the works council, where one exists, and of the supervisory authority. In court proceedings involving IT security claims, there is the threat of a review of IT security by the court and by the opposing party with the help of experts. If such an incident concerns a company in a competitive market, it also faces warning letters from competitors. If it has criminal implications, prosecution threatens. If it is an insurance case, the insurer's investigations already mentioned follow. But IT security is also checked independently of any IT security incident, for instance when banks examine a company's creditworthiness in the context of a rating, or when investors in general assess a company's risks. For similar reasons, contracting authorities include proof of IT security in their tender conditions.
IT managers in listed companies should bear in mind that auditors, when examining the financial statements, are required to assess whether the Board has taken the measures necessary to establish a monitoring system and whether this system can fulfil its purpose. Finally, there is the possibility of a review of IT security by the data protection supervisory authority, the labour inspectorate and sector-specific regulators such as the professional associations.

3. What is the legal duty to ensure IT security?
Those responsible for IT security are often not aware whether, and on what legal basis, they are obliged to take certain technical and organizational measures to guarantee the safe operation of the corporate IT infrastructure.

3.1 Commercial administrative law
Under the principles of trade regulation law, companies are obliged to design their IT infrastructure according to the nature and extent of the business operated, as required for the proper conduct of that business. This includes the necessary security measures and several organizational obligations to provide for and ensure the proper handling of IT operations. Where certain sectors are subject to specific confidentiality obligations (for example bank, client, patient or telecommunications secrecy), specific standards apply. Under the Telecommunications Act, for example, the operator of telecommunications facilities used for the commercial provision of telecommunications services, which includes the offering of e-mail and other Internet services to the employees of the enterprise, must take technical precautions or other measures for the telecommunications and data processing systems operated for this purpose. These must provide for: protection of telecommunications secrecy and of personal data, protection of the programmable telecommunications and computer systems against unauthorized access, protection against interference leading to significant impairment of telecommunications networks and, finally, protection of telecommunications and computer systems against external attacks and the effects of disasters.
Which measures are appropriate does not follow directly from the law. The protection to be provided depends on the one hand on the technical and economic effort in relation to the importance of the rights protected, and on the other hand on the state of the art. The Regulatory Authority for Telecommunications and Post, in agreement with the Federal Office for Information Security, was to draw up a catalogue of security requirements for the provision of telecommunications and data processing systems in order to achieve an adequate security level that meets the state of the art and international standards. As the Federal Commissioner for Data Protection has criticized several times, this catalogue has not been submitted. In practice, therefore, one must fall back on expert advice and professional publications to determine the state of the art. Evidence of the regulators' expectations can be found in publications of the data protection authorities or of the Federal Office for Information Security (BSI), such as the IT Baseline Protection Manual.

3.2 Data protection law
A further obligation to ensure IT security arises from data protection law. At European level it is enshrined in several data protection directives and was implemented at national level in the various data protection laws. German data protection law is spread over a variety of statutes: the Federal Data Protection Act, the various state data protection laws and a range of sector-specific data protection laws (such as the Social Code in the social sector and, in the Internet sector, the Telecommunications Act, the Telecommunications Data Protection Ordinance, the Teleservices Data Protection Act and the Media Services State Treaty).

3.3 European rules for the design of IT security
The Directive on Privacy and Electronic Communications, for instance, stipulates that the provider of a publicly available electronic communications service must take appropriate technical and organizational measures to safeguard the security of its services, if necessary in conjunction with the operator of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures must ensure a level of security appropriate to the risk.
Similar formulations are found in the individual German data protection laws. The annex to the Federal Data Protection Act and the sector-specific data protection laws list various types of such measures. Under so-called transfer control, for example, it must be ensured, for instance by encryption software and by monitoring software, that personal data cannot be transferred without authorization. Under so-called availability control, it must be ensured that personal data are protected against accidental destruction or loss. Here, for example, filter software that blocks harmful content such as viruses can make a valuable contribution.

3.4 Contractual arrangements
The parties may expressly make IT security the subject of a contractual agreement. This can range from arrangements concerning the encryption of information or the use of virus scanners when sending messages, to compliance with certain IT security policies, for instance in outsourcing projects. The courts have already had to deal with the requirements for contracts on the creation and implementation of IT security (Landgericht Köln, JurPC Web-Dok. 62/2004, http://www.jurpc.de/rechtspr/20040062.htm). A requirement to create and maintain a secure IT infrastructure can also derive from unwritten secondary obligations of a contract (duty to protect the contracting partner). Thus banks operating in the online sector may be required to take appropriate technical and organizational measures, for example software control mechanisms, to ensure that implausible and obviously erroneous orders and incorrect entries submitted over the Internet are recognized as such, or that a securities portfolio cannot be sold twice when securities transactions are processed online (see Oberlandesgericht Nürnberg, JurPC Web-Dok. 85/2003, http://www.jurpc.de/rechtspr/20030085.htm, and Oberlandesgericht Schleswig, JurPC Web-Dok. 87/2003, http://www.jurpc.de/rechtspr/20030087.htm). A duty to protect the contracting partner also exists in employment, as the employer's duty of care towards the employee. This is particularly important with regard to minors, where the employer stands in the position of a legal guardian towards his underage apprentice. It must be ensured, most appropriately by suitable software solutions, that such employees are not given access to e-mails or web pages with harmful content.

3.5 Early warning system under the KonTraG
The Act on Control and Transparency in Business (KonTraG), which came into force on 05.01.1998, introduced into the law governing stock corporations an obligation to set up an early warning system: the Board must take appropriate measures to ensure that developments endangering the continued existence of the company are identified early. A lack of IT security can be among the developments that endanger the company's existence. Whether such a risk detection system exists may have to be checked by the auditors as part of the audit of the annual accounts. If it was not set up properly and damage occurs, the Board faces liability with its private assets. As the Landgericht Berlin also ruled in 2002, a violation of the obligation to establish such a system can be good cause for the extraordinary termination of a board member's service contract.

3.6 Rating under Basel II
Management is ultimately obliged, by contract and by law, to prevent foreseeable financial losses to the company. Such a loss threatens, for example, if the company is not adequately prepared for a rating under the proposals of the Basel Committee on Banking Supervision ("Basel II") and cannot demonstrate a secure corporate IT infrastructure. The background is as follows: in nearly every corporate insolvency, banks are also affected as lenders. In most cases they are left with at least part of their claim, because any collateral is often insufficient to cover the outstanding amounts or the bankruptcy estate is not sufficient to satisfy the claims in full. Such losses can jeopardize the solvency of the bank itself. To prevent this, loans must be backed from the outset by a certain percentage of the bank's equity. Under the Basel II proposals, the amount of equity to be held for an individual loan is no longer determined, as under Basel I, by a standard rate for certain categories of borrower, but by the default risk in the individual case. As a result, the lower a company's risk of insolvency, the better the loan terms it receives. To assess this risk, banks use credit ratings that review the company's situation comprehensively. The importance of the IT infrastructure stems from the fact that IT systems are now used in all key business processes and therefore form the backbone of the company. In addition to business risks, IT-security-specific risk assessments therefore flow into the rating.

4. What can I do as a manager?
IT security rests on a technical, an organizational and a legal pillar.

4.1 What are the technical options?
One recommendation is to protect the IT infrastructure with suitable software that makes it possible, within the legal framework, to scan traffic, store log files and, where necessary, filter certain content in e-mails or block requests to certain websites. IT security managers who have no tools to keep the security of the IT infrastructure under control must face the accusation of a lack of professionalism.

4.2 What are the organizational measures?
Technical measures must be accompanied by a series of organizational measures. Most important is to coordinate IT security, to develop an IT security concept on the basis of an IT security policy, and to implement it. Such a project also helps to identify weaknesses in the IT security infrastructure. In preparation for it, and in addition to it, an IT security audit can be carried out and its success documented with a "seal of approval". Beyond purely civil audits, it also makes sense for particularly exposed companies to undergo an audit against military benchmarks. A written IT security concept documents the organization's IT infrastructure and its monitoring. Only in this way is it reliably possible, in a dispute, to provide (exculpatory) proof of having met the legal requirements for IT security. An essential part of the organizational measures lies in the psychological field. When implementing the IT security concept, employees' awareness of IT security (IT security awareness) and their acceptance of the necessary measures are critical. Where a works council exists, it should be involved early on. Without a proper IT security concept, proper operation of the IT infrastructure is not possible, at least in larger firms. As the technical and legal requirements are subject to constant change, the IT security concept must be dynamic and updated at regular intervals.
If the employer wishes to control its employees' use of e-mail and the World Wide Web, it is strongly recommended, as part of implementing the IT security concept, to introduce an IT usage policy in a manner that is effective under employment law and to lay down a ban on private use of the Internet. Compromises, such as permitting private use of the Internet only at specified times, or at least permitting web-based e-mail services, are also discouraged. To prevent a "company practice" (betriebliche Übung) from arising, those responsible must not tolerate private use without comment. As a precaution, it should be stipulated that the ban on private Internet use may only be lifted in writing. The organizational measures further include facilitating the securing of electronic evidence (network forensic services): without usable evidence, subsequent prosecution is usually futile. In addition to structural investigative measures, consideration should be given to monitoring traffic for suspicious patterns. Crisis papers should also be prepared, for instance for the event that searches and seizures by the prosecution threaten, or that criminal content such as child pornography or pirated material is discovered on a storage device in the company.

4.3 What are the legal options?
The technical and organizational measures must be kept within the legally permitted framework. It is therefore strongly recommended that the use of monitoring software be accompanied by legal advice. Otherwise there is a risk of criminal liability, for instance through e-mail filtering, on grounds of data suppression and violation of telecommunications secrecy. The details of monitoring must also be regulated with regard to data protection legislation, where appropriate in consultation with the employee representatives. As already mentioned, for legal reasons we strongly recommend prohibiting private use of the Internet in the company.

5. Summary
IT security risks objectively exist. IT security is therefore a top priority. Those responsible for IT security should therefore be informed about the legal requirements and the resulting risks, initiate the necessary steps and instruct their employees accordingly. In any case, it is recommended to monitor the IT infrastructure with suitable software tools and at the same time to implement corresponding structures to ensure lawful operation. What matters is the extent to which existing risks can be identified and minimized through technical, organizational and legal measures.

RA Robert Niedermeier, Dr. RA Markus Junker, Heussen law firm, Munich
