
Contract design for IT security services in Germany

IT security is – quite rightly – the dominant topic today and plays an ever greater role in everyday business. What is still somewhat out of focus is the question of how to deal with it when companies engage external service providers to secure their systems.

This article provides a clear overview of what should be considered when drafting a contract for an IT security service in Germany in order to protect both parties – provider and customer.

IT security as a service?

Now that IT security is not only on everyone’s lips but money is also increasingly being spent on it, numerous offers are naturally emerging. But just because you know technology (or think you know technology) does not mean that such an offer is a sure-fire success.

IT people tend to see only the technical side of things; legal issues are dismissed as annoying extras. If they are considered at all, a sample contract of just a few lines is thought to suffice, preferably copied free of charge from the Internet. And while the topic of data protection is still reasonably present on the radar in IT, the really important questions, first and foremost those of one’s own obligations and liability, are then completely lost.

This article deals solely with contracts for IT security consulting services and the installation of corresponding products (“IT security service”). There is a separate article on the topic of penetration test contracts in the German-language blog.

Contractual issues for IT security services

Without providing a sample contract for an IT security service, and even though the individual case always plays a role, there are some general tips, even if they sometimes seem quite trivial.

The area of IT security is always associated with consulting, even if you (supposedly) only sell products, because the sale of products can trigger (pre-contractual) consulting obligations. Things get complicated at the latest when not only the simple sale but also the installation or integration into a specific environment is agreed. In that case it must also be considered that the hardware sold must not only fit but must also be usable in the long term; the existing case law on the non-existent obligation to provide information on existing security gaps is not applicable in this scenario.

Clear definition of the scope of services

The services to be provided by the IT security service provider must be described in detail in the contract. It is important that the description of IT security measures such as firewall configuration, monitoring, support and maintenance is precisely defined. This also includes additional services such as deep packet inspection, stateful packet inspection and network security monitoring. A detailed service description helps to avoid discrepancies later on and ensures that the services provided meet expectations. At the same time, this lays the foundation for the question of what type of contract should ultimately be concluded.

Definition of quality and safety standards

It is strongly recommended to agree on specific security standards and quality requirements that must be met during the term of the contract. Certain certifications or standards such as ISO/IEC 27001 can of course serve as a reference. In addition, regular reviews and audits should be carried out to ensure compliance with these standards. In my view, the abstract requirements of Section 30 of the NIS2 Implementation Act will provide an absolute guideline to follow. You can find explanations of the law implementing NIS2 in Germany in the German-language blog.

Duties to cooperate and responsibilities

As a rule, the client must fulfill certain obligations to cooperate so that the service provider can perform its tasks effectively. This includes the timely provision of the necessary information and infrastructure. At the same time, it must be clearly regulated what measures the service provider will take in the event of security incidents and what steps will be taken to rectify the problem. It must be clear to all parties involved that a lack of cooperation not only plays a role within the scope of the contract, but can also lead to contributory negligence on the part of the customer in the event of a security incident, with the result that compensation payments must be made on a pro rata basis in the internal relationship.

Liability and warranty

Do not think of liability as limited to the actual service! If an IT security package is offered that is inadequate and is ultimately (partly) responsible for a security incident, then liability will extend in all directions. A contract for IT security services should precisely define the extent to which the provider is liable for damages caused by security gaps or other service problems. Care should be taken to draw a clear distinction between services that are owed and those that are not, so that obligations do not arise unnoticed that could lead to liability in the event of a security incident.

Liability is often limited in general terms and conditions to intent and gross negligence. Specific assurances should also be given regarding the absence of malware and other harmful programs in the services provided. Please also note the detailed information on liability below.

Contract term and termination rights

The contract term should be clearly defined, with details of the start and end dates and the conditions under which the contract can be extended or terminated. The provisions on ordinary and extraordinary termination rights must be explicit in order to give both parties clarity about their options.

Data protection and confidentiality

As IT security service providers often have access to sensitive data, data protection agreements and confidentiality obligations must be an integral part of the contract. Compliance with the GDPR and other relevant data protection laws is essential here.

Attention: Liability!

IT professionals must learn to think about the issue of liability, and in a different scenario than before: on the one hand, consultant liability has high hurdles; on the other hand, it can be incredibly pervasive. Cybersecurity in particular carries the risk that a supposedly minor error can quickly “eat away” and lead to massive damage.

The first step is already decisive here: it is conceivable that a contract for an IT security service will be classified as a contract for work even if it is expressly described as a service contract and invoiced on the basis of time. Ultimately, it will have to be examined on a case-by-case basis whether it is an agency contract, a contract for work, a service contract or a mixed-type contract.

But it goes even further: given the growing body of case law, one will generally have to assume a (consulting) contract with protective effect in favor of third parties (see e.g. BGH, IX ZR 56/22; OLG Düsseldorf, I-2 U 78/13). Therefore, even if advice is given only to a board member, this may nevertheless result in a duty towards the company as a whole.

IT security consulting and liability

IT security services: When advice becomes expensive …

IT consultants are responsible for ensuring that their IT security services comply with the contractual agreements and with general professional standards. If the consultant breaches these obligations, they can be held liable, especially if damage results. First of all, this means that IT consultants working under a service or work contract must provide the contractually agreed services carefully and in accordance with recognized professional standards.

An IT security consultancy agreement will – by the way, analogous to a management consultancy agreement (see Müller-Feldhammer in NJW 2008, 1777) – regularly be a mixed contract for work and services. It is legally divided into a preparatory analysis phase and a subsequent implementation phase. Poor performance, e.g. incorrect or inadequate advice that leads to damage for the client, can trigger claims for damages in accordance with Sections 280, 281 BGB. In addition to this contractual liability, tortious liability pursuant to Section 823 BGB may also arise if the client’s legal interests, such as his property or assets, are damaged as a result of the incorrect advice.

Liability for the breach of cardinal obligations is likely to be of particular relevance: cardinal obligations are essential contractual obligations, the fulfillment of which makes the proper execution of the contract possible in the first place and on the observance of which the contractual partner regularly relies and may rely. The breach of such obligations can lead to liability even if limitations of liability have been agreed in the contract.

Regardless of whether one assumes more far-reaching contractual obligations (in which case the quality of what is delivered matters) or mainly a service (in which case one ends up sooner or later with Section 280 I BGB), the requirements of the NIS2 Implementation Act will play a significant role.

In particular, Section 30 II of the Act will be the standard against which IT security consulting must be measured. In addition, there are requirements for certificates for the hardware used, and Section 30 VI in particular must be observed: by statutory order in accordance with Section 58 III, (particularly) important institutions may only use certain ICT products, ICT services and ICT processes if these hold cyber security certification under European schemes pursuant to Article 49 of Regulation (EU) 2019/881. A defective (consulting) service in this area will then also lead to liability for damages with regard to subsequent security incidents. In this respect, it is already foreseeable that disputes will be less about the “whether” of liability and more about the “how much”. Affected companies will have to deal with their own contributory negligence in the occurrence of the security incident (Section 254 BGB) as well as with the problem of proving the amount of damage.

Note: In practice, IT consultants often attempt to limit their liability through general terms and conditions. However, such limitations of liability are only permissible within the statutory limits. For example, the exclusion of liability for intent, gross negligence or the breach of cardinal obligations is not permitted.


IT security services are demanding and can be ruinous if you end up being liable for a significant data leak!

Caution with IT security performance

IT security is not a purely technical term but a legal and technical one: it is foreseeable that a huge market will emerge here, and everyone wants a slice of the pie. But anyone who wants to earn money as an IT consultant with IT security has a lot to do and needs to be aware of the risks. Those who think too small walk into an unmanageable risk: IT security is first and foremost a conceptual project, which automatically makes it difficult to set strict limits on the services owed.

The liability risk is undeniable and enormous. Consultants who do not protect themselves with a suitable legal form and liability insurance are not only living dangerously, they are acting with commercial recklessness.

Due to the direct liability of managing directors for security incidents in Germany, recourse claims are practically pre-programmed and will be pursued vigorously, whether by the managing director or by their D&O insurer.

The drafting of a comprehensive contract for IT security services therefore requires careful consideration of various legal and technical aspects. Only precise contractual provisions can minimize risks and ensure effective cooperation between the client and service provider. A well-structured contract is an essential component of a successful security strategy in the digital world.

German Lawyer Jens Ferner (Criminal Defense & IT-Law)