How does the liability situation in the subject complex of IT security, especially for management (managing directors and board of directors), present itself in Germany?
In my presentation on liability in the event of IT security breaches, tailored to managing directors and board members, I address the relevant circumstances: after an overview of general liability issues, and building on this, specific liability issues for employees and board members are highlighted, and finally, very briefly, ways of limiting liability are presented, right up to the question of whether a company that does not buy Bitcoin as a precaution is exposing itself to liability. In the following, I present essential parts of the lecture on the liability of the management board in the event of IT security breaches.
IT security is a core topic of modern information technology and is increasingly the focus of political developments as well; nevertheless, there is still no differentiated, binding set of rules, although there are specifications at EU level and initial statutory regulations at national level. In the areas where the problems originally arise, especially the development and use of software or the liability of a company's board, unclear liability situations appear immediately. In legal practice, IT security as such seems to wither away and boil down to the practical application of sub-areas of the GDPR; in fact, however, there are immediate liability scenarios.
Liability & IT security in software
There is currently no genuine liability law of its own in the area of IT security. This means that the existing legal foundations, some of which have been established for decades, together with the associated case law, must be transferred to IT security liability issues and applied accordingly.
It is important to emphasize that there is indeed an IT Security Act (IT-Sicherheitsgesetz), which has also received a great deal of media attention. However, this is not a self-contained law but a so-called "article law" with which existing regulations have been amended step by step. The focus of the legislator's efforts to date has been less on liability as such and more on support in dealing with security vulnerabilities and on creating competencies at public authorities.
Where liability plays a role in IT security issues, a number of legal areas come into focus; they are described below before selected issues are discussed by way of example:
- Contractual agreements
- Legal obligations
- Data protection law
- Product liability law
While contractual agreements in the area of IT security have so far taken place virtually under a "blue sky" and have been shaped predominantly by the traditional judicial review of general terms and conditions, the first serious regulation has emerged as of January 1, 2022 through the newly created rules on "contracts for digital products", which in principle only apply to contracts with consumers. However, as the example of smart devices shows, sales law in general has been amended as of 2022 such that a lack of security constitutes a material defect in all sales contracts.
In the case of statutory obligations, the focus should remain on tort liability under Section 823 of the German Civil Code (BGB), since this is where the main problems currently arise. This provision offers two-pronged protection: on the one hand, the first paragraph protects the so-called absolute legal interests, which include in particular life, limb, health and freedom, but also property.
On the other hand, paragraph 2 grants a claim for damages if a statute is violated that is expressly intended to protect another person. For further understanding, it is essential to know that the liability standard covers not only intentional conduct but also negligent conduct, including slight negligence. This means that, absent a separate contractual agreement, any misconduct that is even slightly negligent can lead to liability.
It is also important to note that negligent misconduct is not limited to active conduct, i.e. consciously disregarding duties of care, but can also consist of an omission, i.e. ignoring prescribed or expected duties of care. This makes the other regulations listed here as examples relevant to the question of whether all duties of care have been fulfilled. In this context, general IT security duties are likely to be of particular, and to date underestimated, importance as part of the duty of care.
Of high significance in this context is the violation of criminal law norms, for example negligent bodily injury or even negligent homicide, as recently in the case of the successful hacker attack on a university (Düsseldorf) including its university hospital. This example, which will be elaborated on, also tragically illustrates that not only attackers but also the victims of a "cyberattack" can come into the focus of criminal law: anyone who makes a "cyberattack" possible by disregarding current security standards is acting negligently not only under civil law but also under criminal law. That this does not necessarily lead to criminal liability, but can, will be explained using an example.
Data protection regulations
Among data protection regulations, the GDPR is of course the first to be mentioned. Article 82 GDPR is the direct legal basis for claiming non-material damages in the event of violations of data protection principles; Article 25 GDPR, which provides for data protection by design and by default, also plays a role here. As can be seen, this is more of a "toothless tiger", but one that can play a serious role in the question of negligent conduct.
In this context, the special obligations for providers of telemedia must also be presented, previously regulated in Section 13 (7) of the German Telemedia Act (TMG) and now adopted in identical wording in Section 19 (4) of the German Telecommunications-Telemedia Data Protection Act (TTDSG). The standard of negligence will have to be examined closely here, which may lead to liability problems in boards.
Product liability law
In the area of product liability law, the current state of the dispute over whether software is covered, which draws a rather arbitrary distinction between software on physical data carriers and digitally distributed software, must be presented very briefly. This aspect is to be addressed primarily with regard to the forthcoming reform of EU product liability law. According to our analysis, this will intensify the problems with software; companies that develop or distribute software should address their own liability at an early stage. Supply chain attacks and attacks on service providers, such as SolarWinds, will also lead to serious liability problems in the future.
Liability of those responsible for open source software
Is one liable as a responsible service provider merely because one uses open source software? Certainly not, as I already made clear with regard to Log4j! Nor is the fact that open source software is often maintained by volunteers and at the same time increasingly widely used an increased security risk in itself; the freely accessible and always reviewable source code should generally absorb such a "minus". However, those responsible have their own obligations depending on their role: anyone who develops software and uses open source components in doing so should rely on standard tools such as OSS-Fuzz or SonarQube (the former was also specifically aimed at Log4j). In this respect, it should be recalled that since January 1, 2022 security in general has become a criterion for freedom from defects in sales law, which again increases the obligations.
In general, the following applies: liability can in principle be considered even if one is not responsible for the security vulnerability but "only" uses the software. Depending on one's own role, one's obligations will increase, but at the very least there is an obligation to monitor and update the software. Under both old and new law, the update obligation in commercial transactions arises in the case of such a serious gap initially as an ancillary contractual obligation; vis-à-vis consumers it has since January 1, 2022 even been codified as a principal obligation.
The Allianz Risk Barometer 2022 makes it clear that cyber risk is at the top of the list of threats to ongoing operations; and with that comes the question of board liability for failures!
IT security as a compliance task
IT security has long since become an issue in (IT) compliance. Poor compliance alone can result in liability on the part of management, and good compliance can conversely have a liability-privileging effect. IT security can be regarded as a central component in this context (as explicitly stated by Jacobs in CB 2017, 299, 302). IT security is the responsibility of both the management board and, by virtue of its supervisory mandate, the supervisory board, where one exists.
It should generally be remembered that the management of a company must exercise the care of a prudent and conscientious business manager within the scope of its management duties. Today, this applies in particular to the use of IT in the company, and compliance must ensure lawful conduct not only with regard to employees (internal) but also with regard to third parties (external). However, it is important not to think too sweepingly here: the Federal Court of Justice has emphasized, for example, that the mere position of managing director or board member does not give rise to a guarantor's duty with regard to financial losses suffered by third parties (see BGH, VI ZR 341/10).
This responsibility falls on the management board or management as a whole, even if delegation is possible, and it remains precisely after delegation: each member of the management board has a duty of supervision and control over "his" compliance area and also over the other members of the board (who have a corresponding duty to report; see Hoffmann/Schieffer in NZG 2017, 401 for a very comprehensive discussion). A special feature is the duty to investigate: if a board member suspects that another is not performing his duties properly, he must follow up on this suspicion; otherwise this alone constitutes a breach of duty on his part. The principle applies that, in a corresponding risk situation, a board member only meets his duties if a compliance system has been installed in the first place (instructive: LG München I, 5 HK O 1387/10). A good compliance system is a factor affecting the amount of a fine (BGH, 1 StR 265/16).
Another emerging issue in Germany is critical components: with Section 9b BSIG, there is a risk that specifications for IT will be issued for a sector at virtually any time, and components already in use will have to be removed. A currently well-known example is the question of whether hardware from Huawei can continue to be used in the telecommunications sector. This currently threatens all critical sectors and is due to a special legal situation in Germany. Here there is a threat of personal liability on the part of management if the use of critical components is not assessed in advance.
The conclusion on IT security in the area of compliance is thus manageable: it will hardly be surprising that, in view of the general compliance principles, liability for poor IT security compliance is on the table. Liability of the entire board can continue to arise even after delegation; given the mutual duties of supervision, it is hardly conceivable that this supervisory function can be exercised at all unless every board member has at least the absolute (manageable!) basics of IT security.
If a compliance system is in place and errors nevertheless occur, a good compliance system is not only a factor in assessing a fine but also opens the discussion on the degree of negligence. With regard to non-material damages, the level of responsibility of board members who were not themselves responsible will also have to be discussed in the individual case.
Exemplary legal questions on IT security
The update obligation
As a result of the aforementioned reform of the BGB, the newly created Section 327f BGB clarifies explicitly for the first time that (not further defined) "security updates" are a service owed for the intended period of use, regardless of the type of contract. The provision of such updates becomes part of the statutory concept of defect via the new Section 327e BGB.
In the future, the existence of software updates will therefore help to determine when a software defect exists. It is currently completely open whether and to what extent this regulation, which is intended for contracts with consumers, will also play a role in contractual (dispute) issues between businesses. It makes sense to use the statutory definitions of a defect in digital goods at least as a supplement when interpreting contracts between businesses as well; notably, the law also explicitly refers to compatibility and interoperability when determining whether a defect exists. In this respect, the new version of the law is in line with previous case law, which will be illustrated using the examples of changes in the law and the occurrence of security vulnerabilities.
Examination of software for security vulnerabilities permissible
I also explain that the independent analysis of software for defects and especially for security problems is permissible; in particular, neither trade secret law nor copyright law stands in the way of reverse engineering for the purpose of testing IT security. This case law has recently been slightly reinforced by the European Court of Justice. Overall, I expect reverse engineering to become more rather than less permissible in the future; at the same time, in extreme situations, it may even become mandatory as part of the catalog of measures to be taken when using outdated or older software.
There is currently no general obligation to perform penetration testing; at least it does not follow directly from the current legal requirements.
However, my legal analysis comes to the conclusion that, especially in a high-risk environment, specifically where sensitive data is handled to a significant extent, an indirect necessity to conduct a pentest will arise in order to meet the heightened duties of care and avoid an allegation of negligence, and also to meet the heightened requirements of the GDPR.
Concrete obligation to report a security breach
The principle applies that a security vulnerability in itself does not trigger a data protection notification obligation!
On the other hand, the mere existence of a security vulnerability in software in use constitutes a violation of the requirements for the security of processing under Art. 32 GDPR. If there are then indications that the vulnerability has been exploited and personal data is affected, there is a notifiable personal data breach under Art. 33 GDPR, since such compromised IT systems are rarely "unlikely to result in a risk" to the rights and freedoms of data subjects (this is also the clear assessment of the BayLDA on Log4j).
This is accompanied by a comprehensive documentation obligation with regard to the findings on whether or not there is a risk to the data subjects (accountability under Art. 5 (2) GDPR).
IT security for smart devices
Smart devices, which are based on software at their core, are included in my consideration because they demonstrate the security issue in civil law since 2022: with the law on the sale of goods with digital elements, a first statutory regulation defines a concrete concept of material defect for partially digital devices in Section 475b BGB (German Civil Code) and, brand new, extends the general concept of material defect in sales law by aspects of security.
I emphasize in this respect that in the future the seller will face direct liability in sales law in general in the event of security problems.
Rules of conduct for employees
There are indeed direct consequences for employees: not only may employers have a duty under labor law to offer further training measures, employees will have a mirror-image duty to take advantage of such training insofar as it is necessary for their own work. As part of their obligations under employment law, employees must also refrain from any conduct that could impair the employer's IT security; in return, the employer will have to offer assistance so that the employee knows what is expected of him.
In addition, endangering the legal interests of third parties also threatens the economic interests of the employer, which in turn feeds into the company's duty of care. Finally, selected examples will be used to illustrate how employees must deal with instructions from employers whose legal validity is doubtful: an employee does not have to follow instructions if they visibly lead to the violation of the legal interests of third parties.
Liability of the Management for IT Security Deficiencies
It should be noted that members of the management board are not necessarily subject to the same duties of care as the company itself. Their external liability is legally limited by their respective area of responsibility and, moreover, ends where the de facto possibility of influence ends.
Responsibility of board members that goes beyond their departmental responsibility can only be assumed in exceptional cases, such as significant quality deficiencies. In addition, there is a possibly massively underestimated risk of direct civil liability for managing directors where there is actual criminal relevance: here, as will be worked out and demonstrated by means of a case example, the combination of Section 823 (2) BGB (German Civil Code) in conjunction with Section 14 StGB (German Criminal Code) and the violated norm, such as negligent homicide, can have a direct effect on the managing director who failed to take security measures.
As will be explained, under BGH case law the only way to prevent such a case is to take suitable compliance measures. Otherwise, there are liability risks that threaten the existence of the company and cannot be eliminated.
Understanding of IT security
Anyone dealing with liability and IT security on the board and in management must demand that there be a fundamental understanding of IT security. This demand is rightly becoming louder and louder.
Management Board with IT understanding
An executive board cannot meaningfully assess risks and countermeasures if it has no understanding of the problem at all. However, this is not about understanding in detail how, for example, an SQL injection works, let alone being able to carry one out oneself. Rather, it is about knowing the "vocabulary", having a rudimentary understanding of at least the usual attack scenarios, and understanding the usual conduct in response.
Recommended measures of attack detection
Cyber attack detection refers to measures that help to detect malicious cyber activity in your network. Here, the "vocabulary" must be in place in any case, and the following basic portfolio named by ENISA must exist in the company; a managing director or board member should at least be able to follow such a list in substance (see also, on our site: How to protect yourself from a hacker attack):
- Implement a robust set of logs and regularly review the alerts triggered by security components. ENISA's Guide to Proactive Detection covers telemetry sources comprehensively. It is especially recommended to collect event logs relating to the unauthorized creation, modification and use of privileged account credentials, and to review network connections from IP ranges belonging to non-corporate VPN gateways and similar services.
- Monitor the activity of devices on your network with appropriate tools such as Endpoint Detection and Response (EDR) and User and Entity Behaviour Analytics (UEBA), since a significant portion of network traffic today is encrypted and cannot be inspected on the wire. This applies to both servers and endpoints. Make sure your EDR raises an alert when monitoring or reporting is disabled, or when communication with a host agent is interrupted for longer than a reasonable time.
- Use carefully curated cyber threat intelligence to proactively search your logs for possible indicators of a threat.
- Detect traces of compromise on your network through a well-designed, regular threat hunting process.
- Use intrusion detection signatures and NetFlow to detect suspicious traffic at network boundaries and identify conditions that could indicate software misuse or data exfiltration.
- Prevent and detect PowerShell-based attacks, so that attackers cannot gain complete control of a Windows-based infrastructure or of business-critical user accounts.
- Invest in detection of lateral movement that abuses the NTLM and Kerberos protocols in a Windows environment.
- Instruct your users to report suspicious activity to your local cybersecurity team immediately.
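To make the first two ENISA items above concrete, here is an added example (not from the page or from ENISA) of what such detection logic looks like when run over logs: it flags creation of accounts and additions to privileged groups, logons from IP ranges assumed to belong to non-corporate VPN services, and EDR agents whose heartbeat has gone silent. The Windows Security event IDs (4720, 4728, 4732, 4624) are real; the key=value log lines, the VPN ranges, the group names and the heartbeat table are constructed for the example and are not a real log format.

```python
"""Minimal detection checks over constructed Windows-style security events.
Added example, not part of the original page: the event IDs are genuine
Windows Security IDs, but the key=value line format, sample lines,
VPN ranges and heartbeat data are constructed for illustration."""
import ipaddress
import re
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720        # a user account was created
ADDED_TO_GLOBAL_GROUP = 4728  # member added to security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732   # member added to security-enabled local group
LOGON = 4624                  # successful logon (type=10 is RemoteInteractive/RDP)

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Assumed (constructed) exit ranges of commercial, non-corporate VPN services.
NON_CORPORATE_VPN_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed sample log, simplified key=value form (not native EVTX).
SAMPLE_LOG = """\
ts=2024-03-01T08:00:12 id=4624 user=alice src=10.1.2.3 type=10
ts=2024-03-01T08:03:40 id=4720 user=svc-backup2 actor=bob
ts=2024-03-01T08:03:41 id=4728 user=svc-backup2 group=Domain Admins actor=bob
ts=2024-03-01T08:05:02 id=4624 user=carol src=203.0.113.77 type=10
ts=2024-03-01T08:06:10 id=4732 user=dave group=Remote Desktop Users actor=admin
"""

# Constructed EDR agent heartbeat table: host -> last time the agent reported.
SAMPLE_HEARTBEATS = {
    "ws-001": datetime(2024, 3, 1, 8, 9),
    "ws-002": datetime(2024, 3, 1, 7, 20),  # agent stopped reporting
    "srv-db1": datetime(2024, 3, 1, 8, 10),
}
NOW = datetime(2024, 3, 1, 8, 10)


def parse_events(text):
    """Parse key=value lines; values may contain spaces (e.g. group names)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))
        fields["id"] = int(fields["id"])
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def privileged_account_alerts(events):
    """Flag account creation and membership changes in privileged groups.
    A freshly created account that is immediately made privileged is
    reported as its own, more severe, alert kind."""
    alerts, created = [], set()
    for e in events:
        if e["id"] == ACCOUNT_CREATED:
            created.add(e["user"])
            alerts.append(("account_created", e["user"], e.get("actor")))
        elif (e["id"] in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP)
              and e.get("group") in PRIVILEGED_GROUPS):
            kind = ("new_account_made_privileged" if e["user"] in created
                    else "added_to_privileged_group")
            alerts.append((kind, e["user"], e.get("actor")))
    return alerts


def vpn_logon_alerts(events):
    """Flag logons whose source address lies in a non-corporate VPN range."""
    alerts = []
    for e in events:
        if e["id"] != LOGON:
            continue
        src = ipaddress.ip_address(e["src"])
        if any(src in net for net in NON_CORPORATE_VPN_RANGES):
            alerts.append((e["user"], e["src"]))
    return alerts


def silent_edr_agents(last_seen, now, max_gap=timedelta(minutes=15)):
    """Hosts whose agent has not reported within max_gap: the EDR should
    alert on these rather than silently dropping the host from monitoring."""
    return sorted(host for host, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("privileged:", privileged_account_alerts(evs))
    print("vpn logons:", vpn_logon_alerts(evs))
    print("silent agents:", silent_edr_agents(SAMPLE_HEARTBEATS, NOW))
```

The point for a board member is not the code but what it encodes: the questions "who created which account and who made it an admin", "which logons came from addresses a corporate user should not be using" and "which monitored hosts have gone quiet" must have an owner and an alert path, otherwise the telemetry exists without anyone being in a position to act on it.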
Possible scenarios of a limitation of liability
The limitation of liability outlined above is possible and will be demonstrated in the lecture using a few selected examples. First and foremost, contractual agreements must always be considered, but these are ultimately subject to strict judicial control through the BGB's rules on permissible general terms and conditions. It should be borne in mind that, in addition to legal errors, the typical practical errors must also be prevented, for example through internal compliance measures, which bind employees firmly and thus represent an effective control instrument. In particular, these mistakes are to be avoided:
- Do not ignore a security event without investigating what triggered it and what impact it might have;
- Do not preemptively block or scout infrastructure used by threat actors (pinging, DNS queries, browsing, etc.), as this can tip off the attacker;
- Affected systems should as a rule not be cleaned before IT forensic specialists can collect and/or secure evidence;
- Do not ignore telemetry sources such as network, system and access logs;
- Do not merely eliminate the symptoms while ignoring the causes, and do not settle for only partial containment and recovery;
- Do not dispense with a detailed record of the actions taken and the timeline of the event.
It is briefly shown why, in case of doubt, clauses must be treated as general terms and conditions rather than individually negotiated contract terms; it is then explained why it makes sense to close the resulting gap by taking out suitable cyber insurance, and why, from management's point of view, this is mandatory in order to avoid personal liability in the "worst case", even with a suitably chosen legal form.
In the scenario of limiting liability, it must also be addressed whether it is not part of the company's management task to hold the reserves, which corporations must form in any case, partly in Bitcoin. The idea is that if Bitcoin is bought cheaply, it will ultimately appreciate in value and then be available in the event of ransomware, with the increase in value that has occurred in the meantime having a partially compensatory effect.
With regard to the question of whether such a ransom payment constitutes a criminal offence in itself, I am of the opinion that criminal liability exists here which can only be eliminated in the individual case through targeted negotiation and damage management. According to my analysis, anyone who pays immediately on first demand is liable to prosecution (a separate article will follow). In this respect, a legally supported procedure prevents the board or management from being held liable, for example, for terrorist financing or money laundering.