21 March 2022
The German Federal Office for Information Security (BSI) has been warning against the use of software from Kaspersky (market share probably around 10%) since March 15, 2022 - the software originating from the company should be replaced. The BSI is thus using the role recently assigned to it to warn and inform the public about the IT security of products. What is not regulated, however, is how responsible parties should handle the information.
Even without proof of a concrete threat from products of the manufacturer Kaspersky, the BSI advises against their use. Because of the far-reaching rights that the antivirus software distributed by the company has, the software could also be used for attacks, according to the BSI. Attacks by manipulating the software or the data stored at Kaspersky could also be carried out against the manufacturer's will due to pressure from Russian authorities, so there were doubts about Kaspersky's reliability. The warning, issued by the BSI on the basis of the recently amended Section 7 of the BSIG, is available on the BSI site (Warning, Press release). It is unclear exactly which authorization basis was used. According to the wording, only Section 7 (1) sentence 1 lit. c BSIG can be considered, i.e. a "warning in the event of a loss of or unauthorized access to data". One could also think of "information about security-relevant IT properties of products" according to Section 7 (1) Sentence 1 lit. d BSIG, but the notification is explicitly labelled as a "warning".
The fact that Kaspersky says it has already outsourced its servers to Switzerland in 2020 is not mentioned in the BSI's statement. Kaspersky also criticizes this in its response to the BSI's warning: since 2020, the data sent in by customers has been processed in data centers outside Russia.
One cannot help but notice that Kaspersky's statement only partially addresses the concerns expressed by the BSI: The BSI is not only concerned about the data stored at Kaspersky. The BSI is also concerned about the possibilities of compromising the end devices on which installed instances of Kaspersky software are located. Kaspersky is silent on the latter point. Regarding the cloud services that Kaspersky mentions, it would have to be checked whether the headquarters in Russia can access the data. If the principles developed in the Schrems II ruling are taken as a basis, then the very fact that the parent company is based in Moscow raises considerable concerns about its use (cf. on Russia not being a safe third country for data transfers, this publication). The question also arises as to whether a system secured by Kaspersky software - despite the ISO certification granted before the war - continues to comply with Art. 32 GDPR. However, data protection law is not to be considered further here.
Irrespective of this, the question arises as to whether, in view of a possible attack via this vector in the future, the - still permitted (cf. BSI Bund.de) - use of Kaspersky software after the warning can be reconciled with the due diligence that German law (cf. in particular Section 43 (1) GmbHG (German Limited Liability Companies Act), Section 93 (1) Sentence 1 AktG (German Stock Corporation Act)) requires of the responsible management bodies. As far as can be seen, there is no court decision that has considered the decision against implementing official warnings from IT security law other areas of law as a breach of the duty of care. However, a managing director of a GmbH (German limited partnership) must take into account whether the shareholders would be inclined to follow the BSI's warning and must obtain a decision from them.
Furthermore, the distribution of the burden of proof must be taken into account. Pursuant to Sec. 93 (2) Sentence 2 AktG, executive board members of an AG (German Public Limited Company) bear the burden of proof that their actions or omissions complied with the due care and diligence of a prudent and conscientious; the standard applies accordingly to managing directors of a GmbH. To this end, in the event of damage it will in particular be necessary to prove that an appropriate information basis has been created. It should be noted here that the BSI can be assumed to be neutral and qualified and that the warning appears plausible; therefore, compliance with it should not constitute a breach of due diligence. The consideration would also have to take into account that a change of antivirus software is likely to take some time, especially in larger companies. If the Kaspersky products are to remain in use, it is advisable at present to document the decision not to follow the BSI's warning.
In this context, it should also be mentioned and noted that providers of cyber insurance are apparently increasingly examining whether they are allowed to refuse benefits in the event of a Russian cyber attack. In addition, the adjustment of insurance terms and conditions is under consideration. It could therefore be that there is no insurance cover in the event of an attack. Incidentally, due to the sanctions in place, paying the ransom in the event of a ransomware attack could currently be prohibited even on penalty under the Foreign Trade and Payments Act. Data would then be lost. The topic of "insurance protection" is covered in depth here on our homepage.
If a cyber attack were to occur, Kaspersky would be liable for the damage in accordance with Section 280 (1) of the German Civil Code (BGB) and Section 823 (1) BGB, among other things, if the company cannot cite any justification. However, if the Russian government forces the "assistance" by threats, a justifying emergency situation (§ 228 sentence 1 BGB or § 904 sentence 1 BGB) could exist. However, the proceedings could be suspended pursuant to Section 247 of the Code of Civil Procedure due to travel restrictions in force during the proceedings. Even if a title were to be obtained, its enforcement could take a long time.
We have the legal expertise and experience in IT security law, data protection law and the other areas of law mentioned here. In this regard, we advise well-known companies.