The US have some of the most comprehensive cybersecurity laws worldwide.[1] However, with the rise of cyber-attacks and the increasing digitization of businesses, other important markets like Germany have caught up. US companies might struggle to identify their legal obligations in Germany, as IT security provisions differ from the US and are scattered across different areas of law. To avoid costly liability risks, we identified ten To Do’s for your legal team while doing business in Germany.
(1) Internal Monitoring Systems
The board must ensure compliance with cybersecurity law. In case of German subsidiaries, this legal obligation requires the establishment of an internal monitoring system that must allow for the timely identification of developments that could jeopardize the company’s existence, such as cybersecurity shortcomings. Managing directors may face personal liability claims by the advisory board if they do not fulfill this obligation. In the US such claims might fail for a lack of legally specific oversight duties for cybersecurity.[2] The German legal obligations on the other hand are more comprehensive which results in a far higher likelihood of successful claims.
(2) Legally-compliant IT security infrastructure
Depending on your business, your IT security infrastructure might be more or less comprehensive. In any case, you have to ensure business continuity. The bigger your business, the more effort will be involved. If your company has a certain size and your business is IT-based, you should follow recognized market standards, such as ISO/IEC 27001, as they are in compliance with your legal obligations. The German Federal Office for Information Security (BSI) has, based on ISO 27001, issued its own “BSI standard” that describes detailed measures for increasing the IT security of your internal processes. Both standards might be worth considering.
(3) The Works Council
Possibly, your German subsidiary has a works council (“Betriebsrat”). Various European jurisdictions provide for similar types of employee representative bodies. Under German law, a works council has far-reaching and non-negotiable rights, including when it comes to guidelines for the internal use of IT or the use of technical equipment within the workplace. Furthermore, the works council is entitled to access information on the internal IT infrastructure and to monitor the enforcement of employee rights, e.g. data protection.
(4) Contract Partner Protection
IT security will often also be part of your contractual obligations. When you are selling IT products or services, they have to fulfill a sufficient IT security standard based on market standards or your agreements with the contract partner. Thus, cybersecurity will be part of the contractual performance requirements. However, cybersecurity will also become relevant in other contracts that have no obvious IT connection. Because of the close relationship established with your contract partners, German law requires you to protect their legal and financial interests. This includes the use of secure IT systems when fulfilling your contractual obligations towards them, e.g. to protect your contract partner’s data from cyberattacks. A breach of contractual obligations exposes your business to claims for damages by your contract partners.
(5) Liability limitation
In the light of potential claims for contractual damages, it is advisable to limit your IT security obligations in contracts. Under German law, a full exclusion of these obligations is not possible. You will always be obliged to protect your contract partners’ legal and financial interests. However, the standard of due care for fulfilling contractual obligations or enforceable types & amount of damages can be limited. Note that German law greatly limits the possibility to include provisions into general terms and conditions in order to protect the contract partner.
(6) Burden of Proof
When facing a liability claim, your company will carry the burden of proof to show that your IT infrastructure provided for sufficient security levels. Consider getting an ISO/IEC 27001 certification. This will facilitate proving your IT security efforts in case of liability claims.
(7) Fines
German law allows to sanction a company for administrative offenses of their representatives with fines of up to €10 Mio (or, if personal data is involved, potentially even more, see (9) below. In case of an IT security related breach of the management’s obligation to monitor internal processes (see (1)), the management may face liability by way of an administrative offense under German law. Recently, the German authorities have become more active in investigating and sanctioning entrepreneurial misjudgment.
(8) Trade Secrets
Legal protection for your trade secrets is only granted under the condition that they have been subject to reasonable steps to keep them secret. Thus, IT security measurements are crucial to protect trade secrets. This is even more relevant as legal protection will generally only become relevant once your trade secrets have been disclosed. Available remedies against the infringing party include the right to prohibition of use or disclosure, the right to destruction of any documentation relating to the disclosed trade secret and the right to damages.
(9) GDPR Compliance
Data protection is an important part of cybersecurity. Under the GDPR, companies have extensive data protection obligations. In case of a non-fulfilment of these strict obligations, companies face administrative sanctions of up to €20 Mio or up to 4% of their annual turnover. Consider following our step plan to implement sufficient data protection measures under the GDPR.
(10) Digital Service Provider Provisions
Businesses providing “digital services” in Germany face increased IT security obligations. Providers of online marketplaces, online search engines and cloud computing services have to comply with the German “BSI Act”. Appropriate technical and organizational IT security measures have to be taken, following a risk-based approach. Authorities have to be notified of significant security breaches. All other providers of digital services in Germany have to take lower-level technical and organizational IT security measures for compliance with the German Telemedia Act – this basically applies to every commercial website provider.
[1] https://wp.nyu.edu/compliance_enforcement/2017/09/04/the-growing-risk-of-director-liability-for-cyberattacks/
[2] Vgl. https://blog.appknox.com/united-states-cyber-security-laws/; https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-4/1151376/united-states
