Cybersecurity 2021 Comparisons

Last Updated March 16, 2021

Law and Practice

Authors



Heuking Kühn Lüer Wojtek is one of Germany’s major commercial law firms, with more than 400 lawyers in nine offices across Germany and in Zurich offering service at the highest level. The lawyers in the firms' data protection, privacy and cybersecurity group are leaders in their fields and help clients develop global privacy and data security strategies for today’s digital economy. They advise clients on, inter alia, data processing agreements, international data flows within groups of companies and binding corporate rules; development of compliance programmes (including GDPR compliance); technology-related data usages; the setting up and operation of customer relationship management, personnel or other databases involving personal identifiable information; as well as the setting up of whistle-blowing and other reporting schemes. Furthermore, they represent clients before administrative authorities and in legal disputes related to (alleged) data protection and data security breaches.

Issues related to the protection of personal data are regulated in the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and in sectoral laws (ie, the Banking Law, the Energy Law, etc).

Issues related to the protection of personal data and privacy in electronic communications are regulated primarily in the Telecommunications Act (Telekommunikationsgesetz, or TKG) as a result of the implementation of the E-Privacy Directive. These issues will be regulated by the E-Privacy Regulation, once it comes into force.

The implementation of Directive (EU) 2016/1148 (NIS Directive) resulted in the amendment of various German laws, including the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, or BSIG) and the Energy Industry Act (Energiewirtschaftsgesetz, or EnWG).

The EU Cybersecurity Act (Regulation (EU) 2019/881) provides a framework for EU-wide certification of information and communication technology (ICT) products, services and processes.

The German Criminal Act (Strafgesetzbuch, or StGB) lays down penalties for data espionage, phishing, acts preparatory to data espionage and phishing, data tampering, computer sabotage and computer fraud.

Penalties

Infringements of the provisions set out in the German Data Protection Act and the GDPR with respect to cybersecurity are subject to administrative fines of up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The TKG and EnWG provide for fines of up to EUR100,000, while the BSIG provides for fines of up to EUR50,000. (If operators of public telecommunications networks do not submit the mandatory security concept to the Federal Network Agency immediately after the start of network operation, they are threatened with a fine of up to EUR100,000 under the TKG. Violations of the notification obligation are punishable with fines of up to EUR50,000 under the TKG. For non-compliance and in the case of disregard of the reporting obligations, the EnWG provides for fines of up to EUR100,000 and the BSIG for fines of up to EUR50,000.)

The penalties provided for by the StGB range from a fine to a prison sentence of up to five years (for computer fraud).

Data Protection Authorities

In addition to the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI), each federal state has data protection authorities. Those supervisory authorities have powers of approval, advice, investigation and remedy. They conduct investigations into the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.

German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI)

In 1991 Germany established the BSI. The office provides security advice for users and standards for public and private bodies. The guiding principle of the BSI is: "As the federal cybersecurity authority, the BSI shares information security in digitisation through prevention, detection and reaction for the state, economy and society."

Central Office for Information Technology in the Security Sector (Zentrale Stelle für Informationstechnik im Sicherheitsbereich, or ZITiS)

The Central Office for Information Technology in the Security Sector is an unincorporated federal agency under the authority of the Federal Ministry of the Interior, Building and Homeland Affairs. ZITiS has the task of supporting and advising federal authorities with security tasks with regard to information technology capabilities. For this purpose, the central office develops and researches methods and tools.

Computer Emergency Response Team for Federal Authorities (CERT-Bund)

The CERT-Bund is the central contact point for preventative and reactive measures in the event of security-relevant incidents in computer systems. It serves as a warning and information service for authorities and private internet users. It provides information about security leaks in software, provides a weakness indication (green/yellow/red) for commonly used software and lists present and past security holes.

The supervisory data protection authorities have powers of investigation and remedy. They conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.

They may use the following methods for their investigation purposes:

  • on-the-spot checks on individual companies;
  • dispatch of questionnaires; and
  • automated online audits.

In general, data protection authorities tend to visit larger companies or those companies whose processing operations are likely to result in a high risk to the rights and freedoms of data subjects. Small and medium-sized enterprises are usually only marginally controlled by the authorities so as not to overburden them financially and in terms of personnel.

Companies that have received fines can file objections and take legal action.

Each federal state has its own data protection authorities and its own data protection laws, which do not contradict the federal or EU laws, but partly extend them. A federal state’s data protection law only applies to that state’s public bodies.

A good example of the manner in which EU laws have been implemented at the national level, is the German NIS Directive Implementation Act (Implementation Act) which came into effect on 30 June 2017; as a transposition of the EU Network and Information Systems Directive (EU 2016/1148 (Directive)). The Implementation Act amended the BSIG, the Atomic Energy Act (Atomgesetz), the EnWG, the Social Security Code V (Sozialgesetzbuch V), and the TKG. The key requirements laid out in the Directive, had, however, already been part of the German IT Security Act (ITSA) which amended the BSIG before the Implementation Act. Because of this, the ITSA assumed the role of “pace-setter” for the Directive. As a consequence of the ITSA, the changes required to be made to the German law resulting from the Directive were relatively small.

On 1 February 2021, the federal government passed the draft of a second law to increase the security of information technology systems (IT Security Act 2.0). This new Act is aimed at strengthening the position of the BSI, heightened consumer protection, stronger corporate precautionary obligations and reinforcing the state’s protective functions.

The tasks of the BSI include:

  • protection of federal networks, detection of and defence against attacks on government networks; and
  • warning of malware or security holes in IT products and services.

The CERT-Bund informs about security leaks in software and lists present and past security holes.

Alliance for Cybersecurity

An example in this context is the Alliance for Cybersecurity (ACS), which provides companies with up-to-date information on the threat situation in cyberspace as well as practical assistance for the design and implementation of suitable protective measures. Membership is open to all companies and institutions having their headquarters/branch office in Germany. Several thousand companies and institutions have already joined the initiative, which was launched in 2012 by the BSI and the digital association Bitkom, making the Alliance for Cybersecurity a successful model for building trust and profitable co-operation between government and industry in the field of cybersecurity.

Member companies benefit from the expertise of the BSI and their ACS partners, the exchange of knowledge and experience with other companies and institutions on granular topics of cybersecurity and partner services, which in turn increases cybersecurity proficiency within member companies. Furthermore, companies that possess pre-existing expertise in the field of cybersecurity have the opportunity of becoming partners in the ACS to contribute to the network.

The Alliance for Cybersecurity's extensive information offering includes BSI recommendations on topics such as the secure configuration of software products, securing systems for manufacturing and process automation, and monitoring and detecting network anomalies.

Cybersecurity Council Germany e.V.

In August 2012, the Cybersecurity Council Germany e.V. was founded by well-known personalities. The Berlin-based association is politically neutral and aims to advise companies, authorities and political decision-makers in the field of cybersecurity and to strengthen them in the fight against cybercrime.

The members of the association include large and medium-sized companies, operators of critical infrastructure, numerous federal states, local authorities as well as experts and political decision-makers with an interest in cybersecurity. Through its members, the association represents more than three million employees from the industry and almost two million members of other associations and societies.

The Cybersecurity Council Germany e.V. pursues the following goals:

  • intensification of the co-operation between politics, public administration, business and science to improve IT protection;
  • initiatives and projects to promote awareness of cybersecurity;
  • establishment of a Germany-wide cybersecurity network in a European and international context; and
  • establishment of a knowledge platform, forum and network for association members.

Member companies are integrated into the council-network which includes decision-makers in the field of politics, economics, science and society. Members are also integrated into an international network of leaders and heads of cybercommunities. Private member companies are afforded representation of their corporate interests in the political field of cybersecurity.

With the introduction of the GDPR, the EU was the first polity to introduce new regulations in the area of data protection and security of personal data. Furthermore, the regulations apply supranationally throughout the entire EU and it can be assumed that other countries will use the GDPR as the foundation of their own laws on data security.

The Second EU Data Protection Adaptation and Implementation Act (2.DSAnpUG – EU), was passed in 2019 in order to amend a total of 154 pre-existing laws in an "omnibus process" to further harmonise German data protection legislation with the GDPR. The vast majority of changes under the omnibus act involved aligning the terminology in German federal legislation with the terms used in the GDPR.

Germany also introduced the BSIG before the EU addressed similar topics with the NIS Directive. However, in certain areas, Germany’s federal structure can lead to delays and a patchwork of laws and authorities.

In March 2019, the German Federal Ministry of the Interior published the draft for an IT Security Act 2.0, which contains a holistic approach to IT security. Amongst other things, a consumer-friendly IT security label for commercial products is to be included, the competences of the BSI are to be strengthened and criminal offences in cybersecurity and the associated investigation activities are to be expanded. The draft law also extends the addressees of reporting obligations and implementation measures. Overall, the law is expected to result in a considerable additional economic burden for companies and authorities.

The broad spectrum of applicable law closes many of the security gaps in cyberspace. But the growing number of cyber-attacks make it clear that security standards must be continuously adapted to the changing risks. A further issue is that the rules on cybersecurity are not condensed into one cybersecurity act, but are spread among numerous different laws. This poses profound challenges for companies to determine which legal framework applies to them.

5G Network

5G networks are expected to become the backbone of transformational services that will positively change life for future generations. This holds true regardless of the area of application, be it automobile vehicles, remote surgery, intelligent care facilities or the multitude of other technological advances that will benefit from 5G. Innovators, investors and users need confidence in the network's cybersecurity to achieve the promising goals of 5G. Therefore, this will be one of the top priorities for 2020.

E-Privacy Regulation

The E-Privacy Regulation is designed to protect personal data in electronic communications and supplements the GDPR in this respect. It replaces the E-Privacy Directive, which the German legislature implemented largely in the Telemedia Act (Telemediengesetz, or TMG) and the TKG. Many entrepreneurs are already warning that the E-Privacy Directive will seriously damage digital business.

Impact of the SolarWind Hack in Germany

In December 2020, a US-based tech company was the victim of a sophisticated large-scale cyberattack. The attack had far-reaching implications on international users of the company’s software. This included multiple German ministries and federal offices that used or had used the software. The hack clearly revealed the prevalence of security gaps and insufficient attention to IT security.

Due to the complexity of modern IT systems and the comparatively low cost of carrying out attacks of this nature, the threat of vector attacks on software supply chains is expected to gain importance in the coming years. Furthermore, traditional security mechanisms will need to be supplemented with more refined policies for detection of malicious changes in code.

The key cybersecurity laws, as opposed to the cybersecurity-related provisions of general criminal law, are:

  • the BDSG provides cybersecurity requirements and sanctions when personal data is involved;
  • EU Directive 2016/1148 of 6 July 2016 provides specific requirements for networks and information systems for operators of essential services and digital service providers; Germany implemented the directive by amending the BSIG and the EnWG;
  • the Cybersecurity Act provides requirements for European cybersecurity certification schemes with respect to ICT products, ICT services and ICT processes in the EU;
  • EU Directive 2015/2366 of 25 November 2015 on Payment Services 2 (PSD2) sets out provisions for information systems of payment service providers (PSPs);
  • EU Regulation 2017/745 applies to medical devices that include software components;
  • the German IT Security Act provides certain security standards and reporting requirements for the operators of critical infrastructures; and
  • the TKG regulates the protection of personal data and privacy in electronic communications; however, it will be replaced by the E-Privacy Regulation.

German Criminal Act (StGB)

Any unlawful alteration, deletion, suppression or rendering unusable of external data fulfils the facts of the case according to Section 303a of the StGB (data alteration). In particularly serious cases, this is also punishable under Section 303b I No 1 of the StGB ("computer sabotage") and is punishable by imprisonment of up to five years or a fine. Since 2007, distributed denial-of-service (DDOS) attacks have also constituted computer sabotage; the same applies to any action that causes damage to an information system that is essential to another.

Spying on data (Section 202a, StGB) – ie, gaining access to external data that is specially protected against this – is punishable with a prison sentence of up to three years or a fine. Intercepting foreign data in networks or from electromagnetic radiation has also been a punishable offence since 2007. In contrast to Section 202a of the StGB, no special access protection is required here. Procuring, creating, distributing, making publicly accessible, etc, so-called hacker tools has also been a punishable offence since 2007, if a criminal offence is prepared with them (Section 202c, StGB).

According to Section 202a paragraph 2 in conjunction with paragraph 1 of the StGB, data is only protected from being spied on if it is "specially secured" in order to prevent the offence from escalating. This means that only in case users protect their data by technical means do they enjoy protection under criminal law. The earlier debate as to whether "hacking" without retrieving data is punishable under criminal law is no longer relevant since the wording of the Section 202a paragraph 1 of the StGB was changed in 2007 in such a way that criminal liability begins as soon as access to data is gained. It is also disputed whether encryption is part of special security. Although it is very effective, it is argued that the data is not secured, but is only available in an "incomprehensible" or simply "different" form.

Computer fraud is punishable under Section 263a of the StGB with a fine or imprisonment for up to five years if data processing operations are manipulated to obtain financial gain. Even the creation, procurement, offering, safekeeping or transfer of suitable computer programs is punishable.

Please see 1.2 Regulators.

ENISA

The European Network and Information Security Agency (ENISA) was created in 2004. The objective of ENISA is to serve as a contact point and centre of expertise for the member states and the institutions of the European Union on issues related to network and information security. Its activity consists of:

  • anticipating future network and information security challenges and assisting the European Union in responding to them, by collecting, compiling, analysing and publishing relevant information and expertise on crucial issues regarding network and information security, taking into account the developments in the digital environment;
  • supporting EU member states and EU institutions in developing and implementing the strategies necessary to meet the legal and regulatory requirements for national information security and thereby promoting the significance and need for network and information security;
  • supporting the EU in building and developing state-of-the-art network and information security capacities and in its continuous adaptation to the latest trends; and
  • strengthening the co-operation between EU member states and between national institutions to ensure network and information security.

ENISA also publishes reports and studies on cybersecurity; for example, on privacy, cloud security or the detection of cyber-attacks.

ENISA's main target groups are public sector organisations, in particular:

  • the governments of the EU member states; and
  • the institutions of the EU.

The Agency also provides support to:

  • the ICT industries (telecommunications, internet service providers and IT companies);
  • enterprises in general, especially small enterprises;
  • network and information security professionals (eg, IT emergency teams);
  • academic circles; and
  • the public at large.

The European ENISA Regulation 2019/881 (Cybersecurity Act), adopted on 17 April 2019, grants a permanent mandate to ENISA and broadens its powers. ENISA has been made responsible for drafting the European Certification Schemes for Cybersecurity. These are to serve as a basis for the certification of products, processes and services that support the provision of the digital single market.

The BSI

The BSI acts in an advisory capacity to the business community and supports companies of all sizes and from all industries in questions of IT and information security. The objective of the BSI is the preventative promotion of information and cybersecurity in order to enable and promote the secure use of information and communication technology in the state, economy and society.

At federal level, the BSI is also responsible for the protection of critical information infrastructures (KRITIS).

In addition to its advisory function, the BSI co-operates with the business community in a variety of ways. For example, co-operation in the area of certification has long been established. Through the independent testing of IT products and services, the BSI offers manufacturers an opportunity to ensure transparency and more trust in the IT security features of their products and services.

The tasks of the BSI also include:

  • protection of federal networks, detection and defence of attacks on government networks;
  • testing, certification and accreditation of IT products and services;
  • warning of malware or security gaps in IT products and services;
  • IT security consulting for the federal administration and other target groups;
  • information and awareness raising of citizens on IT and internet security;
  • development of uniform and binding IT security standards; and
  • development of cryptosystems for federal IT.

Please see 1.2 Regulators.

Aspects of cybersecurity are handled by the authorities listed under 1.2 Regulators. Additionally, the Federal Institute for Financial Institutions and Insurances (Bundesanstalt für Finanz- und Versicherungsaufsicht, or BaFin) publishes the MA-Risk, which contains procedural and security requirements to be taken into account by banks, payment service providers and insurers.

TeleTrusT

The Federal Association for IT Security (TeleTrusT) is a competence network comprising of domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations. Due to the broadly diversified membership and the partner organisations, TeleTrusT embodies the largest competence network for IT security in Germany and Europe. TeleTrusT offers forums for experts, organises events or participations in events and gives its opinion on current issues of IT security.

For additional information, please see 1.2 Regulators.

In Germany, the operators of critical infrastructures are obliged by the IT Security Act to comply with certain security standards and reporting requirements. This law will have to be changed due to the NIS Directive.

However, many companies have chosen to voluntarily comply with the ISO 27001 standard as this is a good way to improve cybersecurity. The Federal Network Agency (Bundesnetzagentur, or BNetzA) even explicitly ordered ISO 27001 certification for electricity and gas network operators in its IT security catalogue by 2018. Furthermore, BaFin also refers to common IT standards such as ISO 27001 or the BSI basic protection catalogues in its minimum requirements for risk management.

Nevertheless, it is usually helpful to develop a framework specifically tailored to the company. For this purpose, sources such as COBIT, NIST and SANS20 should be consulted. These current frameworks for cybersecurity can therefore serve other companies as "idea generators" for the design of internal processes. As an "ISMS-light approach", small and medium-sized companies can be recommended to use, for example, the "VdS 3473", which usually represents a preliminary stage for a possible ISO/IEC 27001 and BSI IT-basic-protection certification.

Please see 3.1 De Jure or De Facto Standards.

The Control and Transparency Act

Pursuant to the Control and Transparency Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, KonTraG), which came into force on 27 April 1998, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company.

The Stock Corporation Act

The German Stock Corporation Act (Gesetz betreffend die Gesellschaften mit beschränkter Haftung, GmbHG) stipulates that the management board shall be personally liable if it fails to monitor developments that could pose a risk to the company in the future by means of risk management and take appropriate measures to prevent them (Section 91 (2) and Section 93 (2) of the German Stock Corporation Act). Virtually the same requirements apply in the following cases.

  • For the managing director of a GmbH, who must exercise the diligence of a prudent businessman in the affairs of the company (Section 43 paragraph 1, GmbHG); this admittedly rather ambiguous stipulation contains in legal practice very similar consequences for risk management as for executive board members according to the German Stock Corporation Act.
  • For other types of corporate entities, such as the general partnership or the limited partnership; these are in fact on an equal footing with corporations with regard to the legal obligations for IT security if they do not have a natural person as a personally liable partner (the Corporations and Co-Directives Act, (Kapitalgesellschaften- und Co- Richtlinie- Gesetz, or KapCoRiLiG")).
  • If the management or the management board – as the person responsible – does not comply with the above-described risk provisioning obligation and if the company suffers financial damage as a result, this can lead to personal liability of the members of the management board and the management, and possibly also of the members of the Supervisory Board (Section 116, AktG).
  • If the management of a company does not undertake the technical and organisational measures necessary to implement and maintain an appropriate level of IT security (eg, information security plans or programmes and business continuity plans), then in view of the expected damages, which could potentially even trigger an insolvency of the company, there is a high risk that such behaviour will result in a personal liability of the management of the company.
  • Article 33 of the GDPR provides that in the event of a breach of the protection of personal data, the controller must notify the competent supervisory authority without delay and, if possible, within 72 hours; to facilitate notification, the supervisory authorities have set up extensive input masks that can be processed online.
  • Notification may only be dispensed with if the violation "is not likely to pose a risk to the rights and freedoms of natural persons". However, when processing data on behalf of a contractor, the contractor must immediately inform the responsible party ("controller") about the data breach and support the responsible party in reporting the data breach by providing the responsible party with the information available to him (Article 28 paragraph 3 litera f, GDPR).
  • Where the breach of the protection of personal data is likely to present a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay (Article 34 paragraph 1, GDPR).
  • In the event of a data breach, each party involved must know who to contact for rapid action and the controller must know exactly what needs to be done in which case; in this regard, it is advisable to compile a crisis document and keep it up to date. This should contain:
    1. examples of possible data breaches, sorted by severity;
    2. necessary next steps, short and concise procedure;
    3. tasks of the responsible employees;
    4. contact details of the competent supervisory authority and contact person; and
    5. text modules for information to the persons concerned or necessary places.

Data Protection Officers

The GDPR establishes the concept of the data protection officer (DPO) at European level. The obligation to appoint a data protection officer affects companies according to their core activities; ie, activities that are essential for achieving the company's objectives. If these include the processing of sensitive personal data on a large scale or a form of data processing that has particularly far-reaching consequences for the rights of the data subjects, a DPO must be appointed.

There are two ways for groups and companies to fulfil their obligation to appoint a DPO. Either they appoint an employee as internal DPO or an external DPO is appointed.

The tasks of the data protection officer include:

  • ensuring compliance with all relevant data protection regulations;
  • the monitoring of certain processes, such as a data protection impact assessment; and
  • raising awareness and training of staff and co-operation with the supervisory authority.

Nevertheless, the company itself remains responsible for compliance with data protection regulations. Failure to appoint a company DPO constitutes an administrative offence subject to a fine.

As stated above, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company; this includes measures such as internal risk assessments, vulnerability scanning and penetration tests.

Privacy Impact Assessments

Furthermore, Article 35 of the GDPR introduced the instrument of a privacy impact assessment (PIA) or data protection impact assessment (DPIA). A PIA or DPIA must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The Article 29 Working Party published a list of ten criteria that indicate that the processing bears a high risk to the rights and freedoms of a natural person.

In the course of a PIA or DPIA the effects of data processing on data subjects must be evaluated and effective IT security measures established. Operators of critical infrastructures even have to implement preventative protection measures according to the "state of the art" in order to protect the critical infrastructure from a cyber-attack.

ENISA provides practical advice and solutions to the public and private sector institutions of member states and to EU institutions. Please see 2.3 Over-Arching Cybersecurity Agency for additional information.

Article 32 of the GDPR provides security requirements for the processing of personal data. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In this process they shall take into account various aspects, such as the state of the art; the costs of implementation; the nature, scope, context and purposes of processing; as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The technical and organisational measures may include pseudonymisation and encryption or regular testing, assessments and evaluations of the effectiveness of the technical and organisational measures. What constitutes an appropriate level of protection arises, inter alia, from the risks represented by the processing, in particular by destruction, loss or alteration, whether accidental or unlawful, or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

For additional information, please see 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Pursuant to Section 8 of the BSIG, operators of critical infrastructures must implement IT security in accordance with the "state of the art" and regularly demonstrate compliance with it to the BSI. They are obliged to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are essential for the functionality of the critical infrastructures they operate.

If security deficiencies are discovered, the BSI may order their elimination in agreement with the supervisory authorities. In addition, according to Section 8b of the BSIG, the BSI becomes the central reporting office for IT security of critical infrastructures. Operators must report significant faults in their IT to the BSI if such faults could have an impact on the availability of critical services. If reportable faults occur at a critical information infrastructure (KRITIS) operator, the BSI may, if necessary, also require the manufacturers of the corresponding IT products and systems to co-operate. Furthermore, according to Section 7a of the BSIG, the BSI is granted the authority to examine IT products for their security in order to perform its tasks.

For additional information, please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

In relation to the manner in which data and IT security is regulated within an IoT platform, there is no IoT platform-specific regulatory framework that has been enacted in Germany. However, the prevalent data privacy and IT security regulations cover aspects of the IoT industry and supply chain landscape. There are also certain technical regulations that that govern the same.

Legal Regulations

With regard to the collection and use of personal data, which is often done by consumer IoT devices (eg, location data), the GDPR applies, along with federal data protection rules. Depending upon the industry sector, there may be additional sector-specific rules to be adhered to (eg, telecommunications sector). Article 32(1) of the GDPR lists certain technical and organisational measures (TOMs) to be taken by the controller to protect personal data. Furthermore, and technologically upstream of the TOMs, Article 25(1) of the GDPR stipulates the principle of data protection by design. According to this principle, the data controller is obliged to take into account the protection of personal data during the development of a product. However, it must be noted that the requirements posed by the GDPR are technologically neutral and Article 32(1) only lists a few possible measures as examples. Nevertheless, the required security level is high and could result in a significant improvement in IT security to the IoT if properly implemented.

Since the introduction of the GDPR, however, there has been no noticeable improvement in IT security in the area of the IoT in practice. The enforcement of the GDPR is even more complicated with regards to the supply chain of IoT devices, since measures under the GDPR may only be directed against the controller. This means that data protection authorities cannot take action against manufacturers, suppliers, importers or sellers, even if the controller evades access by the authorities.

The German IT Security Act 2015 focuses on telecommunications and media companies, as well as service providers operating in "critical infrastructure". Such infrastructure relates to telecommunications, technology, health and water. Any such market player is obliged to take effective measures in order to prevent IT security issues.

Art. 1(1) of the EU Cybersecurity Act (Act) defines a framework for the establishment of a European cybersecurity certification for ICT products, ICT services and ICT processes. The Act could be applicable to IoT devices if they represent ICT products. However, it must be noted that the Act does not impose any binding requirements on the IT security of IoT devices in general. Instead, Articles 46 et seq of the Act provides only a voluntary certification framework, which does not create any obligations for the manufacturers to carry out certification or even third-party scrutiny procedures.

Technical Regulation

Since 1994, the BSI, has published an annual catalogue detailing over 1,600 best practices and recommendations on how to secure IT infrastructure (the Grundschutz Catalogue). Upon demonstrating compliance with the Grundschutz Catalogue, organisations may obtain certification under BSI Standards 200-1 to 200-3. One of the chapters relates explicitly to IoT devices. Even though they are not legally binding, the Grundschutz Catalogue recommendations have gained considerable relevance since a number of statutory provisions refer to the Catalogue's content and thresholds.

In May 2019, the German Institute of Standardisation published a new standard called Information Technology – IoT capable devices – Minimum Requirements for Information Security (ie, the DIN SPEC 27072). It provides for the requirements to change the standard password after initial use, authentication requirements, establishment of dedicated update mechanisms, etc. However, the scope of DIN SPEC 27072 is limited to IT security in relation to consumer IoT devices.

The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The BSIG uses the word “malfunction” or “disruption” rather than data breach or incident. Relevant is a malfunction to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes that (can) lead to a malfunction or significant impairment of the functionality of the critical infrastructures.

Any data that is personal data according to Article 4 No 1 of the GDPR is covered.

All systems that are used to process personal data are covered.

Pursuant to EU Regulation 2017/745, medical devices are subject to cybersecurity requirements when they include software components. However, in the wake of the COVID-19 pandemic, the entry into force of the regulation has been postponed to 26 May 2021.

There are no special or additional legal requirements concerning industrial control systems. However, whenever there is processing of personal data, the GDPR is applicable.

There are no special or additional legal requirements concerning the internet of things. However, whenever there is processing of personal data, the GDPR is applicable.

ENISA has published a list of good practices with respect to security of the internet of things in the context of smart manufacturing and developed an interactive web-based online tool aimed at guiding IoT operators and smart infrastructure firms when conducting risk assessments.

Article 33 of the GDPR provides that in the event of a breach of the protection of personal data, the controller must notify the competent supervisory authority without delay and, if possible, within 72 hours. To facilitate notification, the supervisory authorities have set up extensive input masks that can be processed online.

Notification may only be dispensed with if the violation "is not likely to pose a risk to the rights and freedoms of natural persons". However, when processing data on behalf of a contractor, the contractor must immediately inform the responsible party ("controller") about the data breach and support the responsible party in reporting the data breach by providing the responsible party with the information available to them (Article 28 paragraph 3 litera f, GDPR).

Where the breach of the protection of personal data is likely to present a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay (Article 34 paragraph 1, GDPR).

Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the BSI any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.

The body of the independent federal and state data protection authorities (Datenschutzkonferenz, or DSK) has published a short paper that serves as a first orientation (especially for the private sector) to the manner in which to conduct a risk assessment. According to this, the risk assessment should be done in the following phases.

Risk Identification

In order to identify data protection risks, the following questions can be used as a starting point.

  • What damage can be caused to natural persons on the basis of the data being processed?
  • What causes the damage; ie, what events can cause it?
  • What actions and circumstances can cause these events to occur?

Estimation of the Probability of Occurrence and Severity of Possible Damage

The probability of occurrence and severity are estimated for each potential loss. In general, they cannot be mathematically summarised or calculated. One way of measuring a risk is to show a gradation of the severity and probability of occurrence of a possible loss on a scale, with four values: slight/low, manageable, substantial and big/high.

Allocation to Risk Grades

Once the probability of occurrence and the severity of possible losses have been determined, they must be assigned to the risk categories "low risk", "risk" and "high risk". If the potential damage is large and the probability of occurrence is high, there is a high risk. If, on the other hand, the possible damage is small and the probability of occurrence low, there is a low risk.

Sector-Specific Risk Management

Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the Federal Office for Information Security any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. However, a notification is not required if the disturbance does not and/or cannot lead to a significant impairment of the operability of the operated critical system.

According to the minimum requirements for risk management in banks and financial service providers (MaRisk) issued by BaFin, the following risks are to be classified as material:

  • counterparty default risks (including country risks);
  • market price risks;
  • liquidity risks; and
  • operational risks.

The institution must set up appropriate risk management and risk controlling processes that ensure the identification, assessment, management, monitoring and communication of the main risks and associated risk concentrations.

GDPR Considerations

Furthermore, GDPR Recitals 75 and 76 require that when assessing risk, consideration should be given to both, the likelihood and severity of the risk to the rights and freedoms of data subjects. It further states that risk should be evaluated on the basis of objective assessment. Article 29 of the Working Party Guidelines recommend that controllers consider the following specific criteria when assessing the risk of harm:

  • type of breach;
  • nature, sensitivity, and volume of personal data;
  • ease of identification of individuals;
  • special characteristics of individual (ie, children, vulnerable individuals, etc); and
  • number of affected individuals.

Lastly, ENISA has produced recommendations for assessing the severity of a potential breach.

The BSI recommends the following basic measures for cybersecurity:

  • determination of the threat level of an institution's own infrastructure and the transparency of the institution towards attackers;
  • identification and protection of all network transitions;
  • effective prevention of infection with malicious programs;
  • inventory of the IT systems and testing for security controllability;
  • avoidance of open security gaps on IT systems;
  • interaction with the internet only via secure components;
  • central collection and evaluation of log data;
  • providing your own organisation with all necessary information;
  • the organisation is prepared for the management of security incidents;
  • authentication mechanisms to prevent misuse by third parties;
  • sufficient internal resources are available, external service providers are integrated;
  • qualify and sensitise own personnel in questions of cybersecurity;
  • enforcement of user-oriented segregation measures;
  • the organisation and its members move safely in social networks;
  • in the case of higher protection requirements, confidentiality, availability and integrity are ensured by effective measures and penetration tests are carried out; and
  • supporting protective measures are taken to defend against targeted attacks.

Any conflict or issue with cybersecurity will most likely involve personal data. In that case, the GDPR and the BDSG will be applicable.

This underlines the strong connection between cybersecurity, privacy and data protection.

Under Article 33 of the GDPR, in the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory data protection authority.

This includes information about:

  • the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the controller to address the personal data breach.

Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the BIS any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.

The notification shall contain information on the failure, on possible cross-border effects and on the technical conditions, in particular the presumed or actual cause, the information technology affected, the type of facility or installation affected, the critical service provided and the impact of the failure on that service.

The BSI founded the Alliance for Cybersecurity in order to strengthen Germany's resistance to cyber-attacks.

Participants in the Alliance for Cybersecurity will have access to an extended range of services, in particular information on the cybersecurity situation, alerts and further background information. Due to the partially confidential nature of this information, the sharing of this content must be restricted and is subject to restrictions under the Traffic Light Protocol (TLP).

Currently, 4,178 companies and institutions are members of the initiative – and more are joining every day.

IT service and consulting companies and IT manufacturers are equally represented in the network as user companies of all sizes and from all sectors. This diversity is an important guarantee for a rich exchange of IT expertise and application experience, from which all participants benefit.

The web-based online service Knuddels, which essentially offers a chat service for people aged 14 and over, was fined EUR20,000 because the user passwords were stored without encryption. The website was hacked, which is why the infringement was discovered. Knuddels therefore co-operated with the supervisory authority, which is an important factor in the fine remaining modest.

The highest fine imposed by German data protection authorities is EUR14.6 million. The real estate company Deutsche Wohnen SE stored personal data of its tenants without checking whether this was lawful and necessary. Despite a previous request in 2017 to remedy the deficiencies in data protection, no improvement was achieved. Deutsche Wohnen SE has announced that it will take action against the fine.

The Berlin-based company Delivery Hero was fined almost EUR200,000 for not deleting customer data records and for sending illegal advertising emails.

These fines are all based upon violations of the GDPR. As yet, the BSI has not exercised the right to impose a fine for violations of the BSIG.

Please see 8.1 Regulatory Enforcement or Litigation.

The applicable legal standards are provided by the GDPR, the BDSG, the TKG, the BSIG, the EnWG and the EU Cybersecurity Act.

There are no known major private enforcement cases yet.

In Germany, class actions are generally not permitted, as German law does not allow for group actions. In general, each plaintiff must present and prove their individual affectedness, individual damage and the causal link between the two.

The Model Declaratory Action

However, in 2018, the model declaratory action was introduced. This enables claims of a large number of consumers who have suffered similar damage to be efficiently enforced. Registered consumer protection associations have the option to establish factual and legal prerequisites for the existence or non-existence of claims or legal relationships determined in favour of at least ten affected consumers. The model declaratory action is conducted exclusively between the plaintiff, the consumer protection association and the defendant. The affected consumers can register their claims in a register of actions and thus achieve the suspension of the limitation period of their possible claims. The ruling on the model declaratory action has a binding impact on the subsequent actions of the consumers. It is to be expected that this instrument will be used for damage claims according to Article 82 of the GDPR. So far this has not been the case, though.

A few model declaratory actions have been brought in Germany since 2018. It seems that German courts are carefully considering whether or not those bringing the claims fulfil the requirements of a "qualified institution". Where the courts are not satisfied that the claimant associations pursue the rights of consumers, but instead forward their own financial interests, the action is terminated.

The Volkswagen model declaratory action revealed that it took the courts almost one year to hold the first oral hearing. This was because claimants actively encouraged individuals to de-register and pursue their claims individually. The reason behind this is that consumers are often under the impression that stand-alone claims will arrive at a quicker solution. In cases of less complexity, judgments can be expected fairly quickly.

The GDPR provides for draconian penalties for violations. For this reason and because of the reputational and business risks involved, cybersecurity has become a crucial component of due diligence in the mergers and acquisitions sector. The due diligence process shall at least encompass an analysis of the applicable legal requirements regarding cybersecurity, an analysis of cybersecurity practices and, where appropriate, questions to the management department. Share purchase agreements may include guarantees or safeguards of cybersecurity policies and practices, where appropriate.

There is no regulation requiring disclosure for cybersecurity risk profile or experience.

All significant issues have already been addressed.

Heuking Kühn Lüer Wojtek

Prinzregentenstraße 48
80538 Munich

+49 89 540 31 160

+49 89 540 31 540

t.jansen@heuking.de www.heuking.de
Author Business Card

Law and Practice in Germany

Authors



Heuking Kühn Lüer Wojtek is one of Germany’s major commercial law firms, with more than 400 lawyers in nine offices across Germany and in Zurich offering service at the highest level. The lawyers in the firms' data protection, privacy and cybersecurity group are leaders in their fields and help clients develop global privacy and data security strategies for today’s digital economy. They advise clients on, inter alia, data processing agreements, international data flows within groups of companies and binding corporate rules; development of compliance programmes (including GDPR compliance); technology-related data usages; the setting up and operation of customer relationship management, personnel or other databases involving personal identifiable information; as well as the setting up of whistle-blowing and other reporting schemes. Furthermore, they represent clients before administrative authorities and in legal disputes related to (alleged) data protection and data security breaches.