This article was first published by ITK SECURITY.
Last updated 1 year ago by Patrick Ruppelt
IT Security Act?
The IT Security Act does not exist
Why many companies do not deal with the topic of data protection is not as difficult to understand as it might seem at first glance. One has to laboriously dig through various legal texts and instructions before - with luck - coming to a conclusion.
This brief white paper does not claim to be exhaustive, nor does it aim to provide the reader with profound technical insights or even analyse new legal precedents. Rather, it is intended to present in a readable form which guidelines can be authoritative and what conclusions you as an entrepreneur may draw from them. And you should.
We will be happy to send you the complete white paper free of charge on request.
If you take a rough look at the legal framework, you will quickly realise that the IT Security Act does not in fact exist. Therefore, we derive corresponding regulations from other areas of jurisprudence or refer to individual regulations that appear in the context of broader topics. First of all, we would like to mention the Law on Control and Transparency in Business (KonTraG), the Federal Data Protection Act (BDSG) as well as the Stock Corporation and Limited Liability Company Acts (AktG and GmbHG). There is no need to discuss the legal consequences of violating one's own duties at this point: Fines and imprisonment are not unusual.
It is worth mentioning at this point that the Civil Code (BGB) can also gain relevance, for example, when it comes to contributory negligence within the meaning of Section 254 BGB.
IT security
...and who is liable?
In accordance with the BSI Basic Protection
IT security deals with the question of what must be guaranteed in order to maintain business processes and avert damage. This includes in particular questions about
- the constant availability,
- the confidentiality and
- the integrity
of data. The reasons for this are manifold. The primary protection of corporate data can have legal, economic or financial backgrounds.
There are clear regulations for special types of companies such as public limited companies. Now, however, the managing director of a GmbH also has to "exercise the care of a prudent businessman" (§ 43 para. 1 GmbHG). And current case law does the rest. The bottom line: the entrepreneur is liable for all damages that could have been prevented by introducing a data security concept.
Caution also on the supplier side: IT service providers are similarly liable if they offer "backup" as a service and fail to carry out maintenance and control.
And that means that securing is voluntary?
And whoever doesn't: is acting illegally?
From business deal, fallacy and the end of fun.
In the end, it is a question of liability, a question of proof, of evidence. The merchant, as well as the entrepreneur in general, must ensure that they can fulfil all their obligations at all times.
The crux of the matter is precisely this: there is no law that would say that data must be kept in the form of a "legally authorised data backup". However, there is an obligation - or in some cases simply a necessity - to keep data on hand. There are a number of cases in which this is not easily possible; in short, we call them technical, human or organisational failure. According to the prevailing case law, it must be assumed that the entrepreneur himself is responsible for the legally required - but not prescribed - backup of his data, so to speak.
Some examples to illustrate this: As is well known, the tax office sets deadlines that must be met. If it is not possible to provide prepared figures due to a technical failure, the office may quite legitimately make an estimate. The entrepreneur is liable. A similar threat arises if no counter-evidence can be presented to consumer protection agencies or other plaintiffs.
Basel II is becoming increasingly important in times of financially tense conditions. For the assessment of a company's creditworthiness, Basel II implicitly establishes responsible information technology as a criterion. This is intended to increase investment security for lenders and investors and in turn places responsibility in the hands of the company. Corporate auditors take the same approach. An auditor such as KPMG, for example, will hardly give a positive rating to a company that does not use backup and archiving solutions.
Last but not least, even the Higher Regional Court of Hamm stated as early as 2003: "Data backup is a matter of course in companies".
Backup is not archiving
WORM, magneto-optics & Co.
What revision security is really all about.
Whereas a data backup has to prevent data loss, with fast recovery in the interest of business continuity in the foreground, a commonly neglected distinction from the archiving of data has to be made.
Archiving has a more long-term character. The motivation is basically the same as for data backup: be it tax authorities, other economic partners or legal bodies. All long-term documents and data must be stored for many years in a way that is complete, investigable and tamper-proof. This can go as far as the company's entire e-mail traffic, depending on the type of business activity.
Whereas there are hardly any legally binding, genuine regulations on how data backups are to be carried out, there are some guidelines for archiving. In particular, the BSI lists insufficient ordering criteria for archives as a threat in G 2.74 of the IT-Grundschutz. The focus is on uniqueness and auditability. In terms of archiving data, it can therefore be stated that the requirements for the electronic archive can directly influence the choice of storage media and that, for example - in contrast to data backup - a cloud solution in the sense of archiving on network storage does not meet the requirements of the legislator. Framework contracts and special agreements are of no help here. Hard disks are not audit-proof, because it cannot be guaranteed that the archived data will not be changed afterwards.
Among other things, so-called WORM storage, which is used for example in current tape drives with LTO5 media, is considered to be audit-proof. Magneto-optical systems can also be audit-proof. Hard disks are not.
Back up and archive
in practice - simple and safe
How the status quo is maintained.
The highest management level must therefore specify the management of information security; this includes data protection and archiving in equal measure. The central questions here are: How can risks be reduced, which risks can be transferred and which risks can be accepted?
According to BSI module B 1.4, a data backup concept must be adopted in the first place. A minimum data backup concept first describes which software, which system and application data and which log data must be backed up. Even with special backup software and appropriate backup media, a holistic backup can only take place if appropriate control, care and maintenance are carried out. This can be done either by the in-house IT department or by an external service provider. In any case, the company's data protection officer must be involved; even when backing up files, it must not be forgotten that this can also involve sensitive data whose confidentiality is just as worthy of protection as that of the original data.
The backup medium is selected according to the criteria mentioned above. To put it clearly: decentralised hard disk storage can be sufficient, as can a cloud solution, provided the corresponding framework conditions are (or can be) fixed in writing.
If company data must also be archived - which is likely to be the case for most companies - one must go a step further. Here, it is basically up for debate whether to implement appropriate technical devices or to resort to a service provider who offers this as a pure service and is able, via decentralised management systems, to provide the company with revision-proof copies in accordance with the archiving plan that is to be defined anyway, preferably on a commonly readable system such as LTO tapes.
In any case, care should be taken to ensure that the company has the possibility to access its data inventory immediately at any time. In the case of a backup, the recovery time must be kept short; in the case of archiving, the focus is on the authenticity, integrity and auditability of the copies made.
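As an added example (not code from the white paper or from ITK SECURITY) of what the integrity and auditability of archived copies look like in practice, and of the point above that a rewritable hard disk cannot guarantee a copy is left unchanged: a SHA-256 manifest is taken when the archive is written and re-checked later, revealing modified, removed or added copies. All function names and the sample files are this example's own assumptions.

```python
# Added example, not code from the white paper: tamper-evidence check for archived
# copies. A SHA-256 manifest taken at archiving time is re-checked later; keep its
# fingerprint on WORM media or in a separate log, as rewritable media can't protect it.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in chunks so large archive copies need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(archive_dir: Path) -> dict:
    """One hash per archived file plus a single fingerprint over all of them."""
    files = {str(p.relative_to(archive_dir)): sha256_file(p)
             for p in sorted(archive_dir.rglob("*")) if p.is_file()}
    chain = hashlib.sha256()
    for name in sorted(files):  # deterministic order: same archive -> same fingerprint
        chain.update(f"{name}:{files[name]}\n".encode())
    return {"files": files, "fingerprint": chain.hexdigest()}

def verify_manifest(archive_dir: Path, manifest: dict) -> list:
    """Audit findings for the archive; an empty list means the copies match."""
    current = build_manifest(archive_dir)["files"]
    expected = manifest["files"]
    findings = []
    for name in sorted(set(expected) | set(current)):
        if name not in current:
            findings.append(f"missing: {name}")
        elif name not in expected:
            findings.append(f"added after archiving: {name}")
        elif current[name] != expected[name]:
            findings.append(f"modified after archiving: {name}")
    return findings

def demo() -> tuple:
    """Constructed sample archive: a clean check, then a silent later edit on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp)
        (archive / "invoice-2023-001.pdf").write_bytes(b"constructed invoice content")
        (archive / "mail-2023-03.mbox").write_bytes(b"constructed mailbox export")
        manifest = build_manifest(archive)
        clean = verify_manifest(archive, manifest)
        # What a hard disk cannot prevent: the archived copy is altered afterwards.
        (archive / "invoice-2023-001.pdf").write_bytes(b"constructed invoice, amended")
        (archive / "mail-2023-03.mbox").unlink()
        return clean, verify_manifest(archive, manifest)
```

The check only makes tampering visible; preventing it is what the WORM or magneto-optical media discussed above are for.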
Outsourcing and cloud offer new possibilities, but in the end it remains a question of trust.