The (new) draft IT Security Act

At the beginning of November, the German Federal Ministry of the Interior published a new draft IT Security Act. Even though the legislation is not expected to be enacted until mid 2015, it is worthwhile to take a look at the draft due to its multifarious effects. The changes affect, inter alia, the Act Governing the Federal Office for Security in Information Technology (BSIG), the Telemedia Act (TMG) and the Telecommunications Act (TKG).

A relatively rough draft of an IT Security Act dated 5 March 2013 proposed by the Federal Ministry of the Interior was followed by the Bundestag elections, a coalition agreement (which uses the term “IT security” nine times and devotes a whole section to cyber-criminality) and another draft IT Security Act dated 18 August 2014, which was again updated on 4 November 2014, and adjusted to reflect European developments. The latter is almost twice as long as its predecessor, but just as vague in important places, so that there is a significant amount of leeway for interpretation left to companies – which should be utilized.

The TMG now also contains an obligation to utilize the “state of the art”

TKG service providers are already required to maintain telecommunications secrecy and provide appropriate state-of-the-art protection for their users’ data (Sec. 109 (1) TKG). It is not a big jump to also apply the “state of the art” requirement to the additional security obligations incumbent upon an operator of a public telecommunications network. However, the fact that providers of fee-based telemedia are now required to provide security measures that “take account of the state of the art” may surprise some providers of apps and websites. In any case, it is now clear that any company that does too little in terms of providing cybersecurity for its telemedia services is more likely to face a charge of negligence in the event of a data breach. In any case, every commercial app operator, no matter how small, is instructed to take the state of the art into account. However, the legislators have provided no guidance to telemedia providers on the crucial question of precisely what the “state of the art” for apps and websites is. But before smaller TMG providers rush to make excessively large investments in security technology, it is worthwhile to take a look at the rationale for the draft Act. The draft Act states that questions of proportionality can also be taken into account. Therefore, the security technology and organizational measures that must be employed should be carefully weighed on a case-by-case basis.

Reporting requirements for operators of critical infrastructure

A key point of the IT Security Act is a requirement for operators of critical infrastructure to report IT security incidents that occur. Companies should be aware that legislators do not limit “critical infrastructure” just to nuclear power plants and the German railway network. The scope of “critical infrastructure” is to be defined in greater detail in a separate regulation. However, the draft Act already identifies the following industries: energy, information technology and telecommunications, traffic and transportation, healthcare, water, and food as well as the finance and insurance industries. Based on this list, one can assume that the term “critical infrastructure” will have a tendency to be broadly interpreted.

The flood of reports

Under the new Sec. 8b (4) Federal Office for Information Security Act (BSIG), the operators of critical infrastructure must report to the Federal Office for Information Security (BSI) any “significant disruptions” of their systems that “could” result in a “failure” or “impairment” of the critical infrastructure they operate. The reporting requirement is triggered when an impairment of IT could lead to a potential impairment of infrastructure. Consequently, the mere potential for impairment is sufficient. This goes very far, particularly if you consider how many cyber-attacks take place daily. Deutsche Telekom recently referred to up to 450,000 cyber-attacks per day occurring at the present time. It is true that the most recent draft replaces the term “impairments” of IT systems with the definitional element “significant disruption”, but the explanatory memorandum waters down this seemingly high threshold by indicating that known gaps in security (which are commonly found in standard software) and attacks that are only attempted must be reported. Therefore, it is still unclear whether, for example, it will be necessary in the future to examine the firewall log files for “thwarted” attempted attacks and send the results to the BSI. When one considers that the report to the BSI must contain information about technical circumstances, including the information technology used and affected, one wonders how the BSI will process all these reports.

Current “to do’s”

To calm themselves down, companies should at this point realize the following facts: First, the definition of the reporting requirement contains a series of ambiguous terms, which companies can interpret in their own favour. Second, the draft IT Security Act does not contain any sanctions for failure to report impairments. Moreover, reports can be made anonymously or under a pseudonym. On the other hand, government authorities are authorized to order the elimination of security defects. Therefore, large companies should begin preparing appropriate compliance guidelines for dealing with and documenting “impairments” to avoid being surprised by the implementation of the IT Security Act at a later date.

Several bodies must be notified of any theft of sensitive data

Things get particularly interesting when an infrastructure operator, such as a bank or energy utility, loses sensitive customer data in a cyber-attack. Then, in addition to a report to the BSI, under Sec. 42a BDSG, reports must also be made to the data protection supervisory authorities and the data subjects. Companies listed on the stock exchange must also consider whether there is an obligation to make an ad-hoc disclosure under capital market laws. We can only hope that the issuance of the so-called NIS Directive will not add another reporting office at the European level.

NIS Directive

As a background to the debate on the draft IT Security Act, it should be remembered that the draft Directive to Ensure a High Common Level of Network and Information Security in the EU, the so-called NIS Directive, is progressing at the European level. The Commission’s draft of 7 February 2013 was accepted by the EU Parliament in amended form on 13 March 2014. In parts, this Directive is identical in subject matter with the IT Security Act. The Directive also codifies reporting requirements for operators of critical infrastructure. The first draft also identified operators of e-commerce platforms, social networks, cloud-computing services and application stores as operators of critical infrastructure. This alone shows how little national and European regulatory efforts are being coordinated with each other. Appendix II to the draft directive, which listed the last named examples of critical infrastructure, was deleted in the version accepted by the Parliament. However, it would be naive to assume that Europe will follow the German IT Security Act. Rather, it is to be feared that the NIS Directive will rapidly make the IT Security Act, which is likely to be passed some time in 2015, obsolescent in many small divergent instances.

Conclusion

The current version of the IT Security Act leaves a great deal of leeway for interpretation. What the state of the art is, when a security measure for a telemedia service provider is proportional and when a significant disruption of IT can interfere with critical infrastructure will not be clear even when the Act is passed. Companies must now carefully consider numerous questions. Appropriate processes and compliance guidelines should be implemented before the legislation takes effect.