T 0.29 Violation of Laws or Regulations
If the information, business processes and IT systems of an institution are insufficiently safeguarded (for example, because of inadequate security management), this can lead to violations of laws relating to information processing or of existing contracts with business partners. Which laws must be observed depends on the type of institution and on its business processes and services. Depending on where the sites of an institution are located, a number of national regulations may also have to be observed. The following examples illustrate this:
- The handling of personal data in Germany is governed by a variety of regulations. These include the Federal Data Protection Act, the state data protection laws and a variety of sector-specific regulations. If personal data (e.g. medical records) is transmitted unprotected over public networks during communication between two business divisions, this can, under certain circumstances, lead to legal consequences.
- The management of a company is obliged to take all reasonable care in its business processes. This includes compliance with recognised security measures. In Germany, various laws apply, such as the Act for Corporate Control and Transparency (KonTraG - Gesetz zur Kontrolle und Transparenz im Unternehmensbereich), the Law on Limited Liability Companies (GmbHG - Gesetz betreffend die Gesellschaften mit beschränkter Haftung) and the Stock Corporation Act (AktG - Aktiengesetz), from which corresponding obligations and liabilities of the management or the board of a company with regard to risk management and information security can be derived.
- Proper processing of payment-relevant information is governed by various laws and regulations. In Germany these include, among others, the Commercial Code (HGB - Handelsgesetzbuch, e.g. §§ 238 et seq.) and the Tax Code (AO - Abgabenordnung). Proper processing of information naturally implies its secure processing. In many countries both must be proven regularly, for example by auditors as part of the audit of the annual accounts. If serious security deficiencies are identified, a positive audit report will not be issued.
- In many industries (e.g. the automotive industry), it is common for manufacturers to commit their suppliers to meeting certain quality and safety standards. Similarly, more and more requirements are being placed on information security. If a contractor violates contractually regulated security requirements, this can result in penalties and even termination of contracts, up to and including the loss of the business relationship.
Few security requirements arise directly from laws. However, legislation generally takes the state of the art in technology as the common basis for assessing what level of security is achievable. If the security measures in place at an institution are not in a healthy balance with the sensitivity of its information and the current state of technology, this can have serious consequences.