T 2.105 Violation of statutory regulations and contractual agreements
If the information, business processes, and IT systems of an institution are inadequately protected (for example, as a result of inadequate security management), this can result in violations of regulations governing information processing or of existing contracts with business partners. Which laws apply depends on the type of institution and/or its business processes and services. Depending on the locations of the institution, various national regulations may also need to be followed. This is illustrated by the following examples:
- In Germany, the handling of personal data is governed by a large number of regulations. These include the Federal Data Protection Act and the state data protection laws, but also many industry-specific regulations. If personal data (e.g. confidential patient data) are transmitted over public networks without any protection during communication between two business units, this can lead to legal consequences under certain circumstances.
- The management of a company is obliged to exercise due care for all business processes. This includes taking recognised security safeguards into account. In Germany, various legal regulations such as KonTraG (Control and Transparency in Business Act), GmbHG (Limited Liability Companies Act) or AktG (Public Companies Act) are in force, from which obligations to act and liabilities of the management and/or the board of directors of a company regarding risk management and information security can be derived.
- The proper processing of accounting-relevant (bookkeeping) data is regulated by various laws and regulations. In Germany, these include, among others, the Commercial Code (e.g. §§ 238 ff.) and the General Tax Code (AO). Proper processing of information naturally includes its secure processing. In many countries, both must be proven on a regular basis, for example by external auditors within the scope of the audit of the financial statements. If this audit reveals major security deficiencies, a positive audit report cannot be issued.
- In many industries (e.g. the automotive industry) it is common practice for manufacturers to require their suppliers to comply with certain quality and safety standards. In this context, requirements regarding information security are increasingly specified as well. If a contract partner fails to meet contractually agreed security requirements, this can result in contractual penalties, but also in contract terminations or even the loss of business relationships.
Only a few security requirements arise directly from laws. In general, however, the law takes the state of the art as the basis for assessing the degree of security that can be achieved. If the existing security safeguards of an institution are not commensurate with the values to be protected and with the state of the art, this may have serious consequences.