Author: Alexander Duisberg
This White Paper summarizes the most significant legal consequences triggered by data security leakages which result in personal data or confidential business data being disclosed to either third parties or the public. In this context, the term "data security leakages" covers external interventions as well as "leakages" within a company which remain undetected or are even caused by employees and which can typically be traced back to insufficient security measures.
In the past, the catchwords "security breach", "data leakage" and "notification requirements" have mainly been discussed in relation to notification requirements under US law and to their possible impact on European companies.
Due to a recent change in the law, however, data leakages may also trigger certain notification requirements under German data protection laws. With effect of September 1, 2009, the German Data Protection Act (Bundesdatenschutzgesetz, "BDSG") obliges companies experiencing a data security leakage which affects specific types of personal data to comprehensively inform both the competent data protection authority and the individual persons whose data are concerned. At an EU level, certain notification requirements in cases of data security leakages have recently been introduced as part of a revision of the existing Directive on privacy and electronic communications (2002/58/EC).
In addition, data security leakages may entail further legal consequences, such as management liability or loss of know-how protection under competition law for the unintentional disclosure of business or trade secrets. Furthermore, contractual consequences arising from violations of non-disclosure agreements may become an issue. In summary, it is evident that the legal requirements in relation to data security continue to increase, both in the field of the actual management and handling of data security leakages as well as in relation to their prevention. As a result, every company will have to review and – where required – improve its data security provisions and processes.
1. Obligation to inform pursuant to Section 42 lit. a of the BDSG
1.1 Subject of the provision
The new Section 42 lit. a of the BDSG came into effect on September 1, 2009, obliging companies who suffer a data security leakage ("security leakage") in relation to certain types of data to inform both the competent data protection authority and the individual persons whose data are affected.
(a) Requirements for the obligation to inform
Pursuant to the legal wording, the obligation to inform arises where specific categories of personal data have been unlawfully disclosed or otherwise made available to any third party and there is a risk that the protected rights and interests of the affected individuals ("affected individuals") are seriously impaired by such disclosure. The obligation to inform applies where personal data of at least one of the following categories is affected by a security leakage:
It remains to be seen which level of relevance the undefined statutory requirement of an imminent "severe impairment of the affected individuals' rights and/or interests" will obtain in legal practice. According to the Federal Government's preamble to the new law, the obligation to inform shall ultimately depend on the category of the affected data and the potential effects of an unlawful disclosure to third parties (e.g. material damages in connection with credit card information or social disadvantages including identity fraud). Yet from the Federal Council's (Bundesrat) point of view, which was not followed by the Federal Government, any kind of security leakage affecting personal data of one of the aforementioned categories generally and per se constitutes a risk of misuse to the disadvantage of the affected individual. For that reason, the Federal Council held that no additional, positive identification of an imminent impairment should be required.
Given the undefined legal term of an "imminent severe impairment of rights and/or interest", a certain degree of legal uncertainty seems inevitable – at least in the initial stages of the new law's application. Therefore, all companies storing personal data of at least one of the aforementioned categories should, in case of a security leakage affecting (also) these data, from now on assess – taking all objective circumstances known into account – whether the affected individuals' rights and/or interests are severely impaired by the security leakage. Until there are first precedents available regarding the application of Section 42 lit. a of the BDSG by the data protection authorities, companies should, in case of doubt, assume that the requirements of an imminent severe impairment of rights and/or interests are rather low.
Companies should therefore envisage that, where in doubt, any event leading to the transmission and/or disclosure of such types of personal data will entail an obligation to inform pursuant to Section 42 lit. a of the BDSG.
(b) Scope and content of the obligation to inform
The obligation to inform applies towards both the competent data protection authority and each individual person whose data is affected by the security leakage. The notification has to be effected without undue delay, i.e. as soon as the company obtains knowledge of the security leakage.
In contrast to the notification of the competent data protection authority, however, the notification of the affected individuals may be deferred until "reasonable measures to secure the data" have been taken (or could have been taken), and a notification of the affected individuals no longer jeopardizes criminal proceedings against the alleged offender. In this regard, Section 42 lit. a of the BDSG reflects the principle of "responsible disclosure", according to which the detection of a software security vulnerability shall only be publicised after the manufacturer has had the opportunity to repair it as well as to inform other customers.
The required content of the notification depends upon its recipient. The notification of the affected individuals has to state the type of unlawful disclosure as well as to recommend measures in order to avoid or mitigate the possible negative effects in a comprehensive manner. In relation to the data protection authority, the company responsible for the leakage must also describe the possible negative effects of the unlawful disclosure as well as the mitigating measures it has taken.
If a personal notification of all affected individuals would require unreasonable efforts, in particular due to the large number of affected individuals, the company responsible is not required to communicate the data leakage by individual notifications. Rather, the company responsible may fulfil its obligation to inform by way of a public notice covering at least half a page in at least two national daily newspapers. Alternatively, the company may publicise the security leakage by any other measure equally suitable to inform the affected individuals. It is to be determined in each individual case which type of measure is "equally suitable".
(c) Legal consequences of a violation of the obligation to inform
If a company violates Section 42 lit. a of the BDSG either by failing to make the required notification or by making it incorrectly, incompletely or with delay, administrative fines of up to EUR 300,000 may be imposed (cf. Section 43 para. 2 number 7 as well as para. 3 of the BDSG). As a rule, the amount of the imposed administrative fine shall exceed the financial advantage the company gained from violating its obligation to inform. Where an administrative fine of EUR 300,000 would not serve this purpose, even higher fines may be imposed (cf. Section 43 para. 3 sentence 3 of the BDSG). In addition to regulatory measures, a company violating Section 42 lit. a of the BDSG may also face claims for damages by the affected individuals.
1.2 Practical relevance
The amendments to the BDSG described above are of the highest practical relevance as they affect almost every company. There are few if any companies which neither in their operative business (e.g. bank or credit card information of customers) nor in their HR department (e.g. data relating to health or religious beliefs of employees) collect, store and/or process personal data of at least one of the aforementioned categories. Each time a security leakage arises, the company concerned should therefore check if and when it is obliged to notify the competent data protection authority and the affected individuals, as well as ensure compliance with the legal requirements in relation to the content and form of the notification. Given the increasing public attention in relation to data leakages, the data protection authorities are expected to thoroughly apply and enforce these new provisions.
Furthermore, the issue of security leakages should also be addressed when drafting data processing agreements. Despite the unclear wording of Section 42 lit. a of the BDSG, there is most likely no direct obligation to inform on the part of the data processor. In any event, the data processor should be contractually obliged to inform the data controller without undue delay of any security leakages possibly affecting the data controller's data and to provide all required assistance to the data controller in complying with its obligations to inform the affected individuals.
2. Technical and organizational security measures pursuant to Section 9 of the BDSG
2.1 Subject of the provision
Pursuant to Section 9 of the BDSG, companies and other entities which collect, process or use personal data are obliged to take all technical and organizational measures required in order to ensure compliance with the provisions of the BDSG. The data security requirements of the BDSG are set out in an Annex to Section 9 sentence 1 of the BDSG, according to which the different aspects of data security comprise a suitable entry control, admission control, access control, transfer control, input control, job control and availability control, depending on the circumstances. Pursuant to Section 9 sentence 2 of the BDSG, specific measures are only required if the effort involved is reasonable in relation to the desired protection purpose. In this context, the effort which can reasonably be expected from a company increases proportionately to the level of sensitivity of the personal data to be secured. This applies in particular to the protection of personal data against any kind of disclosure to third parties and thus for the aspects of entry, admission, access and transfer control.
2.2 Interaction with codetermination rights
When implementing technical security measures, companies may need to consider codetermination rights of the works council pursuant to Section 87 para. 1 number 6 of the German Works Constitution Act (Betriebsverfassungsgesetz, "BetrVG"). Under this provision, the works council has a codetermination right with regard to the implementation and use of technical devices designated for monitoring the conduct or performance of employees. According to legal practice, a technical device is already "designated" for monitoring if its use for such a purpose is technically possible. This is the case if a technical device processes data relating to the performance and/or conduct of employees in such a manner that the performance and/or conduct can be evaluated. In this context, it is irrelevant whether the employer actually wishes to facilitate such an evaluation and whether he subsequently uses this function or not.
Whether a technical measure to protect personal data meets this legal prerequisite must ultimately be determined on a case-by-case basis. For example, codetermination rights might apply where a camera or a system using biometric fingerprints is installed in order to monitor the access to a server room in which personal data is stored, or where software programmes suitable to monitor the conduct of individual employees are implemented for the purpose of transfer control. This is especially valid where such a transfer control is connected to the e-mail outboxes of employees and the employer at least tolerates the private use of business email accounts.
2.3 Legal consequences of a violation
A violation of Section 9 of the BDSG does not per se trigger an administrative fine under Section 43 of the BDSG. However, the competent data protection authority may audit, order and ultimately enforce, subject to penalty payments, the implementation of the measures required under Section 9 of the BDSG.
In addition, a failure to implement appropriate technical and organisational security measures may ultimately trigger notification requirements under Section 42 lit. a of the BDSG if it leads to a security leakage resulting in unauthorized access to or disclosure of the personal data of any of the categories stated in paragraph 1.1(a) above.
3. Directors' and officers' liability
The German Corporate Sector Supervision and Transparency Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, "KonTraG") of 1998 obliges the boards of directors of public limited companies and the executive boards of large and medium-sized incorporated companies to introduce a functioning IT security system. The design and implementation of such an IT security system is part of the management's general obligation to introduce a surveillance system which enables the early identification of developments endangering the company's existence. This so-called "Business Continuity Management" (BCM) requires the introduction of an IT risk management system which will be structured so that it is also able to identify and address less obvious security risks (e.g. remote access to IT systems during remote maintenance, etc.).
For the board of directors of a stock corporation, this results directly from Section 91 para. 2 of the German Companies Act (Aktiengesetz, "AktG"). Analogous obligations apply to the executive board of a limited liability company as well as to the management of other incorporated companies. Furthermore, the supervisory board of a stock corporation is obliged to supervise the board of directors in fulfilling its obligation to introduce an IT security structure (cf. Section 111 para. 1 AktG).
Executive officers and boards of directors who violate their obligation to introduce an IT security system are personally liable towards their company. As a matter of principle, they are obliged to act with the "due care of a prudent business manager". The same obligation applies for the supervisory board, insofar as it violates its relevant surveillance obligations.
In the event of a security leakage, the management should be able to show that it acted with the "due care of a prudent business manager", in adequate consideration of the complexity of the company concerned, and that it introduced a comprehensive IT security system and provided for its regular update and implementation (e.g. companywide compliance with security rules).
4. Loss of legal protection of business know-how (Section 17 of the German Act Against Unfair Competition)
Security leakages may lead to business know-how being unintentionally disclosed to the public. A legal consequence of such a disclosure might be that the know-how loses the character of a "trade or business secret" and as a result its know-how protection pursuant to Section 17 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, "UWG").
5. Violation of Non-disclosure Agreements (NDA)
Furthermore, an unintentional disclosure of confidential information due to a security leakage may lead to contractual claims by third parties under non-disclosure agreements (NDA), provided, of course, that the data and/or information affected by the security leakage falls within the scope of the NDA. The affected company will only be able to successfully ward off such contractual claims based on negligence if the security leakage occurred despite the existence of a comprehensive and intact IT security system.
Further risks may result from such NDAs, which, not uncommonly under German law, provide for liquidated damages or contractual penalties in cases of confidentiality breaches. Depending on the individual circumstances (including contractual provisions on the burden of proof), there is an even stronger need and benefit in being able to document such security measures.
With effect as of December 19, 2009, the EU has enacted a directive according to which all EU Member States must oblige providers of publicly accessible electronic communications services to inform the competent national authority and, under certain circumstances, the affected individuals without delay of any security leakages (Directive 2009/136/EC).
Notably, the aforementioned requirement does not apply in relation to the affected individuals in case the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. It remains to be seen to which extent the German legislator will include providers of in-house telecommunication networks (so-called corporate networks) or other telecommunication offers for closed user groups in its national implementation of the directive and impose notification requirements upon them. In the past, the required characteristics of "publicly" accessible telecommunication services gave rise to discussions since a general regulatory exemption for offers directed at "closed user groups" was removed from the Telecommunication Act in 2004. Nevertheless, with only a few exemptions, the specific data protection provisions of the Telecommunication Act apply to non-public, in-house telecommunication networks as well as to publicly available telecommunication services. In light of this rather broad scope of the existing data protection provisions for telecommunication services, the German legislator may choose a corresponding scope of application for the implementation of the new directive in order to fit it into the existing national system. In this case, new security leakage notification requirements under telecommunication laws could also affect companies of non-telecommunication sectors.
In addition to the described possible legal consequences under German and European law, a security leakage within an IT system that is located in Germany may also trigger notification requirements pursuant to US law.
1. "Data Breach" – notification requirements under US law
So far, 45 US States as well as Washington D.C., Puerto Rico and the Virgin Islands have enacted security breach notification laws. Although the statutes of each individual State differ considerably in relation to the applicable prerequisites and their exact requirements, they do contain a common obligation that companies experiencing a security leakage inform all affected individuals without delay.[1] Pursuant to the statutes of the majority of the States, the notification requirements apply to all individuals and companies doing business in the relevant State. Some States even stipulate notification requirements without making explicit reference to business activities within that particular State.
The scope of application of the statutes of the individual States is not limited to companies having their registered office or a branch in that particular State. Rather, all US States have enacted so-called "long arm" laws according to which their statutes – under specific circumstances – also apply to individuals and companies from other US States or other countries. In this regard, the statutory requirements vary in the individual States, even though at least "minimum contacts" to the particular State are typically required. Such "minimum contacts" are presumed if a connection is continuously and systematically maintained (at least also) to the respective State. In the case of an internet presence, such "minimum contacts" are not held to require that transactions are concluded with residents of the respective State via the website. Rather, "minimum contacts" are deemed to already exist where a website enables interactive contact, regardless of whether any transactions are actually concluded via the website.
In order to determine whether these requirements are given, the precise situation and circumstances in each individual case must be taken into account. In any event, European companies which consider the United States as a target market should be aware that in the event of a security leakage they might be subject to US security breach notification laws even if they do not have a branch or other production site in the US.
2. Practical experiences
Cases have occurred where US residents (or their respective lawyers) have contacted European-based companies, claiming that their data was affected by a security leakage within the systems of the respective company and requesting the company to comply with the applicable security breach notification laws, obviously reserving all further rights such as damage claims and the notification of the competent authorities. In such cases, the multitude of the individual security breach notification laws of the US States as well as their varying requirements make an efficient management of the situation as well as its immediately required legal analysis a real challenge. At the same time, a thorough review of the applicability and legal consequences of the statutes of each individual State may be difficult and disproportionate. This applies even more considering that the security breach notification laws typically require immediate action, and that the applicable deadlines are extremely short and often less than two weeks.
For companies which maintain business relations with the US or even operate a US branch, it can therefore be advisable to duly inform all individuals affected by the security leakage without delay. Ideally this should be done in a manner which requires little time and effort whilst at the same time being least damaging to the company's reputation, rather than entering into an in-depth legal analysis of all possibly applicable State statutes. Needless to say, the logistical challenges of even such a "minimalist" approach must not be underestimated. Nevertheless, a one-off notification measure is typically more cost-effective than a comprehensive perusal of all relevant State laws or a potential legal dispute regarding their applicability. Furthermore, a global mailing to all affected individuals demonstrates the company's awareness of data protection laws as well as its efforts to comply with the relevant US regulations. This may prove useful in potential court or out-of-court disputes with the competent federal authorities. In addition, companies should be aware that a violation of applicable security breach notification laws may entail administrative fines of up to USD 250,000 in each US State.
If the business activities of a company suggest that notification requirements under one or more laws of individual US States apply, it is typically advisable to preemptively inform all affected individuals in order to avoid comprehensive legal analysis as well as the cost and public attention arising from potential disputes regarding the applicability of individual State laws. This also holds true because precedents assessing the applicability of notification requirements under State laws to non-US residents are rare and a dispute over this topic would be certain to attract US-wide attention by data protection authorities, the Federal Trade Commission and the media. In comparison, the potential reputational damage caused by a one-off notification of the affected individuals seems acceptable, especially as the companies responsible may determine the wording, tone and the "look and feel" of such a notification themselves and therefore have a bearing on its perception by the affected individuals.
[1] Most statutes require a notification only in cases of unauthorized access to a person's first and last name (or the first letter of the first and last name) in connection with their driver's license, social security number or credit/debit card number. In some States, these statutes are further applied to additional types of data such as ATM cards, passports and birth certificates or to data regarding a person's health. For the practical implementation of the notification requirements see in general www.privacyrights.org/ar/ChronDataBreaches.htm.

Alexander Duisberg
Partner
Bird & Bird LLP
Pacellistrasse 14
80333 Munich
Germany
Tel: +49 (0)89 3581 6239
Fax: +49 (0)89 3581 6011
Mail: alexander.duisberg@twobirds.com