Liability falsified emails | IT-Medienrecht

Learn about liability for falsified emails & invoices. The Schleswig-Holstein Higher Regional Court ruled on GDPR & BGB claims. Protect your business…

Schleswig-Holstein Higher Regional Court: Liability for Falsified Emails with Invoices

In my recent practice, I have been dealing with a significant number of cases involving hacked email servers and considerable financial implications. These incidents often involve the manipulation of invoices, leading to payments being directed to fraudulent accounts. Such cases are particularly sensitive due to the frequent lack of clear legal precedents. They demand both profound technical expertise and meticulous legal analysis.

I have previously addressed the issue of fake invoices and false IBAN transfers in earlier articles. For more detailed information, please refer to our articles on Fake Invoices and False IBAN Transfers and Fake Invoices with a False IBAN – What to Do if You Have Fallen for Fraudsters?

Background to the Recent Case

A recent ruling by the Higher Regional Court of Schleswig-Holstein clarified that a payment made to an incorrect account does not fulfill the payment obligation if the invoice was unauthorizedly altered. However, the customer might assert a claim for damages under Article 82 GDPR if the company breached its obligations under the GDPR. Furthermore, a claim for damages under Section 280 of the German Civil Code (BGB) can often be considered, as this may involve a breach of contractual duties.

The Higher Regional Court overturned the judgment of the Regional Court, stating that payment to the wrong account had no fulfillment effect. This was because the creditor did not receive the amount for free disposal. Performance by payment to a third party, as per Section 362 (2) BGB, only occurs if the creditor legally authorizes the third party to receive the payment in their own name. Since this was not the case, the original payment obligation remained.

A central aspect of the decision concerned whether the company had implemented sufficient security measures to protect personal data from unauthorized access. The court highlighted that mere transport encryption is inadequate when sending emails containing personal data, especially where significant financial risk is involved. Instead, end-to-end encryption is recommended as an appropriate measure. Companies must demonstrate that they have taken adequate security measures to protect personal data, aligning with the security level required by the GDPR.

The Higher Regional Court found that a breach of GDPR provisions cannot be assumed solely because unauthorized access to personal data occurred. Instead, the data controller must demonstrate and prove that the security measures implemented were suitable for protecting personal data from unauthorized access. The specific requirements for these security measures depend on the risks associated with the processing and must be assessed individually.

In this particular case, the Higher Regional Court ruled that the plaintiff had substantiated sufficient minimum protection measures, such as SMTP via TLS, for email traffic with contractual partners. However, the defendant disputed this submission. The court found insufficient evidence of a breach of duty by the plaintiff that would have been causal for the defendant's damage. Nevertheless, contributory negligence on the customer's part could be relevant if the manipulated invoice differed significantly from previous invoices.

This decision by the Higher Regional Court underscores the critical importance of appropriate security measures in digital business transactions. Companies must ensure they take adequate steps to protect personal data, especially sensitive information like bank details. Failure to do so may lead to claims for damages under the GDPR or the German Civil Code. For broader security considerations, consider how NIS2 compliance can help mitigate risks.

Legal Framework: Liability Under GDPR and BGB

A claim for damages under Article 82 GDPR requires that the processing of personal data culpably violated GDPR provisions, the data subject suffered damage, and there is a causal link between the unlawful processing and the damage. Furthermore, Section 280 BGB may be relevant if the company breached its contractual obligations by failing to provide sufficient protection against manipulation. Detailed information on GDPR reporting and damage limitation can be crucial in such scenarios.

The Higher Regional Court's decision illustrates that GDPR liability is not automatic simply because unauthorized access to personal data has occurred. Instead, the data controller must prove that all reasonable measures to protect the data were taken. End-to-end encryption is widely regarded as the standard for protecting personal data in email communications.

A claim for damages under Section 280 BGB requires a company to have breached a contractual obligation, and this breach must have caused the damage. In cases of invoice manipulation, this might imply that the company did not provide adequate protection against unauthorized access to emails. The burden of proof for a breach of duty generally rests with the injured party, unless there are indications that the company was at fault.

The Higher Regional Court's decision also highlights that contributory negligence on the customer's part can be considered under Section 254 BGB. This applies if the customer did not sufficiently check the manipulated invoice, which can significantly reduce the claim for damages.

Practical Security Measures and Recommendations

The Higher Regional Court explicitly states that pure transport encryption is insufficient for emails containing personal data, particularly where there is a high financial risk. End-to-end encryption is recommended as an appropriate security measure. Companies must be able to demonstrate that they have implemented suitable security measures to protect personal data from unauthorized access.

This decision emphasizes the importance of robust security measures in digital business and sets an important precedent for corporate liability in such cases. Companies should regularly review and adapt their security protocols to ensure compliance with GDPR requirements.

In practice, this means that companies should not solely rely on transport encryption. They must also ensure that the entire communication chain is secure. This can be achieved by implementing end-to-end encryption solutions, guaranteeing that only the authorized recipient can read the message. Adopting practices for legally compliant archiving of emails is another essential step.

Furthermore, companies should provide regular training for their employees. This ensures that staff are familiar with security measures and know how to react to suspicious emails. A well-designed security concept can significantly minimize liability risks in the event of manipulation.

Conclusion and Actionable Advice

The ruling by the Schleswig-Holstein Higher Regional Court underlines the critical need for appropriate security measures in digital business transactions. Companies are obligated to implement suitable safeguards to protect their customers from manipulation. Failure to do so may result in claims for damages under the GDPR or the German Civil Code (BGB). This decision serves as an important precedent for corporate liability in these situations.

It's important to note that many affected parties often refer to the judgment of the Karlsruhe Higher Regional Court of July 27, 2023 (19 U 83/22), which is not always directly applicable. Such cases frequently reveal a lack of technical understanding among judges, who may struggle to fully grasp the complexity of digital security measures. Therefore, it is crucial that those affected consult a lawyer possessing both legal and technical expertise.

If you have paid a counterfeit invoice and are now being asked to pay again because the initial payment did not have a fulfillment effect, I encourage you to contact me. With my experience and access to technical experts, I can ensure that all relevant aspects are considered to effectively represent your rights. Together, we can assert your claims and work towards securing the compensation you are entitled to. Do not hesitate to reach out to protect your interests effectively.