Security Precautions in Email Traffic: The Karlsruhe Higher Regional Court's Decision on Manipulated Invoices
In a ruling published on July 27, 2023 (19 U 83/22), the Karlsruhe Higher Regional Court addressed the question of which security precautions must be observed when sending emails in business dealings. This decision, however, raises more questions than it answers, highlighting the complexities surrounding email security in legal contexts.
The Initial Case
A contract of sale was concluded between the plaintiff, acting as seller, and the defendant, acting as buyer, for a used car at a price of 13,500 euros. The plaintiff initially sent the buyer an invoice for the purchase price via email. Shortly thereafter, the buyer received another email containing a manipulated invoice.
The buyer then transferred the purchase price to the account specified in this fraudulent email. Consequently, the seller sued the buyer for payment of the original purchase price.
The Lower Court's Decision
At first instance, the Mosbach Regional Court dismissed the action. It considered the claim for payment of the purchase price fulfilled by the transfer to the wrong account, citing § 362 para. 1 BGB. The court referred to an "orientation guide" from the data protection commissioner regarding the protection of personal data.
This guide, according to the lower court, obligated the vendor to use end-to-end encryption. The court concluded that the vendor's breach of this obligation had enabled the third party's unauthorized access.
The Appellate Court's Decision
In the second instance, the Karlsruhe Higher Regional Court overturned the previous verdict. It ordered the buyer to pay the purchase price of 13,500 euros to the seller. The court clarified that there was no legal obligation for end-to-end encryption in this context, as it concerned corporate data rather than personal data governed by specific data protection guidelines.
Furthermore, the court emphasized that payment to a wrong account does not satisfy the original claim for payment. Therefore, the buyer remained liable for the purchase price.
Unresolved Questions from the Ruling
Despite the verdict, the decision leaves several critical questions unanswered, making it difficult to draw comprehensive conclusions about specific security obligations:
- It remains unclear how the fake email could have originated in the first place.
- The precise circumstances surrounding the email dispatch were not clarified during the proceedings.
- It was not thoroughly discussed whether the core issue was a legal problem with security standards or a procedural failure by the parties involved.
- The key question of who ultimately orchestrated and benefited from the fake invoices and false IBAN transfers remains unaddressed.
The Problem of Fulfillment in Bank Transfers
As a general rule, when a sum of money is transferred, performance is not deemed to have occurred until the owed amount is actually received in the creditor's account. A transfer to an incorrect recipient account therefore does not fulfill the payment obligation.
Thus, the core issue in this case was not primarily about the specific email security standards, but rather the failure to properly fulfill the payment obligation by transferring funds to the designated creditor.
Challenges in Email Security
Nevertheless, the case highlights critical questions regarding email security in business transactions:
- Absolute security is not an obligation, but adequate protective measures are generally required.
- There are currently no universally binding standards for securing business emails, leading to legal ambiguities.
- Technical solutions like encryption, while crucial, also have their limitations and are not foolproof.
- Responsibility for secure communication often lies with both the sender and the receiver, making it a shared challenge.
- Social engineering, phishing, and fake sender identities continue to pose significant and evolving threats.
- Considering these ongoing challenges, a continuous focus on cybersecurity tightening and awareness is essential for businesses. Moreover, the legally compliant archiving of emails is vital for maintaining an audit trail and ensuring data integrity.
Conclusion and Outlook
The Karlsruhe Higher Regional Court's ruling certainly highlights the challenges of security standards in email traffic but ultimately does not clarify the underlying core issues. Neither the exact cause nor the comprehensive circumstances of the mail dispatch were fully elucidated.
The decision underscores that email security remains a complex and ongoing challenge in the digital business world. While absolute security is unattainable, implementing adequate precautions is mandatory. Increased vigilance and robust technical protection are especially crucial for handling sensitive business information.
The full ruling is available here.