Rechtsanwalt Marian Härtel - ITMediaLaw

Liability under Art. 82 GDPR for sending forged invoices!

17. February 2025
in Law on the Internet
Key Facts
  • Email server security: Essential for protecting business data and avoiding financial risks.
  • Braunschweig Regional Court ruling: Confirms that unencrypted emails can have significant legal consequences.
  • Protective measures: Encryption is basic protection and necessary to meet GDPR requirements.
  • E-invoices and XML: High risk of fraud with unsecured e-invoices requires additional security precautions.

Recently, I have been able to successfully represent my clients in several similar cases that were affected by security breaches in email traffic. A recent judgment clearly shows how important it is to ensure the security of email servers and, in particular, the encryption of invoices. This issue is of great importance as it not only affects the confidentiality of business data, but also poses significant financial risks. I have already reported on the dangers of fake invoices and false IBAN transfers in several articles here on itmedialaw.com, for example here, here and here. These cases show that companies and private individuals alike can be affected by the consequences of inadequate security measures.

Email server security is a key issue in today’s business world. Without adequate security measures, sensitive data can easily fall into the wrong hands, which can lead to considerable financial losses. A recent ruling by the Braunschweig Regional Court (case number 7 O 47/24), in which I successfully represented the interests of the plaintiff as a lawyer, makes it clear that the use of unencrypted emails when transmitting invoices and personal data can have considerable legal consequences.

In this case, a purchase contract was sent by email in which the defendant’s bank details were manipulated. The plaintiff then transferred the purchase price to a false account, which led to considerable financial damage. The court found that the defendant had breached the GDPR by failing to take sufficient security measures. The defendant did not use transport or end-to-end encryption when sending the emails, which was deemed insufficient. The measures, such as the use of antivirus software and firewall, were not sufficient to ensure the protection of the data. The court emphasized that the encryption of emails is a basic protection that is considered a minimum measure to meet the legal requirements. The full judgment can be viewed here.

As a lawyer, I successfully represented the plaintiff in this case and was able to prove that the defendant had breached its obligations under the GDPR. The court’s decision underlines the importance of accountability and the need for appropriate security measures in email traffic. Companies should be aware of these challenges and take appropriate measures to protect their data and that of their customers. If you have any questions on this topic or need assistance, please do not hesitate to contact me. I will be happy to help you protect your interests and optimize your security measures.

Legal consequences

The court ruled that the defendant had breached the GDPR by processing the plaintiff’s personal data in culpable violation of the provisions of the GDPR. The plaintiff’s claim for damages was derived from Art. 82 para. 1 GDPR. This article provides that any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. The plaintiff had presented all the necessary requirements for this claim and the court found that the defendant had acted culpably by not taking sufficient security measures.

The court agrees with the plaintiff that the defendant violated the principles of Art. 5, 24 and 32 GDPR by not taking appropriate technical and organizational measures to ensure the level of protection of personal data. Sending the invoice with the data contained therein by email without encryption constitutes processing within the meaning of Art. 4 No. 2 GDPR. The defendant did not even implement the lower level of protection of transport encryption, but sent its emails without any encryption. This was considered completely unsuitable within the meaning of the GDPR. The measures of implementing a firewall, an anti-virus program and password encryption of the Outlook account have no protective effect whatsoever on the sending of business emails and can be ruled out from the outset as suitable measures for the protection of personal data in email traffic.

The court emphasizes that the defendant acted culpably. Following the case law of the European Court of Justice, Art. 82 GDPR provides for a liability regime for culpability in which the burden of proof does not lie with the injured party, but with the controller. This means that the controller must prove that it has fulfilled all duties of care and cannot be accused of the slightest negligence. The defendant did not provide this proof, as it did not take the necessary encryption or other sufficient security measures.

The court ruled that the defendant had breached the accountability obligation under Art. 5 para. 2 GDPR by failing to demonstrate and prove that its security measures were suitable to protect the personal data in accordance with the level of security required by the GDPR. The use of antivirus software and firewalls is not sufficient to ensure the protection of emails, especially if no encryption is used. The ECJ has interpreted the requirements of Art. 32 GDPR to the effect that the suitability of the measures taken by the controller must be assessed by the national courts, taking into account the risks associated with the processing in question. In this case, the court found that the measures taken by the defendant were not sufficient to protect the plaintiff’s personal data.

The court agrees with the plaintiff that the damage of EUR 22,600 is a causal consequence of the breach of the GDPR. Since the defendant did not comply with a sufficient level of protection to secure the plaintiff’s personal data when sending its email with the attached contractual document, it is incumbent on the defendant to prove that the damage suffered by the plaintiff was not caused by its misconduct. The defendant has not provided this proof.

Originally, the action was brought on the basis of Section 280 BGB, although the underlying legal issues are largely comparable. However, it should be noted that the standard of care in the application of Art. 82 GDPR is much stricter – even minor negligence is sufficient to trigger a claim for damages. Due to these higher requirements, the claim ultimately boils down to Art. 82 GDPR, although a comparable liability assessment could also be derived from Section 280 BGB.

The problem with e-invoices

A particular problem arises when using e-invoices, especially in XML format. Here it can be difficult to detect manipulated documents, as XML files cannot be checked for changes as easily as PDFs. This significantly increases the risk of fraud and misuse. Companies should therefore be particularly careful when using e-invoices and ensure that all transmitted data is adequately protected. While the use of XML formats can be efficient, it also carries risks as these files can be easily manipulated. In cases where large amounts are transferred, it is particularly important that additional security measures are taken to prevent misuse.

The GDPR stipulates that personal data must be adequately protected, which also includes the sending of invoices. The use of encryption technologies can help to minimize these risks and ensure the security of data. I have highlighted the importance of security in the transmission of invoices in my previous articles and emphasize that companies must act proactively to protect their customers and their own interests.

Challenges with XML files

Although XML files offer many advantages, such as the automation of processes and easy integration into existing systems, they are also more susceptible to manipulation. As XML files are usually machine-readable, they can easily be changed by hackers without this being immediately apparent. This can lead to considerable financial losses if, for example, the bank details in an invoice are manipulated. Companies should therefore ensure that all XML files containing sensitive information are adequately protected.

Solutions to minimize risk

Companies can take various measures to minimize the risks associated with the use of e-invoices in XML format:

1. Encryption: The use of encryption technologies, such as transport or end-to-end encryption, can help to protect data during transmission. This is particularly important when personal data or sensitive financial information is transmitted.

2. Digital signatures: Digital signatures can be used to ensure the authenticity and integrity of e-invoices. This can help to detect and prevent manipulation.

3. Two-step authentication: Implementing two-step authentication for access to systems that process e-invoices can increase protection against unauthorized access.

4. Regular security audits: Regular security audits and penetration tests can help identify and fix vulnerabilities in systems before they can be exploited by attackers.

5. Staff training: Staff should receive regular training to make them aware of potential risks and ensure that all employees comply with the necessary safety measures.
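Whether transport encryption (measure 1) was actually in place for a given invoice email can be checked from the message's own Received headers. The following is an added example, not part of the original article or the court file: it classifies each hop as TLS-protected, plaintext SMTP, or other, and all hostnames, addresses and the message itself are constructed sample data.

```python
import re
from email import message_from_string

# Constructed sample message (not from the case). Received headers are
# prepended by each receiving server, so the newest hop is listed first.
SAMPLE = """\
Received: from mx.buyer.example (mx.buyer.example [192.0.2.10])
\tby mail.buyer.example with LMTP id abc123;
\tMon, 03 Feb 2025 10:00:05 +0100
Received: from out.seller.example (out.seller.example [198.51.100.7])
\tby mx.buyer.example (Postfix) with ESMTP id 4XyZ;
\tMon, 03 Feb 2025 10:00:04 +0100
Received: from workstation (unknown [203.0.113.5])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby out.seller.example (Postfix) with ESMTPSA id 9AbC;
\tMon, 03 Feb 2025 10:00:02 +0100
From: billing@seller.example
To: ap@buyer.example
Subject: Invoice 2025-001

See attachment.
"""

# "with" protocol keywords that imply STARTTLS (RFC 3848) versus plain SMTP.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA"}
# Heuristic: comment forms that some MTAs add when the session used TLS.
TLS_COMMENT = re.compile(r"\((?:using\s+|version=)TLS", re.I)


def _strip_comments(text):
    """Remove parenthesised comments, including nested ones."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text


def _clause(keyword, text):
    """Return the token following a 'from' / 'by' / 'with' clause, if any."""
    match = re.search(r"\b%s\s+(\S+)" % keyword, text, re.I)
    return match.group(1) if match else None


def audit_received(raw_message):
    """Return the hops in transit order (oldest first) with a TLS status."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())                  # unfold the header
        clauses = _strip_comments(flat).split(";")[0]   # drop comments and date
        proto = (_clause("with", clauses) or "").upper()
        if proto in TLS_PROTOCOLS or TLS_COMMENT.search(flat):
            status = "tls"
        elif proto in PLAIN_PROTOCOLS:
            status = "plaintext"
        else:
            status = "other"    # local delivery, LMTP, unknown keyword
        hops.append({"from": _clause("from", clauses),
                     "by": _clause("by", clauses),
                     "protocol": proto, "status": status})
    return hops


def plaintext_hops(raw_message):
    """Hops where the message crossed the wire without transport encryption."""
    return [(h["from"], h["by"]) for h in audit_received(raw_message)
            if h["status"] == "plaintext"]


if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(hop)
```

Each Received line is written by the server that accepted the message, so only the hops recorded by your own infrastructure are trustworthy evidence. The check covers transport encryption only and says nothing about end-to-end encryption or the integrity of the attachment.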

By implementing these measures, companies can increase the security of their e-invoices and minimize the risk of fraud and misuse. If you have any questions on this topic or need support, please do not hesitate to contact me. I will be happy to help you protect your interests and optimize your security measures.

Conclusion

The security of email servers and the encryption of invoices are crucial aspects of digital business transactions. Companies should be aware of these challenges and take appropriate measures to protect their data and that of their customers. The GDPR stipulates that personal data must be adequately protected, which also includes the sending of invoices. The use of encryption technologies can help to minimize these risks and ensure the security of data. I am at your disposal to support you in these matters and to ensure that your data and that of your customers is protected in the best possible way. Should you be affected by similar problems or have any questions on this topic, please do not hesitate to contact me. I have successfully acted for my clients in numerous cases and can help you to protect your interests.

The ruling by the Braunschweig Regional Court (case reference 7 O 47/24) is an important precedent that underlines the importance of security in email traffic. The decision shows that companies that violate the GDPR must expect considerable legal consequences. The plaintiff received a purchase contract by email in which the defendant’s bank details had been manipulated. The plaintiff then transferred the purchase price to a false account, which led to considerable financial damage. The court found that the defendant culpably violated the GDPR by not taking sufficient security measures. The defendant did not use transport or end-to-end encryption when sending the emails, which was deemed insufficient. The measures, such as the use of antivirus software and firewall, were not sufficient to ensure the protection of the data. The court emphasized that the encryption of emails is a basic protection that is considered a minimum measure to meet the legal requirements.

P.S. Thanks, by the way, to my professional IT partner Velevo/Sebastian Genter, who were also able to help here with a convincing IT report.

Author: Marian Härtel

Marian Härtel is a lawyer and certified specialist in IT law with more than 25 years of experience as an entrepreneur and advisor in the fields of games, esports, blockchain, SaaS and artificial intelligence. In addition to IT law, his advisory work focuses in particular on copyright law, media law and competition law. He mainly advises start-ups, agencies and influencers, supporting them in strategic matters, complex contractual matters and investment projects. His advice is characterized by an interdisciplinary approach that combines legal expertise with many years of entrepreneurial experience. The aim of his work is always to offer clients practice-oriented solutions and to provide legally sound support in implementing innovative business models.
