Once again: Manipulated invoices, third-party IBANs and claims for damages under Art. 82 GDPR

Over the past few days, I have repeatedly reported on the topic of fake or manipulated invoices here on the blog. The reason: there are more and more cases on my desk where clients have got into payment difficulties due to professional-looking fake invoices. The criminals simply change the IBAN and pass it off as the supposed account of the invoice issuer. The result: amounts are not paid to the real recipient, but to unknown parties. Having already examined the possible liability issues from a civil law perspective (Sections 280 et seq. of the German Civil Code), I would now like to focus more on the emerging developments surrounding Art. 82 GDPR.

Background: Fake invoices and compromised systems

Most of the cases I have seen follow a typical pattern: Criminals get hold of internal email communications or original invoices. Once this data has been captured, the documents are copied or “replicated” so that they look deceptively similar to genuine invoices. Only the bank details are exchanged in the documents. Anyone who then makes a transfer often only notices the fraud when the payment amount has already ended up irretrievably with the fraudsters.

In principle, it is conceivable to assert civil law claims under Section 280 BGB if the invoicing party or a party involved has breached contractual duties to protect. However, injured parties are often confronted with considerable difficulties in providing evidence: Who is to prove whether and when there was a failure in the IT security of the alleged sender?

This is precisely where Art. 82 GDPR comes in. Based on increasing evidence from literature and case law, a trend is emerging whereby injured parties can assert a claim for damages in the event of breaches of data protection law – such as compromised email systems.

Art. 82 GDPR as an additional basis for claims

Art. 82 GDPR grants any person who suffers damage as a result of a breach of the General Data Protection Regulation a right to compensation for material and non-material damage. The charm of this provision lies in particular in the shifting of the burden of proof, which is expressed in paragraph 3 of this provision.

Standard of liability and reversal of the burden of proof

Art. 82 par. 1 GDPR reads:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.

”
Art. 82 para. 3 GDPR explains the decisive reversal of the burden of proof:

“The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not responsible in any respect for the event giving rise to the damage.

”
While in the case of contractual claims under Section 280 of the German Civil Code (BGB), the injured party usually has to prove that the other contracting party has breached its obligations, this burden of proof is practically reversed under the GDPR: Now, the company potentially subject to a claim must demonstrate and prove that it is not responsible for the data protection breach.

Comparison with claims under § 280 BGB

In the classic civil law liability structure, Section 280 BGB forms the basis for claims for damages in the event of breaches of duty. However, the burden of presentation and proof for all conditions justifying liability (breach of duty, fault, damage) lies with the claimant.

Anyone who can invoke Art. 82 GDPR must generally assert the existence of a GDPR breach. However, as soon as there are indications that personal data – in particular email addresses, account details or communication content – has been misused, the controller must prove that all necessary technical and organizational measures have been taken (Art. 32 GDPR).

Practical example: If it is proven that a forged invoice was created using data from specific email traffic, there is a strong presumption that the sender’s system was compromised. It is now up to the sender to provide complete proof that their IT system was not compromised. Otherwise, a claim under Art. 82 GDPR may be successful.

Practical relevance for recipients of counterfeit invoices

In my practice, I notice that clients are often surprised by the possibilities offered by Art. 82 GDPR. The recurring question is: “Is there even a breach of data protection law if only the IBAN has been falsified?”

My experience shows that fake invoices usually involve more than just an IBAN. Personal data such as name, address, invoice content, possibly details of other employees or internal company information are misused. As soon as this data falls into unauthorized hands, a violation of the GDPR is obvious.

Advantage for those affected: The resulting damages can be of a financial and non-material nature – the latter, for example, due to the annoyance, excitement and time-consuming communication required to clarify the damage. German courts are increasingly open to awarding non-material damages if there is a noticeable impairment (see, for example, LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18, which awarded damages for a comparatively minor data protection breach).

It is true that most of the published rulings do not yet explicitly deal with the issue of forged invoices. However, it can be deduced from the principles established in decisions on general data protection breaches (e.g. inadequate data security, unauthorized disclosure of data) that compromised email communication may fall under Art. 82 GDPR.

In this context, reference should also be made to the case law of the European Court of Justice (ECJ). In particular, “Schrems II” (C-311/18) shows that the protection of personal data must be given high priority. Although this case primarily dealt with the transfer of data to third countries, it fundamentally shows how strictly courts now deal with data protection violations.

Shipper responsibility and recommended measures

I see time and again that companies – whether out of ignorance or for cost reasons – cut corners when it comes to IT security. However, Art. 5 para. 1 lit. f GDPR and Art. 32 GDPR to protect personal data with appropriate technical and organizational measures (TOM). These include, among others:

1. Secure e-mail communication: encryption (e.g. S/MIME), unique signatures, spam filters.
2. Up-to-date systems: Firewalls, virus protection and regular updates so that known security gaps are closed.
3. Strict access rights: Clear assignment of authorizations within the company, logging of access.
4. Training courses: Raising employee awareness, particularly with regard to phishing, social engineering and fake attachments.
5. Monitoring: Proactive monitoring for anomalies, e.g. unusual changes to bank details or atypical login attempts.

Companies that neglect these points run the risk of being held liable under civil law pursuant to Art. 82 GDPR in addition to possible fines from the supervisory authorities (Art. 83 GDPR).

Significance for companies and possible defense strategies

I consider the reversal of the burden of proof to be the key reason why Art. 82 GDPR is becoming increasingly important. Anyone who is held liable as the controller must provide detailed and comprehensible evidence that they are not at fault for the data breach.

Possible defense strategies are:

• Seamless documentation of all data security measures and corresponding controls.
• Presentation of a clear organizational structure for the protection of personal data.
• If necessary, use of external certifications (ISO 27001 or similar) to underpin a high level of security.
• In the event of third-party negligence, provide evidence that the compromise was exclusively outside your own sphere (e.g. error in the recipient system, inadequate protection on the recipient side).

However, such a defense regularly requires extensive IT forensic investigations and good documentation. In many of the cases I work on, the clients only approach me after the damage has actually occurred, so that a complete review of the events is often complicated.

Conclusion and outlook

In my opinion, the development of applying claims for damages under Art. 82 GDPR to cases of manipulated invoices is a great benefit for those affected. The reversal of the burden of proof ensures that the injured party no longer has to prove in detail when and how the IT systems were compromised. Instead, the sender of a possibly falsified invoice must actively prove that there was no breach of the GDPR.

Recent case law, both at national level (e.g. LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18) and by the European Court of Justice (ECJ, for example in its landmark decisions such as “Schrems II”), shows that the level of protection provided by the GDPR should not be underestimated. To date, there are no supreme court decisions in Germany that explicitly deal with fake invoices and Art. 82 GDPR. However, it is clear that the general principles of data protection law can also apply here.

I advise all companies to thoroughly secure the sending of invoices and the associated communication channels. Particular care should be taken when changing payment information. As a customer, you should remain vigilant, always consult with your bank in the event of unusual IBAN requests and double-check whether the bank details are actually correct.

Anyone who has already suffered financial losses as an injured party is well advised to examine the possibility of GDPR compensation in addition to contractual and tort claims. In many cases, this results in a significantly improved negotiating environment – and therefore more realistic prospects of obtaining compensation for part of the damage from the controller.