Security precautions for e-mail traffic – Karlsruhe Higher Regional Court specifies requirements

Key Facts

Karlsruhe Higher Regional Court ruled on 27.7.2023 which security precautions must be observed when sending emails in business transactions.
The case concerned a purchase contract for a used car and a manipulated invoice that led to an incorrect bank transfer.
The Mosbach Regional Court dismissed the claim as it found a breach of data protection regulations that did not require end-to-end encryption.
The OLG overturned the ruling, but confirmed that there is no legal obligation for end-to-end encryption for company data.
Numerous questions about mail security, the circumstances of sending and the fulfillment of the claim remain unanswered.
The decision makes it clear that appropriate protective measures are required, while absolute safety cannot be guaranteed.
Problems such as social engineering and phishing pose significant challenges for e-mail communication in a business context.

In a ruling published on July 27, 2023 (19 U 83/22), the Karlsruhe Higher Regional Court addressed the question of which security precautions must be observed when sending e-mails in business dealings. However, the decision raises more questions than it answers.

Content Hide

1. The initial case

2. The decision of the lower court

3. The decision of the appellate court

4. Problem in the decision

5. Problem of fulfillment in case of transfer

6. Security issues with e-mail communication

7. Conclusion

7.1. Author: Marian Härtel

The initial case

Between the plaintiff, acting as seller, and the defendant, acting as buyer, a contract of sale was concluded for a used car at a price of 13,500 euros. The plaintiff sent the buyer an invoice for the purchase price by e-mail. Shortly after, the buyer received another email with a manipulated invoice. He transferred the purchase price to the account specified in this. The seller then sued the buyer for payment of the purchase price.

The decision of the lower court

At first instance, the Mosbach Regional Court dismissed the action. It considered the claim for payment of the purchase price by the transfer to the wrong account under § 362 para. 1 BGB as fulfilled. The “orientation guide” of the data protection commissioner for the protection of personal data referred to by the district court obliges the vendor to use end-to-end encryption. Your breach of this had enabled the third party’s access.

The decision of the appellate court

In the second instance, the Karlsruhe Higher Regional Court overturned the verdict and ordered the buyer to pay the purchase price of 13,500 euros. It clarified that there was no legal obligation for end-to-end encryption, as it concerned corporate data. The payment to a wrong account did not satisfy the claim.

Problem in the decision

However, the decision raises more questions than it answers:

It remains unclear how the fake e-mail could have come about in the first place.
The circumstances of the mail dispatch are not clarified.
Whether there is a legal problem or the parties have failed procedurally is not discussed.
The key question of who paid the fake bill remains unanswered.

Problem of fulfillment in case of transfer

As a general rule, when a sum of money is transferred, performance has not occurred until the amount owed is received in the creditor’s account. The transfer to a wrong recipient account does not fulfill the requirement. So the problem here is not the safety standards, but the lack of compliance.

Security issues with e-mail communication

Still, the case raises questions about email security:

Absolute safety is not owed, but adequate protective measures are.
There are no binding standards for securing e-mails in business transactions.
Technical solutions such as encryption are reaching their limits.
Responsibility lies with both the sender and the receiver.
Social engineering, phishing and fake senders are major problems.

Conclusion

The ruling problematizes security standards for e-mail traffic, but does not clarify the core issues. Neither the cause nor the circumstances of the mail dispatch are clarified. The decision makes it clear that email security remains an unresolved issue. Absolute security is impossible, but adequate precautions are mandatory. Increased caution and technical protection are required, especially for sensitive business information.

The full ruling is available here.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: E‑mail IT Security