In a ruling published on July 27, 2023 (19 U 83/22), the Karlsruhe Higher Regional Court addressed the question of which security precautions must be observed when sending e-mails in business dealings. However, the decision raises more questions than it answers.
The initial case
A contract of sale for a used car at a price of 13,500 euros was concluded between the plaintiff, acting as seller, and the defendant, acting as buyer. The plaintiff sent the buyer an invoice for the purchase price by e-mail. Shortly afterwards, the buyer received another e-mail with a manipulated invoice. He transferred the purchase price to the account specified in it. The seller then sued the buyer for payment of the purchase price.
The decision of the lower court
At first instance, the Mosbach Regional Court dismissed the action. It considered the claim for payment of the purchase price to have been fulfilled under § 362 para. 1 BGB by the transfer to the wrong account. According to the court, the “orientation guide” of the data protection commissioner on the protection of personal data obliges the seller to use end-to-end encryption. The seller’s breach of this obligation had enabled the third party’s access.
The decision of the appellate court
At second instance, the Karlsruhe Higher Regional Court overturned the judgment and ordered the buyer to pay the purchase price of 13,500 euros. It clarified that there was no legal obligation to use end-to-end encryption, as the case concerned corporate data. The payment to a wrong account did not satisfy the claim.
Problem in the decision
However, the decision raises more questions than it answers:
- It remains unclear how the fake e-mail could have come about in the first place.
- The circumstances of the mail dispatch are not clarified.
- Whether there is a legal problem or the parties have failed procedurally is not discussed.
- The key question of who paid the fake bill remains unanswered.
Problem of fulfillment in case of transfer
As a general rule, when a sum of money is transferred, performance has not occurred until the amount owed is received in the creditor’s account. A transfer to a wrong recipient account does not fulfill the claim. So the problem here is not the security standards, but the lack of fulfillment.
Security issues with e-mail communication
Still, the case raises questions about e-mail security:
- Absolute security is not owed, but adequate protective measures are.
- There are no binding standards for securing e-mails in business transactions.
- Technical solutions such as encryption are reaching their limits.
- Responsibility lies with both the sender and the receiver.
- Social engineering, phishing and fake senders are major problems.
The ruling raises the issue of security standards for e-mail traffic, but does not clarify the core issues. Neither the cause nor the circumstances of the mail dispatch are clarified. The decision makes it clear that e-mail security remains an unresolved issue. Absolute security is impossible, but adequate precautions are mandatory. Increased caution and technical protection are required, especially for sensitive business information.
The full ruling is available here.