Draft Bill on IT Security Law 2.0
July, 2019 - Lutz Martin Keppeler
There has been intense work on the IT security law 2.0 since the “German doxing case” of late 2018/early 2019, when large volumes of data belonging to German celebrities and politicians were published. This bill will significantly extend the importance and the competences of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”) in information technology. The fact that the BSI's staff should be almost doubled is indicative of this.
Although it cannot yet be foreseen when the law will be enacted and what its final content will be, it is advisable for all media companies and all companies that produce or sell smart devices in Germany to familiarize themselves with the following important regulations.
1) Introduction of a voluntary IT security label
One of the most interesting innovations is the introduction of a standardized voluntary IT security label. The aim of introducing it is to provide consumers with comprehensible, transparent and uniform information about the IT security of various consumer products and services. This will enable consumers to make an informed well-grounded choice when purchasing their devices.
The new Sec. 9a of the Act on the Federal Office for Security in Information Technology (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, “BSIG”) aims to regulate the conditions for a new IT security label. It should contain a manufacturer declaration of certain IT security properties (manufacturers' “security promises”) and furthermore dynamic BSI information on any potential security gaps.
This means that products will have an “electronic package leaflet” with additional security information that the buyer can call up on the spot while purchasing via a reference (e.g. a QR code or link on the packaging) and view as current security information on a product information page. It must be possible for the BSI to check this security information dynamically (i.e. regularly) in order to guarantee the credibility of the IT security label.
2) Extension of critical infrastructure to "media companies"
The current obligations of operators of critical infrastructure under the Information Security Law will be broadened to cover further sections of the economy. These include reporting obligations and minimum standard obligations pursuant to Sections 8a and 8b BSIG.
The intended extension will cover the media sector. Although the sector does not fall under critical infrastructure in the narrower meaning of Sec. 2 (10) BSIG, it will be subject to the law if the infrastructure in question is of special public interest in the meaning of Sec. 2 (14)(1) of the amended BSIG. The draft bill gives the following justification: press freedom, freedom of reporting and media pluralism are interests which are protected by the constitution and are cornerstones of the fundamental system of freedom and democracy in Germany. Any influence over or restriction of those interests may have a negative impact on society and on the fundamental system of freedom and democracy.
The nature of the individual thresholds, and whether every blogger or only a few high-circulation press media will be affected, is as yet intentionally unclear. This will likely be defined more closely in a subsequent regulation. Depending on how applicability is configured, many companies could be affected, including forum providers, social networks, operators of communication apps or the press.
3) Increased fines
To bring the new act in line with the GDPR, Sec. 14 (2) BSIG allows for penalties of up to EUR 20,000,000 or up to 4 % of the company's entire global turnover during the previous business year. In this way, the sanctions will reflect the economic clout of the company in question. Previously, the maximum sanction was EUR 100,000, which was considerably too low in proportion to the economic might of critical infrastructure operators.
Basing the fines on the regulations of the GDPR aims to make them effective and appropriate and to act as a deterrent. The aim is to make sanctions for breaches of measures to secure facilities as severe as those for breaches of data protection law. This will bring parity to the two regulatory fields.
Section 14 (1) of the amended BSIG includes a revised list of offences that can be sanctioned. This was necessary because the previous sanctions only covered a fraction of the obligations subject to Section 8a BSIG. The list of infringements was fine-tuned in respect of the obligation to make disclosures and to provide evidence. In addition, the use of an IT security label which has been revoked or which has not yet been approved will also result in a fine.
Conclusion
Media operators should be prepared to meet additional and more stringent IT security requirements, even though the mandatory measures will presumably only be laid down in detail at a later stage. Companies that sell software or smart devices to consumers should give timely consideration to whether they wish to use the voluntary IT security label, and to what “security promises” they can actually make in this context.