§ Section 13(7) of the TMG
The law passed in 2015 to increase the security of information technology systems, which is formulated in § 13 paragraph 7 of the German Telemedia Act, caused quite a stir among website operators. On the other hand, some of the requirements are very general and apply to practically all providers of commercial telemedia. You can find out what you as a provider should pay particular attention to here.
Part of the new law only concerns infrastructure classified as critical. These include, for example, hospitals, financial institutions or electricity suppliers. However, the legislator also imposes considerably stricter requirements on operators of online shops, commercial apps and internet portals regarding the content they offer and the technical security of their services, which brings a not insignificant additional effort in maintaining the web project. The provision entered into force on 01.08.2015. Whoever reacts too carelessly in this regard can therefore quickly be faced with legal problems that endanger the existence of the project. Literally, § 13 paragraph 7 TMG reads:
(7) Service providers shall, insofar as this is technically possible and economically reasonable, within the scope of their respective responsibility for telemedia offered on a commercial basis, ensure through technical and organisational measures that
1. no unauthorised access to the technical equipment used for their telemedia offers is possible and
2. this
(a) against violations of the protection of personal data; and
(b) against disturbances, including those caused by external attacks
are secured. Precautions according to sentence 1 must take the state of the art into account. A measure in accordance with the first sentence is in particular the use of an encryption procedure recognised as secure.
This explicitly affects "service providers of commercially offered telemedia". The private website where you publish your holiday photos or latest recipes therefore remains unaffected. The same applies to small clubs and associations. However, if advertising is placed on a page, this is a so-called business-like action and thus a commercially oriented offer.
Your duties
No. 1 of the new law requires e-commerce providers to protect their systems against unauthorized access. The legislator explains that this is intended in particular to prevent the unintentional and unnoticed downloading of malicious code by the user. In order to prevent such so-called drive-by downloads from being injected into the operator's own website, or at least to make this more difficult, operators should therefore always apply up-to-date patches to close any security gaps that may exist. But that's not all: in the B2B sector, the paragraph stipulates that the provider of a service must also oblige its advertising service providers, by means of contractual safeguards, to take appropriate security measures.
In order to ensure the protection of personal data as described in No. 2, it is sufficient to use an up-to-date encryption procedure for the transmitted data that is recognised as "secure". The current specifications of the BSI (Federal Office for Information Security) can be consulted here for orientation. However, other precautions are also conceivable as an alternative to encryption. Depending on the area of application, an authentication procedure that offers sufficient protection can also be considered.
The legislator does not define exactly what the measures in No. 3, i.e. protection against interference from external attacks, should look like, but it can be assumed that they are primarily intended to prevent DDoS attacks.
Restrictions
All specifications are formulated with one important, albeit vague, reservation, namely that they must be "technically possible and economically reasonable". Since the legislator does not provide clear definitions here, a certain uncertainty remains. Ultimately, it remains a matter of interpretation by the respective court.
Legal consequences and liability
If a provider fails to comply with its obligations pursuant to No. 1, it is liable to fines of up to EUR 50,000 as defined in Section 16 (2) No. 3 TMG. However, the new law can also be interpreted as a market conduct regulation. This would, for example, allow associations or consumer protection organisations to take action under competition law in the event of a violation of Section 13 (7) German Telemedia Act.