If the information, business processes and IT systems of an institution are inadequately
protected (for example, as a result of inadequate security management), this can result in
violations of regulations relating to information processing or of existing contracts with
business partners. The relevant laws to be followed depend on the type of organisation and/or
its business processes and services. Depending on the locations of the organisation, various
national regulations may need to be followed. This is illustrated by the following examples:
• In Germany, the handling of personal data is governed by a large number of
regulations. These include the Federal Data Protection Act and the State data protection
laws, but also many industry-specific provisions.
• The management of a company is obliged to exercise due care for all business
processes. This includes the consideration of recognised security safeguards. In
Germany, various legal regulations such as KonTraG (Control and Transparency in
Business Act), GmbHG (Law on Private Limited (Liability) Companies) or AktG (Public
Companies Act) are in force, from which corresponding obligations to act and liabilities
of the management and/or the board of directors of a company regarding risk
management and information security can be derived.
• The proper processing of accounting-relevant data is regulated by various laws and
regulations. In Germany, these include, among others, the Commercial Code (e.g.
Sections 238 ff. of the HGB) and the General Tax Code (AO). Proper processing of
information necessarily includes its secure processing. In many countries, both must be
demonstrated on a regular basis, for example to the external auditors within the scope of
the audit of the financial statements. If that audit reveals major security deficiencies, an
unqualified (positive) audit opinion cannot be issued.
• In many industries (e.g. the automotive industry) it is common practice that
manufacturers require their suppliers to comply with certain quality and safety
standards. In this context, requirements regarding information security are also being
specified to an increasing extent. If a contract partner fails to meet contractually
regulated security requirements, this can result in contractual penalties, but also
contract terminations or even the loss of business relationships.
Only a few concrete security requirements are specified directly in laws. As a rule, however,
the law refers to the state of the art as the general yardstick for assessing the level of
security that can reasonably be expected. If an organisation's existing security safeguards
are not proportionate to the values to be protected and to the state of the art, this can
have serious consequences.