G 0.29 Violation of Laws or Regulations

If the information, business processes, and IT systems of an organization are inadequately protected (for example, through inadequate security management), this can lead to violations of legal provisions governing information processing or of existing contracts with business partners. Which laws apply depends on the type of organization and on its business processes and services. Depending on where an organization's sites are located, different national regulations may also apply. The following examples illustrate this:

  • The handling of personal data in Germany is governed by a wide range of provisions. These include the Federal Data Protection Act (BDSG) and the data protection laws of the federal states, but also many sector-specific regulations.
  • The management of a company is obliged to exercise appropriate due diligence in all business processes. This includes compliance with recognized security measures. In Germany, legal provisions such as the KonTraG (Law on Corporate Control and Transparency), the GmbHG (Limited Liability Companies Act), and the AktG (Stock Corporation Act) apply, from which corresponding duties to act and liability obligations of the management or board of a company regarding risk management and information security can be derived.
  • The proper processing of accounting-relevant data is governed by various laws and regulations. In Germany, these include, among others, the German Commercial Code (e.g., HGB §§ 238 ff.) and the Fiscal Code (AO). Proper processing of information naturally includes its secure processing. In many countries, both must be demonstrated regularly, for example to auditors as part of the audit of the annual financial statements. If serious security deficiencies are identified in the course of such an audit, no positive audit opinion can be issued.
  • In many industries (e.g., the automotive industry), it is common for manufacturing companies to require their suppliers to comply with specific quality and security standards, and requirements for information security are increasingly being included among them. If a contracting party violates security requirements defined in a contract, this can result in contractual penalties, but also in contract terminations and, ultimately, the loss of business relationships.

Only a few security requirements follow directly from laws. However, legislation and case law generally take the state of the art as the general benchmark for the degree of security that can reasonably be expected. If the security measures in place in an organization are not in reasonable proportion to the assets to be protected and to the state of the art, this can have serious legal and contractual consequences.