One of the basic topics in IT security refers to well-conceived and consequent contingency planning. In many a case, even the future of a company may depend on it. It is often forgotten that contingency planning also involves legal aspects. As a general rule, a corporate organization should be structured in a way to comply with the standards of IT security and contingency planning. For this area, management is responsible, not the IT department. Corporate management is thus obliged to apply the due care and diligence of a prudent merchant. The German Stock Corporation Act and the Commercial Code are very clear about this: Management of every company must comprehensively and in due time catch up on the related risks and, if necessary, provide for corresponding measures in the context of contingency planning. If management boards or CEOs do not comply with their due diligence, they may be held liable personally to pay compensation.
IT contingency planning as stipulated by the Federal Data Protection Act
The German Federal Data Protection Act Bundesdatenschutzgesetz is a good reference for defining an “adequately secure” IT environment. It clearly states how personal data should be protected by technical and organizational means. For example, a catalog describes measures for controlling access to data centers, measures related to admission, access, distribution, entry, order, and availability control as well as the imperative of separate processing of personal data. Especially, availability control is a crucial topic in the context of IT contingency planning: It must be ensured that personal data is protected against accidental destruction or loss. According to the law, an unexpected event may not entail a definite loss of the data. As a consequence, regular backups are required.
Compulsory archiving according to fiscal law
The German Commercial Code stipulates that every merchant (and consequently every company) has to keep records about his/her business and assets. To furnish proof, particular documents have to be kept for a certain period of time. According to the German Federal Ministry of Finance, this is today possible using data carriers “provided that this form of accountancy including the chosen method complies with the principles of proper book-keeping.” The data protection measures are aimed at “avoiding the risks (…) with respect to non-traceability, destruction, and theft.” This can only be ensured by means of an internal control system, which is only possible within the scope of a data backup plan.
Special IT contingency planning in the banking sector
For banks, the German Banking Act Kreditwesengesetz and the supplementary Minimum Requirements for Risk Management (MaRisk) stipulate rules which go even further. The latter are, above all, targeted at establishing adequate management, control, and supervision processes in banks. For emergencies, they request an explicit contingency concept whose efficiency must be checked regularly using emergency drills. This concept must comprise business continuity plans and recovery plans. Alternative solutions should be available in due time if an emergency occurs and it should be possible to return to normal operation within an acceptable period. The Wertpapierhandelsgesetz (German Securities Trade Act) states a series of other organizational requirements applicable to stock service providers. In the loan granting process, it is obligatory for the bank to proceed with a risk assessment of the applicant company, including the achieved degree of IT security. At least in theory, a bank could, before granting the loan, review the IT contingency concept of a company and adjust the interest rate according to the result. In practice, however, this is hardly ever done.
Practical implementation of IT contingency planning
In the meantime, there are a number of standards and guidelines governing the practical implementation of IT contingency planning. The most prominent example is the BSI Standard 100-4. It describes an autonomous management scheme for business continuity and emergency recovery. Detailed procedures and concrete measures can also be found in standards such as ISO 27001, ISO 20000, or PAS77. From a legal perspective, compliance with such standards strongly implies that the legal requirements have been met. However, some measures stipulated in the standards are much too far-ranging for smaller companies. In recognition of this fact, the government only stipulates measures which are in reasonable proportion to the intended protective purpose. This means in practice that the measures are adjusted on a case-by-case basis to reflect the sensitivity of the data, the hazard degree, and the available technology. In the end, the numerous standards only provide a non-binding guideline. While weekly backups may be sufficient in one company, others require immediate real-time mirroring. Anyway, it has become clear that a working data backup procedure is a must for any company, independently of the legal provisions.
Source: “Auf der sicheren Seite”, article in German language by Mark Münch, specialist solicitor for IT law, published in the April 2013 issue of the IT Administrator magazine.