Cybersecurity and labor law – The role of HR in IT security and the protection of confidential information.

 Employees as firewalls or gateways for hackers: What provisions do employment contracts need to include?

Dr. Klaus Neumann, Rechtsanwalt der Kanzlei Buse Heberer Fromm
Dr. Klaus Neumann
Rechtsanwalt, Fachanwalt für Arbeitsrecht

Cybersecurity und Arbeitsrecht – Die Rolle von HR bei IT-Sicherheit und Geheimnisschutz.

Blog: Labor Law - Article from 14.12.2021
According to the German Federal Office for Information Security (BSI), IT security is only as good as the people using the systems. Ensuring that employees are part of the solution rather than part of the problem, and serve as a security factor, requires clear agreements regarding data protection and the protection of confidential information – especially when they work from home.

According to the Bitkom digital association, the German economy suffers an overall loss of 223 billion euros every year due to theft, sabotage and espionage via cyber attacks. The damage has doubled since 2018 and 2019. The majority of attacks involve criminals exploiting the “human factor”, given that this is regarded as weakest link in the security chain when it comes to obtaining sensitive data such as passwords. Increased remote work from home as a consequence of the Corona pandemic is also seen as an additional gateway.

To counteract these trends, companies need to invest in technology to ensure greater IT security and information protection. They also need to provide training to make the employees aware of hackers’ constantly new and increasingly sophisticated tricks. Employment contracts are another issue in this regard. According to the Business Secrets Act (GeschGehG), which entered into force in 2019, companies can only claim protection of their expertise and information if they can provide proof of suitable legal, technical and organizational security measures.

IT security needs to be included in employment contracts

For example, employment contracts and company agreements need to include provisions governing confidentiality and non-disclosure of business secrets, such as customer lists, margins, business strategies, recipes or manufacturing processes, known as non-disclosure agreements. Yet at the same time, general catch-all provisions do not provide the necessary protection. Companies have to define exactly what needs to be kept secret.

Employees are not legally obliged to comply with a specific level of security with regard to company data on technical devices. Therefore, implementing guidelines on data protection and the protection of business secrets via a company agreement or as an ancillary agreement to the employment contract is advisable. These guidelines can stipulate that the screen saver has to be password-protected, anti-virus software has to be running and regular updates are mandatory. What about password criteria? How often do passwords need to be changed?

Remote work simplifies hacker attacks

Working remotely offers cybercriminals numerous attack opportunities. Even when employees work remotely, employers remain responsible for ensuring that they comply with the legal requirements governing data protection and IT security. Employees who access the company network via personal laptops or PCs without reliable virus protection pose a major risk. Consequently, safeguarding the data transfer via virtual private network (VPN) connections is recommended. As we have already reported, a company agreement on remote work or a corresponding ancillary agreement to the employment contract also needs to regulate the IT security requirements when working at home. The use of personal devices or USB sticks, saving data on personal storage or allowing access by other residents or visitors all need to be explicitly prohibited.

Warning or termination if IT security provisions are violated

If companies provide their employees with regular training regarding cybersecurity issues, and distribute appropriate guides, supervisors are entitled to issue warnings if employees violate the regulations. Case law states that in the worst case, employees may even face termination if they fail to comply with the IT security regulations. Under some circumstances, employers may even be entitled to claim compensation for damages. Although it is often difficult to put a number to the financial loss incurred by the damage to a company’s reputation among customers and business partners, this is far easier when it comes to ransom demands from hackers in order to regain access to company data.

Protection against cybercriminals requires close cooperation within the company. This cooperation has to encompass the management, IT security, data protection officers, compliance officers, the legal department and HR. IT security issues need to be addressed in employment contracts, company agreements and regulations governing remote and hybrid work. In addition, HR managers need to review existing employment contracts and company agreements on a regular basis to ensure that they continue to fulfill the current requirements for IT security and the protection of confidential information.

Newsletter

Stay up-to-date with the latest news!
Would you like to be informed whenever a new post is published in our labor law blog #LaborLaw by Buse? You wish to know which topic we are going to report on next? Then sign up for our newsletter here:

Works Council Issued Warning for Violation of Works Constitution Act Obligations.

Blog: Labor Law
Works Council Issued Warning for Violation of Works Constitution Act Obligations. Higher Labor Court Baden-Wuerttemberg Confirms possibility of warnings under Works Constitution Act (Ref.: 8 TaBV 3/19).
02.02.2021
Tobias Grambow

Works Council has no Right of Co-Determination in Union Actions.

Blog: Labor Law
Works Council has no Right of Co-Determination in Union Actions. Both employers and works councils are excluded from trade union actions. This is according to a recent decision of the Federal Labor Court (Case No.: 1 ABR 41/18).
29.12.2020
Jan Tibor Lelley

Blog: Labor Law
Works council elections 2022: Determining the elected candidates. Every candidate has to have equal access opportunities.
24.05.2022
Tobias Grambow

Betriebsratswahlen 2022 - Ende der Amtszeit.

Blog: Labor Law
Works council elections 2022 – End of term.
A works council’s term of office generally comes to an end after four years – What exceptions are there?
01.02.2022
Tobias Grambow

Works council elections 2022 – digital, hybrid or analog?

Blog: Labor Law
Works council elections 2022 – digital, hybrid or analog? Is it permitted to hold a works council election using voting software?
01.03.2022
Tobias Grambow

Works council elections 2022 – Appointing the election committee.

Blog: Labor Law
Works council elections 2022 – Appointing the election committee. The works council is generally responsible – Are there exceptions?
25.01.2022
Tobias Grambow
Let’s connect

Do you wish to receive information on recent developments of law, invitations to events or seminars from us? We hereby request your explicit consent.

…Declaration of Consent

BUSE

About us
List of partners
Contact
Imprint
Privacy Policy

 

Arrange a meeting

We can discuss your request directly in a personal meeting. We ensure absolute discretion and professional and honest advice.

…to our offices

© BUSE · Rechtsanwälte Steuerberater Partnerschaftsgesellschaft mbB