Destruction of Data Processing Systems

Destruction of data processing systems

Die Destruction of data processing systems in the legal context refers to the intentional or negligent rendering unusable, damaging, or destroying of technical equipment used for automated data processing. The term plays a significant role particularly in criminal, civil, and IT law, as the protection of electronic infrastructure is of central importance for the information society. In addition to physical damage, the legal development also includes electronic and software-related attacks on data processing systems.

Conceptual distinction and definition

The term data processing systems is understood to include all devices, systems, and components used for the electronic collection, storage, processing, or transmission of data. This includes in particular computers, servers, network infrastructures, storage drives, routers, modems, as well as peripheral devices and embedded systems in specialized machines.Destruction in the legal sense means any action that significantly impairs the affected system to such an extent that its intended use is permanently or at least for a significant period no longer possible. This includes, in addition to complete physical destruction, among others:

• mechanical damage (e.g., smashing hard drives)
• electrical overload (e.g., causing a short circuit)
• irreversible software-based attacks (e.g., deleting firmware or operating systems)
• transmission of malware resulting in irreparable loss of functionality

The terms “rendering unusable” and “damaging” are often used additionally and already cover the partial impairment of functionality.

Legal classification

Criminal law provisions

Der Protection of data processing systems is in particular the subject of specific criminal offenses under German law. The central regulation is § 303b of the Criminal Code (StGB) – “computer sabotage.” In addition, further offenses may apply, particularly:

• § 303 StGB (criminal damage)
• § 202a StGB (data espionage)
• § 202b StGB (data interception)
• § 303a StGB (data alteration)

§ 303b StGB – Computer sabotage

§ 303b StGB protects data processing procedures as well as the technical equipment used against attacks that are capable of impairing proper data processing and functionality. Devices for electronic data processing are expressly also protected. The provision covers not only physical destruction but also electronic manipulation if it leads to significant disruption.

The scope of application ranges from attacks on individual computers to server farms and critical infrastructures (e.g., energy supply, telecommunications). The penalty begins with imprisonment of up to three years or a fine, in severe cases (e.g., attacks on vital facilities) up to ten years.

§ 303 StGB – Criminal damage

If the special provision of § 303b StGB does not apply, criminal liability under § 303 StGB is also possible depending on the circumstances, provided that the data processing system is considered a “thing” within the meaning of the law and unlawful destruction or damage occurs.

Claims for damages and liability law

Die Destruction of data processing systems may entail significant claims for damages under civil law. According to §§ 823 para. 1, 826 of the German Civil Code (BGB), the injurer is liable for compensation of the material damage caused by intentional or negligent action. In addition to the value of the damaged system, consequential losses such as business interruptions or data loss can also be claimed.

For employees, special liability relief may apply under labor law (liability privilege for slight negligence). Manufacturers can be liable under product liability if unwanted destruction of systems occurs due to faulty systems.

Public law regulations and compliance requirements

In sensitive sectors (energy supply, healthcare, financial sector), there are additional legal and regulatory requirements for protecting data processing systems:

• IT Security Act (IT-SiG) requires operators of so-called critical infrastructures to take special measures to ensure the integrity and availability of systems.
• Data protection regulations (in particular the GDPR) require technical and organizational measures to protect personal data on IT systems.
• Industry-specific guidelines and technical standards (e.g., BSI IT-Grundschutz) specify protection goals and preventive measures against destruction incidents.

Types of offenses and attack methods

Physical destruction

This involves direct attacks on hardware, such as smashing, burning, cutting, or otherwise rendering systems and components unusable.

Digital sabotage

Virtual attacks include introducing malware, ransomware, targeted deletion or manipulation of system data, and distributed denial-of-service attacks that provoke overloads and failures of servers.

Combined attacks

In some cases, destruction occurs through a combination of physical and digital means, for example when malware causes overheating of hardware components, which are then physically destroyed.

Criminal complaints, prosecution and procedural issues

Investigations are generally initiated ex officio and, in minor cases, a criminal complaint from the injured party may be required (§ 303c StGB). IT forensic reports and securing electronic traces are of considerable importance in the evidentiary process.

International legal situation and harmonization

There are also regulations at the European and international level for the protection of IT infrastructures:

• Die Budapest Convention (Convention on Cybercrime, Cybercrime Convention) defines minimum standards for the prosecution of relevant offenses.
• Die EU Directive 2013/40/EU on attacks against information systems harmonizes criminal liability within the European Union.

Preventive protection measures

Legislators and companies rely on extensive prevention, such as access controls, network segmentation, use of firewalls and intrusion detection systems, and backups for recovery after destruction incidents. Insurance against IT risks offers additional financial protection.

Literature

• Fischer, Thomas: Strafgesetzbuch und Nebengesetze, commentary, current edition
• Bock, Stefan: Computer criminal law, C.H. Beck, 2019
• U. Sieber (Ed.): Cybercrime and computer criminal law, 2012

Weblinks

• § 303b StGB – Criminal Code (dejure.org)
• BSI IT-Grundschutz – Federal Office for Information Security

Frequently asked questions

What are the legal consequences of intentionally destroying data processing systems?

The intentional destruction of data processing systems is criminally relevant in Germany and can be prosecuted in particular under § 303b of the Criminal Code (StGB) – computer sabotage. Anyone who intentionally destroys, damages, renders unusable, alters, or removes a data processing system belonging to another or serving the public interest can be punished with up to five years’ imprisonment or with a fine. If the destruction concerns systems of significant importance for another business, a company, an authority, or public supply, this constitutes a qualified offense and the penalty is accordingly increased. Additionally, depending on the severity of the act, the injured party may assert civil claims for damages, e.g., under §§ 823 ff. BGB. Furthermore, in the employment law context, employment law sanctions, up to and including summary dismissal, may be threatened if the act was committed by an employee in the context of their employment.

Is the attempt to destroy data processing systems also punishable?

Yes, according to § 303b paragraph 3 StGB, the mere attempt at computer sabotage is punishable. This means that criminal consequences may arise even if someone undertakes actions to destroy or damage a data processing system but does not achieve the intended result—the act is halted at the attempt stage. In such cases, the penalty may be reduced, but criminal liability still exists. The prerequisites for the attempt are met if the perpetrator begins to commit the act in accordance with their intention, regardless of whether the harm actually occurs.

How does the law define a “data processing system” in the legal context?

The term data processing system is not conclusively defined in the law; however, it is understood to mean all technical systems used for the automated processing of data. These include individual computers, servers, networks, storage systems, and other hardware components. Relevant cloud infrastructures and mobile devices can also be included, provided they are capable of automated data processing. The determining factor is that the system is intended and suitable for processing data independently according to certain programs. The case law applies strict requirements to the technical context and functionality.

What special considerations apply to data processing systems owned by public entities?

For data processing systems owned by authorities or institutions of significant public interest, stricter standards and a higher public interest in criminal protection usually apply. The increased penalty provision in § 303b para. 4 StGB (particularly serious case of computer sabotage) requires, among other things, that the offender endangers the supply of the population with essential goods or services or causes a significant disturbance to public safety and order. In the case of attacks on critical infrastructure systems, as listed for example in the KRITIS Regulation, additional criminal provisions such as § 317 StGB (disruption of public enterprises) may also apply. In such cases, the public interest is protected by priority prosecution and, in some cases, higher penalties.

What civil law claims may injured parties have in the event of destruction of data processing systems?

If a person or company suffers damage due to the destruction of their data processing system, the injured party generally has civil claims, especially under §§ 823 para. 1 (tort) or para. 2 BGB in conjunction with a protective law (e.g., § 303b StGB). The injured party may claim compensation for their material damage: this includes the costs for repair, replacement of hardware and software, data recovery, possible loss-of-use compensation, as well as consequential damages due to business interruptions. Depending on the individual case, there may also be claims for pain and suffering (in the case of affected natural persons) or compensation for lost profits. The prerequisite is always a demonstrable causal connection between the action, the damage, and the unlawfulness.

What role does the motive or intent play in criminal law assessment?

The level of criminal liability is essentially determined by the degree of intent. For criminal liability under § 303b StGB, intent is required, i.e., the perpetrator must deliberately and knowingly cause the destruction of the data processing system or at least accept it. Negligent actions are generally not covered and not prosecuted, unless the law explicitly penalizes them. However, negligent destruction may be relevant under special legal provisions or in civil law (damages for negligence according to § 823 para. 1 BGB). If the destruction occurs in the course of other offenses (e.g., sabotage with political, economic, or ideological motivation), the motive may aggravate or mitigate the sanction.

Are there any special rules on statutes of limitation in connection with the destruction of data processing systems?

For criminal prosecution of the intentional destruction of a data processing system, the general limitation periods under §§ 78 ff. StGB generally apply. For the offenses of § 303b StGB, the limitation period is usually five years (see § 78 para. 3 no. 4 StGB); in particularly serious cases pursuant to § 303b para. 4 StGB, it may be up to ten years. In civil law, the standard limitation period for claims for damages under § 195 BGB is three years from the end of the year in which the claim arose and the injured party became aware of the person and circumstances of the damage or should have become aware without gross negligence. In special cases (e.g., intentional immoral conduct), the period can be extended to ten years.