Term and Legal Framework: Security
The term “Security” carries a range of meanings in the legal context. Borrowed from English, where it denotes safety and protection, it is used in several areas of law, in particular private security services, securities (financial instruments), and data protection and IT security. The following article gives a legal overview of the term and explains the relevant statutes, obligations, and meanings.
1. Security as a Security Service
1.1. Legal Definition and Authorization Requirements
In the field of security services, Security refers to the private security and guarding industry. Under § 34a of the German Trade Regulation Act (GewO), operating a guarding business requires a license from the competent authority. The applicant must prove personal reliability, orderly financial circumstances, and competence, the latter by passing the competence examination (Sachkundeprüfung) pursuant to the Guarding Ordinance (BewachV); guarding staff must in turn be reliable and have at least completed the prescribed instruction (Unterrichtung), or hold the competence certificate for the activities that require it.
1.2. Contractual Basis and Liability
Security services are generally provided under service contracts (§§ 611 et seq. of the German Civil Code, BGB) or, where a specific result is owed, under contracts for work (§§ 631 et seq. BGB). Security companies owe specific duties of care; breaches can give rise both to contractual claims (§ 280 BGB) and to tort claims (§ 823 BGB). Liability is frequently limited by contract, but such limitations are subject to statutory limits: liability for intent cannot be excluded in advance (§ 276 (3) BGB), and in standard terms liability for gross negligence and for injury to life, body or health cannot be excluded either (§ 309 No. 7 BGB).
1.3. Data Protection in the Security Industry
The processing of personal data by security services is governed by the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Video surveillance of publicly accessible areas in particular requires a documented balancing of the legitimate security interest against the rights of the persons recorded (Art. 6 (1)(f) GDPR; § 4 BDSG), together with transparent signage (Art. 13 GDPR) and limited retention of the footage (Art. 5 (1)(e) GDPR).
2. Security in Financial and Capital Markets Law
2.1. Definition: Security as a Security (Financial Instrument)
In Anglo-American usage, a “security” is primarily a financial instrument. The German counterpart is the “Wertpapier” and, more broadly, the “Finanzinstrument”: § 2 of the German Securities Trading Act (WpHG), implementing Directive 2014/65/EU (MiFID II, Markets in Financial Instruments Directive), covers shares, bonds, certificates, options and other derivatives, and further financial instruments traded on a trading venue or over the counter.
2.2. Issuance, Trading and Investor Protection
The issuance and distribution of securities are strictly regulated in Germany and the EU. Disclosure obligations for issuers follow from the EU Prospectus Regulation (EU) 2017/1129 and the German Securities Prospectus Act (WpPG), which supplements it; the Federal Financial Supervisory Authority (BaFin) monitors compliance. To protect investors, providers are subject to extensive information, disclosure, and documentation obligations under the WpHG and other supervisory provisions, including the Anti-Money Laundering Act (GwG) to prevent financial crime.
2.3. Criminal and Civil Consequences of Violations
Breaches of capital market law obligations can result in both criminal consequences (insider dealing and market manipulation are prohibited by Arts. 14 and 15 of the Market Abuse Regulation (EU) No 596/2014 and punishable under § 119 WpHG) and civil claims, for example damages for intentional damage contrary to public policy under § 826 BGB.
3. Security in IT and Data Protection Law
3.1. IT Security as Part of Corporate Compliance
In the sense of information security, Security refers to all measures protecting the confidentiality, integrity, and availability of information and of the IT systems that process it. In German law the requirements derive in particular from the BSI Act (BSIG), as amended by the IT Security Act (IT-SiG) and IT Security Act 2.0, from Art. 32 GDPR, and from sector-specific laws such as the Telecommunications Act (TKG).
3.2. Notification Obligations and Liability in Case of Security Incidents
Operators of critical infrastructures (KRITIS) must report significant disruptions of their IT systems to the Federal Office for Information Security (BSI) without undue delay under the BSI Act (BSIG). Independently of sector, controllers must notify personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (Art. 33 GDPR) and, where the breach is likely to result in a high risk, communicate it to the affected individuals (Art. 34 GDPR). Failing to do so can lead to fines, claims for damages, and supervisory orders up to a ban on processing (Art. 58 (2)(f) GDPR) or, in licensed sectors, withdrawal of the license.
4. Legal Aspects of the Use of the Term in International Contexts
4.1. Different Understandings in Law
While the term Security in German legal usage primarily relates to security services and to data and IT protection, in Anglo-American law “security” predominantly refers to a financial instrument, and in contract practice also to collateral for a debt. In international contracts and disputes the intended meaning should therefore be defined expressly, so that a clause on “security” is not read as protective measures by one party and as collateral or financial instruments by the other.
4.2. International Agreements and Harmonization
Numerous international instruments (e.g., EU directives and regulations on capital markets law and on IT and information security) aim to harmonize the legal situation and to ensure cross-border investor protection as well as common IT security standards.
Summary of the Legal Significance of Security
The term Security plays a multifaceted role in German and international law. It covers security services in the private security industry, the regulation of securities, and IT security and data protection. Each area is governed by specific legal provisions and supervised by its own authorities. A differentiated legal analysis is essential in order to minimize liability risks, comply with legal requirements, and safeguard the rights of all parties involved.
Sources
- German Civil Code (BGB)
- Trade Regulation Act (GewO)
- Guarding Ordinance (BewachV)
- German Securities Trading Act (WpHG)
- Directive 2014/65/EU (MiFID II)
- General Data Protection Regulation (GDPR)
- IT Security Act (IT-SiG) and BSI Act (BSIG)
- Federal Data Protection Act (BDSG)
Frequently Asked Questions
What legal requirements must companies consider in the field of IT security?
Companies are bound, with respect to IT security, by a variety of legal regulations at both national and European level. The central regulation is the General Data Protection Regulation (GDPR), whose Art. 32 sets out requirements for the security of processing. Companies must implement technical and organizational measures (TOMs) that ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing; Art. 32 (1) expressly names pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore availability after an incident, and a process for regularly testing and evaluating the measures. In addition, national laws apply, such as the Federal Data Protection Act (BDSG), the Telemedia Act (TMG, replaced in May 2024 by the Digital Services Act, DDG), the Telecommunications-Telemedia Data Protection Act (TTDSG, renamed TDDDG in 2024), and the BSI Act as amended by the IT Security Act 2.0 (IT-SiG 2.0). These govern the protection of personal data, IT security requirements for critical infrastructures (KRITIS), notification obligations in the event of security incidents, and sector-specific standards. For companies, this means they must continually keep their IT systems at the state of the art, assess risks, and, where necessary, involve external service providers in fulfilling their security duties. Non-compliance may result in severe fines and civil liability.
What notification obligations exist in the event of security incidents?
Companies are required by various laws to report security incidents. Under Art. 33 GDPR, a personal data breach must be notified to the competent data protection supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a processor must inform the controller without undue delay (Art. 33 (2)), and every breach, including those not notified, must be documented (Art. 33 (5)). Where the breach is likely to result in a high risk, the affected persons must also be informed (Art. 34 GDPR). In addition, the BSI Act (as amended by the IT Security Act) imposes notification obligations on operators of critical infrastructures (KRITIS) regardless of whether personal data is involved, for example in the event of attacks on IT systems; the designated contact point, in particular the Federal Office for Information Security (BSI), must be informed. Omitted or late notifications can result in significant fines and further legal consequences. In some cases, other stakeholders, such as business partners, must also be informed under contractual clauses. Companies should therefore establish an internal reporting and incident response plan that meets these deadlines and documentation requirements.
What liability risks exist in the event of violations of security requirements?
The liability risks in the area of IT security are complex: companies can be held liable both under civil and public law. Under Art. 83 (4) GDPR, breaches of the security-of-processing and notification obligations (Arts. 32 to 34) can be fined up to 10 million euros or 2% of worldwide annual turnover, whichever is higher; breaches of the basic principles, of data subjects' rights, or of the transfer rules reach the upper tier of 20 million euros or 4% (Art. 83 (5)). In addition, if security obligations are negligently or intentionally disregarded and damage occurs (e.g., through data loss, data leakage, or system failures), affected individuals can claim compensation for material and non-material damage (Art. 82 GDPR). Competitors or contractual partners may also assert claims if they suffer economic loss because of insufficient security. Employees are liable only to a limited extent within the scope of their duties. Managing directors or board members may be personally liable if they fail to fulfill their organizational and supervisory duties.
What role do contracts with service providers play in the field of security?
Contracts with external service providers, especially processors (Art. 28 GDPR), are a central element of legally compliant IT security. Art. 28 (3) GDPR requires the company to contractually ensure that the service provider implements and documents appropriate technical and organizational measures, processes data only on documented instructions, binds its staff to confidentiality, grants audit, control, and information rights, assists with data subject requests and breach notifications, and reports security incidents without undue delay. The contract must also regulate the return or deletion of data at the end of the engagement and should provide for sanctions in the event of violations. Subcontractors may be engaged only with the company's prior specific or general written authorisation and under equivalent contractual obligations (Art. 28 (2) and (4)). Compliance with these obligations must be continuously monitored and documented.
How is the state of the art to be legally assessed and fulfilled?
The “state of the art” is a dynamic legal concept used both in Art. 32 GDPR and in the BSI Act. Legally, it means that companies must implement security measures that reflect the current level of technical development, balancing the implementation effort against the level of protection required. Relevant reference points include published standards (e.g., ISO/IEC 27001, the BSI IT-Grundschutz methodology), BSI technical guidelines, and recognized industry practice, such as the TeleTrusT guideline on the state of the art. Companies must regularly assess whether their measures still meet the state of the art and whether updates or additional measures are needed. This requires ongoing risk analysis and documentation. Falling below the state of the art can be treated as negligence, in serious cases gross negligence, and lead to liability.
Are employees required to comply with certain IT security measures?
Yes. From a legal perspective, employees have both employment law and data protection obligations to participate in IT security measures. Employers must issue binding instructions through IT policies, work instructions, and training to ensure compliance with specific requirements (such as password and authentication rules, handling of sensitive data, and reporting of irregularities). Compliance must be monitored, sanctioned where necessary, and regularly reviewed. The company remains responsible for issuing explicit and understandable instructions and for ensuring employees are adequately trained. Breaches of duty can result in warnings or, in the case of repeated infringement, further employment law consequences.
What special requirements apply to international data transfers in the context of security?
International data transfers, especially to third countries outside the EU/EEA, are subject to the strict requirements of Chapter V GDPR (Arts. 44 to 49). In addition to appropriate security measures at the state of the art, it must be ensured that the level of data protection in the recipient country is essentially equivalent to the European standard. This is usually achieved through adequacy decisions of the EU Commission (Art. 45), standard contractual clauses (Art. 46 (2)(c)), or binding corporate rules (Art. 47). Following the CJEU's Schrems II judgment (C-311/18), the exporter must also assess the risk of government access to the data in the recipient country (transfer impact assessment) and, where necessary, implement supplementary measures such as strong encryption with keys held in the EU. Documentation of the technical and organizational security measures is mandatory and must be demonstrable to the authorities. Violations can result in high fines and civil liability.