Ruling: TLS encryption for email invoices to private customers not enough?

The case of a private customer invoice sent by email that was manipulated by criminals went to court. The crux of the matter: encryption.

By Stefan Hessel

A recent ruling by the Higher Regional Court (OLG) of Schleswig-Holstein has caused quite a stir: In future, companies that send invoices by email will have to check carefully whether simple TLS transport encryption is still sufficient. The court sees the need for end-to-end encryption – with potential consequences for the entire B2C sector, particularly in the case of high financial risks.

The recently published ruling of December 18, 2024 (Ref. 12 U 9/24) deals with a case of invoice fraud in digital business transactions. A building contractor had sent a final invoice of over 15,000 euros by email to a private client for the proper installation of a heating system. However, the invoice was manipulated by criminals on its way to the recipient. They not only changed the bank details, but also the color scheme and other details of the document. According to the court, it was not possible to conclusively clarify how exactly a manipulated invoice was able to reach the client.

However, the client did not notice the manipulation and transferred the money to the account of an online bank – instead of to the construction company. The contractor then demanded payment again. However, the client refused on the grounds that the invoice had been sent unprotected by email and that he had suffered a loss as a result. He asserted a claim for damages in the same amount.

The Higher Regional Court of Schleswig-Holstein ruled that the contractor's original claim was still valid. The incorrect transfer to the manipulated account details does not release the client from his obligation to pay.


However, the court also awarded the client a claim for damages in the same amount against the construction company. The reason: In the court's opinion, the unprotected sending of the invoice by email is a violation of the General Data Protection Regulation (GDPR), specifically Article 82, which grants data subjects a claim for damages in the event of data protection violations.

The ruling shows that invoices sent by email contain personal data, including the name, address and billing information of the client. The communication therefore falls within the scope of the GDPR. The construction company was therefore obliged under Art. 32 GDPR to take appropriate technical and organizational measures to ensure the security of the data. In the opinion of the court, this had not been done sufficiently in this case.

According to the court, the transport encryption used did not provide adequate protection, as the invoice could be manipulated by third parties. The GDPR does not contain any clear specifications as to when and to what extent encryption is required. However, the risk-based approach is decisive: the higher the potential risk for data subjects, the stricter the protective measures must be.

The court assessed the financial risk for the client in this case as high, as a falsified invoice can have considerable economic consequences. Therefore, end-to-end encryption should have been used as an additional security measure to protect the confidentiality of the transmitted data.

The decision is reminiscent of a ruling by the Higher Regional Court of Karlsruhe from July 27, 2023 (case no. 19 U 83/22). In the legal dispute, which involved two companies, the court ruled that there are no legal requirements for security measures. Rather, the decisive factor was the legitimate security expectations of the respective business transactions and the reasonableness of corresponding measures. It is therefore also clear that the ruling of the Higher Regional Court of Schleswig-Holstein cannot be applied to the sending of invoices between companies by email.

Companies are obliged to prove that their security measures meet the requirements of the GDPR. According to Art. 5 para. 2 and Art. 24 GDPR, the so-called burden of presentation and proof lies with the data controller, i.e. the company that sends the emails. This means that companies must not only take measures, but also document them and provide evidence in the event of a dispute. However, the construction company had not provided enough information on the protective measures taken.

The ruling therefore leaves one crucial question unanswered: whether the inadequate encryption was actually the cause of the fraud. The judges were able to assume causality without having to examine it in detail. Whether end-to-end encryption alone could have prevented prior manipulation of the invoice can hardly be said given the unclear attack vector.

There is no general obligation for end-to-end encryption in communications between companies or between companies and consumers. However, companies must carry out a risk analysis and be able to prove that their chosen protective measures are appropriate for the risk in question.

In practice, this will usually lead to a graduated solution – depending on the sensitivity of the transmitted data and the potential risk of misuse. It should also be noted in this context that it has not yet been conclusively clarified whether the consent of the recipient is sufficient to dispense with stronger encryption and instead only use transport encryption. However, there are good legal arguments in favor of this possibility.

And otherwise, as the court notes, there is still a way for companies in the B2C sector that can be taken without major technical and financial expense: Sending invoices by post.

(kbe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.