Product warnings due to security vulnerabilities on the rise

Among the more informal but nonetheless onerous forms of state intervention are official warnings. For companies, warnings about their products issued with the authority of government agencies can have significant consequences. The loss of image and revenue can be considerable. After the German Federal Office for Information Security (BSI) warned against virus protection software, the authority has now issued its first product warning against a wireless door lock and thus against a hardware product. Manufacturers should take this development as an opportunity to prepare for corresponding scenarios.

The number of warnings continues to increase, especially for digital products. A BSI warning about the Russian antivirus software Kaspersky caused a stir at the start of the year. In addition, data protection supervisory authorities also feel called upon time and again to issue abstract warnings about products that actually, or merely supposedly, cannot be used in a way that complies with data protection requirements. Since these warnings are encroachments on fundamental rights, a sufficiently specific basis for authorisation is required in each case. Unlike the data protection supervisory authorities, the BSI has a corresponding basis of authorisation in § 7 of the BSI Act. Among other things, this section stipulates that the BSI must inform the manufacturers of affected products before issuing a warning. Nevertheless, the power to issue warnings is not limitless. If the factual prerequisites are met, the warning is at the discretion of the authority. Such discretion is only properly exercised if the warning is factually correct and proportionate. Furthermore, the warning must not run counter to equality. It follows from the general principle of equality in the Basic Law that the selection may not be made arbitrarily. The question of why certain products are to receive public warnings while others are not must be answered in a comprehensible manner.


For companies, this means three things. Firstly, the growing number of warnings makes it clear that companies must take cybersecurity seriously and should include a protected channel for security updates in the product design of digital products. Warnings can still be averted through a timely update. Secondly, companies should define an internal process for dealing with product warnings and clarify which specialist departments are to be involved in the event of an emergency. In addition to the product development and legal departments, public relations in particular should be considered here. Thirdly, companies should check the legality of the warnings in serious cases; the legal basis of § 7 of the BSI Act is not limitless. If legal powers are exceeded, companies are entitled to injunctive relief and damage compensation claims.


