Product warnings due to security vulnerabilities on the rise

Among the more informal but nonetheless onerous forms of state intervention are official warnings. For companies, warnings about their products issued with the authority of government agencies can have significant consequences. The loss of image and revenue can be considerable. After the German Federal Office for Information Security (BSI) warned against virus protection software, the authority has now issued its first product warning against a wireless door lock and thus against a hardware product. Manufacturers should take this development as an opportunity to prepare for corresponding scenarios.

The number of warnings continues to increase, especially for digital products. A BSI warning about the Russian antivirus software Kaspersky caused a stir at the start of the year. In addition, data protection supervisory authorities also feel called upon time and again to issue abstract warnings about products that actually, or merely supposedly, cannot be used in a way that complies with data protection requirements. Since these warnings are encroachments on fundamental rights, a sufficiently specific basis for authorisation is required in each case. Unlike the data protection supervisory authorities, the BSI has a corresponding basis of authorisation in § 7 of the BSI Act. Among other things, this section stipulates that the BSI must inform the manufacturers of affected products before issuing a warning. Nevertheless, the power to issue warnings is not limitless. If the factual prerequisites are met, the warning is at the discretion of the authority. Such discretion is only properly exercised if the warning is factually correct and proportionate. Furthermore, the warning must not run counter to equality. It follows from the general principle of equality in the Basic Law that the selection may not be made arbitrarily. The question of why certain products are to receive public warnings while others are not must be answered in a comprehensible manner.


For companies, this means three things. Firstly, the growing number of warnings makes it clear that companies must take cybersecurity seriously and should include a protected channel for security updates in the product design of digital products. A warning can still be averted through a timely update. Secondly, companies should define an internal process for dealing with product warnings and clarify which specialist departments are to be involved in the event of an emergency. In addition to the product development and legal departments, public relations in particular should be considered here. Thirdly, companies should check the legality of the warnings in serious cases; the legal basis of § 7 of the BSI Act is not limitless. If legal powers are exceeded, companies are entitled to injunctive relief and damage compensation claims.

