Among the more informal but nonetheless onerous forms of state intervention are official warnings. For companies, warnings about their products issued with the authority of government agencies can have significant consequences. The loss of image and revenue can be considerable. After the German Federal Office for Information Security (BSI) warned against virus protection software, the authority has now issued its first product warning against a wireless door lock and thus against a hardware product. Manufacturers should take this development as an opportunity to prepare for corresponding scenarios.
The number of warnings continues to increase, especially for digital products. A BSI warning about the Russian antivirus software Kasperskycaused a stir at the start of the year. In addition, data protection supervisory authorities also feel called upon time and again to issue abstract warnings about products that can actually or merely supposedly not be used in a way that complies with data protection requirements. Since these warnings are encroachments on fundamental rights, a sufficiently specific basis for authorisation is required in each case. Unlike the data protection supervisory authorities, the BSI has a corresponding basis of authorisation in § 7 of the BSI Act . Among other things, this section stipulates that the BSI must inform the manufacturers of affected products before issuing a warning. Nevertheless, the power to issue warnings is not limitless. If the factual prerequisites are met, the warning is at the discretion of the authority. Such discretion is only properly exercised if the warning is factually correct and proportionate. Furthermore, the warning must not run counter to equality. It follows from the general principle of equality in the Basic Law that the selection may not be made arbitrarily. The question of why certain products are to receive public warnings while others are not must be answered in a comprehensible manner.
For companies, this means three things. Firstly, the growing warnings make it clear that companies must take cybersecurity seriously and should include a protected channel for security updates in the product design of digital products. Warnings can still be averted through a timely update. Secondly, companies should define an internal process for dealing with product warnings and clarify the specialist departments that are to be involved in the event of an emergency. In addition to the product development and legal departments, public relations in particular should be considered here. Thirdly, companies should check the legality of the warnings in serious cases; the legal basis of § 7 of the BSI Act is not limitless. If legal powers are exceeded, companies are entitled to injunctive relief and damage compensation claims.back