Cybersecurity and labor law – The role of HR in IT security and the protection of confidential information.

Employees as firewalls or gateways for hackers: What provisions do employment contracts need to include?

According to the German Federal Office for Information Security (BSI), IT security is only as good as the people who use the systems. Making employees part of the solution rather than part of the problem, and turning them into a security factor, requires clear agreements on data protection and the protection of confidential information, especially when they work from home.

According to the digital industry association Bitkom, the German economy loses around 223 billion euros every year to theft, sabotage and espionage carried out via cyber attacks, roughly double the figure for 2018 and 2019. Most attacks exploit the "human factor", which is regarded as the weakest link in the security chain when it comes to obtaining sensitive data such as passwords. The increase in remote work from home as a consequence of the COVID-19 pandemic is seen as an additional attack vector.

To counteract these trends, companies need to invest in technology that improves IT security and information protection. They also need to train employees so that they recognise the constantly changing and increasingly sophisticated tricks used by attackers. Employment contracts are a third element. Under the Business Secrets Act (GeschGehG), which entered into force in April 2019, companies can only claim legal protection for their know-how and information if they can prove that they took appropriate legal, technical and organisational confidentiality measures.

IT security needs to be included in employment contracts

For example, employment contracts and company agreements need to include confidentiality and non-disclosure provisions (non-disclosure agreements) covering business secrets such as customer lists, margins, business strategies, recipes or manufacturing processes. General catch-all clauses, however, do not provide the necessary protection: companies have to define precisely which information is to be kept secret.

Absent a specific agreement, employees are under no statutory obligation to maintain a particular level of security for company data on the devices they use. It is therefore advisable to implement guidelines on data protection and the protection of business secrets by way of a company agreement or an ancillary agreement to the employment contract. Such guidelines can stipulate, for instance, that the screen lock must be password-protected, that anti-virus software must be running and that security updates must be installed promptly. They should also settle the questions that otherwise remain open: What criteria must passwords meet? How often, if at all, must they be changed? On the last point, the current BSI IT-Grundschutz guidance and NIST SP 800-63B no longer recommend forced periodic password changes; passwords should be changed when there is reason to suspect compromise, so a policy that mandates rotation every few weeks is not a requirement of current best practice.

Remote work simplifies hacker attacks

Working remotely offers cybercriminals numerous attack opportunities. Even when employees work remotely, the employer remains responsible for ensuring that the legal requirements governing data protection and IT security are met. Employees who access the company network from personal laptops or PCs without reliable malware protection pose a major risk. Protecting data in transit via a virtual private network (VPN) connection is therefore recommended, bearing in mind that a VPN secures the connection but not the endpoint: an unpatched or infected home PC connected over VPN still reaches the internal network. As we have already reported, a company agreement on remote work, or a corresponding ancillary agreement to the employment contract, also needs to regulate the IT security requirements for working at home. The use of personal devices or USB sticks, the storage of company data on personal storage media, and access by other members of the household or visitors all need to be expressly prohibited.

Warning or termination if IT security provisions are violated

If companies provide their employees with regular cybersecurity training and distribute appropriate guidelines, supervisors are entitled to issue a warning when an employee violates those rules. According to case law, in the worst case an employee who fails to comply with IT security rules may even face termination. Under certain circumstances, the employer may also be entitled to claim damages. While the financial loss caused by reputational damage among customers and business partners is often hard to quantify, it is far easier to put a number on a ransom demanded by attackers in return for restoring access to company data.

Protection against cybercriminals requires close cooperation within the company, encompassing management, IT security, the data protection officer, the compliance officer, the legal department and HR. IT security issues need to be addressed in employment contracts, company agreements and the rules governing remote and hybrid work. In addition, HR managers need to review existing employment contracts and company agreements regularly to ensure that they still meet current requirements for IT security and the protection of confidential information.