IT Security Act: What do website operators need to be aware of?
The IT Security Act is a so-called article law: a single law that amends and expands several existing laws at the same time.
The aim of the law is to keep IT infrastructures in Germany at the highest possible level and to avoid dramatic consequences in the event of supply bottlenecks, especially in critical infrastructures (CRITIS).
However, not only CRITIS operators are affected by the IT Security Act; the legislator also imposes new information security requirements on website service providers. Any operator of a business website is to be regarded as a service provider within the meaning of the law.
Among other things, the IT Security Act has resulted in changes to the Telemedia Act (TMG). Telemedia includes, among other things, websites. The goal to be achieved by the amendments to the TMG is to curb the spread of malware via telemedia.
In Section 13 (7) of the German Telemedia Act (TMG), the legislator requires service providers to take technical and organizational measures ("insofar as this is technically possible and economically reasonable") to prevent unauthorized access to affected IT systems, to protect affected IT systems against interference from external attacks, and to prevent personal data breaches.
Reports from regularly performed penetration tests, for example, can serve as proof that such measures have been implemented. The legislator requires implementation in accordance with the "state of the art".
This term is often used in legislative texts, as the development of technologies is much faster than legislation. National or international auditing standards can be consulted here as a concrete guideline, such as the technical guidelines of the BSI (German Federal Office for Information Security).
Section 13 (7) of the German Telemedia Act (TMG) specifically requires the use of encryption methods that are "recognized as secure". These are intended to protect the users of the website from unauthorized third parties being able to read the transmitted data.
Many protocols used for data transmission on the Internet transmit data in plain text. If an attacker is on the same network (or anywhere between sender and receiver) and manages to redirect the traffic through their own device, they can read the transmitted data (for example, login credentials) with a simple network sniffer.
However, the use of an encryption method alone does not provide absolute security. The protocols used for encryption (for example, TLS), like software, are constantly being developed further and security gaps are being closed.
Older versions are already considered broken in some cases. Website operators must therefore pay attention to which protocols and which versions are supported by the system overall, and not just which are offered preferentially.
Otherwise, an attacker can negotiate a weak protocol version, break the encryption, and read the transmitted traffic, despite encryption.
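The check described above, namely finding out which protocol versions a server will actually complete a handshake with rather than which one it prefers, can be automated. The following script is an added example for auditing your own web server; it is not code from the original article. It uses only the Python standard library: for each TLS version it pins a client context to exactly that version and records whether the handshake succeeds, then classifies the result. The host name used in the main block is a placeholder; TLS 1.0 and 1.1 are treated as the "older versions" to be disabled, which is an assumption of this example rather than a statement of the law.

```python
"""Audit which TLS protocol versions a server accepts (added example, not from the article)."""
import socket
import ssl
from typing import Dict, List, Tuple

# Protocol versions to probe. TLS 1.0/1.1 are treated as weak here (assumption
# of this example); TLS 1.2/1.3 are treated as current.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
WEAK_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def make_pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Build a client context that can negotiate exactly one protocol version."""
    ctx = ssl.create_default_context()
    # Pin both bounds so the handshake cannot fall back to any other version.
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Certificate validation is irrelevant for a version probe and would hide the
    # result on test systems with self-signed certificates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def version_accepted(host: str, port: int, version: ssl.TLSVersion,
                     timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to `version`."""
    try:
        ctx = make_pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: server refused this version; OSError: network failure;
        # ValueError: the local OpenSSL build does not support this version at all.
        return False


def audit_tls_versions(host: str, port: int = 443) -> Dict[str, bool]:
    """Probe every version separately: the 'supported overall' view, not the preferred one."""
    return {name: version_accepted(host, port, v) for name, v in VERSIONS.items()}


def classify(results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Turn an audit result into (compliant, list_of_findings)."""
    findings: List[str] = []
    for name in sorted(results):
        if results[name] and name in WEAK_VERSIONS:
            findings.append(f"{name} is still accepted and should be disabled")
    if not any(results.get(v, False) for v in ("TLSv1.2", "TLSv1.3")):
        findings.append("no current protocol version (TLS 1.2 or 1.3) is accepted")
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    result = audit_tls_versions(target)
    compliant, notes = classify(result)
    for name, accepted in result.items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    print("OK" if compliant else "FINDINGS: " + "; ".join(notes))
```

Run it as `python audit_tls.py your-host.example` against a system you operate. Because each probe pins both the minimum and the maximum version, a server that merely prefers TLS 1.3 but still answers a TLS 1.0 handshake will show up with `TLSv1.0: accepted`, which is exactly the configuration the article warns about.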
Conclusion
Ensuring the confidentiality and integrity of user data should be a top priority for website operators even without the IT Security Act. If systems are compromised and customer data leaks out, this always results in reputational damage that can have serious consequences.
In addition, there are now the legal restrictions imposed by the new IT Security Act. A wave of warnings from competing companies or overzealous law firms is conceivable. A security check of the systems accessible from the Internet should therefore be carried out at regular intervals.