Court Ruling Questions Adequacy of TLS Encryption for Email Invoices to Private Customers

Fri 7th Feb, 2025

A recent ruling from the Schleswig-Holstein Higher Regional Court has raised significant concerns regarding the adequacy of Transport Layer Security (TLS) encryption for invoices sent via email to private customers. This decision stems from a case involving a fraudulent manipulation of an invoice sent by a construction contractor to a private client.

The case, which has garnered attention for its implications for businesses using email for financial transactions, centers on a construction company that sent an invoice exceeding EUR 15,000 for the installation of a heating system. Unfortunately, cybercriminals intercepted and altered the invoice, changing not only the bank details but also other critical information, leaving the contractor unable to determine how the manipulation occurred.

The client, unaware of the alterations, transferred the funds to the fraudulently modified account. When the contractor sought payment again, the client refused, citing the unprotected nature of the emailed invoice and asserting a claim for damages equivalent to the invoice amount.

In its ruling, the Higher Regional Court upheld the contractor's claim for payment, indicating that the erroneous transfer did not absolve the client of their obligation to pay. However, the court also granted the client a right to damages against the contractor, stating that the unprotected email transmission violated the General Data Protection Regulation (GDPR), specifically Article 82, which allows affected parties to seek compensation for data protection breaches.

The court emphasized that invoices sent via email typically contain personal data, including names, addresses, and financial details, and therefore fall within the scope of the GDPR. It found that the contractor failed to implement adequate technical and organizational measures to ensure data security, as mandated by Article 32 of the GDPR.

According to the court, the TLS encryption utilized was insufficient, as it did not prevent third parties from altering the invoice. While the GDPR does not explicitly outline the necessary level of encryption, the court adopted a risk-based approach, indicating that higher potential risks necessitate stricter security measures. Given the significant financial implications of a fraudulent invoice, the court deemed that an end-to-end encryption solution should have been employed to safeguard the client's data confidentiality.
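The distinction the court draws is easiest to see in code. TLS only protects each hop between mail servers; once the message is decrypted at a relay or mailbox, nothing in TLS lets the customer tell that the bank details were changed. End-to-end protection applied by the sender travels with the invoice itself. The following Go program, added here as an illustration and not part of the ruling or the article, shows the integrity side of that protection: the contractor signs the fields the customer acts on with an Ed25519 key (an assumption for this example; in practice S/MIME or OpenPGP would carry the signature), and the customer's check fails as soon as the IBAN is altered. The invoice values and IBANs are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Invoice is a minimal stand-in for the invoice body sent to the customer.
// Field names and sample values are constructed for this example.
type Invoice struct {
	Number string
	Amount string
	IBAN   string
}

// canonical returns the exact bytes that are signed. Every field the customer
// acts on (amount, bank details) is covered, so changing any of them breaks
// the signature.
func canonical(inv Invoice) []byte {
	return []byte("number=" + inv.Number + "\namount=" + inv.Amount + "\niban=" + inv.IBAN + "\n")
}

// SignInvoice produces a detached, base64-encoded signature with the
// sender's private key. This happens at the sender's endpoint, before the
// message enters any mail server.
func SignInvoice(priv ed25519.PrivateKey, inv Invoice) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(inv)))
}

// VerifyInvoice returns true only if the invoice is byte-for-byte what the
// holder of the matching private key signed. The customer needs an authentic
// copy of the sender's public key for this check to mean anything.
func VerifyInvoice(pub ed25519.PublicKey, inv Invoice, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canonical(inv), raw)
}

// TamperDetected replays the scenario in the ruling: the contractor signs the
// invoice, then the bank details are changed somewhere along the way.
// It returns (originalVerifies, alteredVerifies).
func TamperDetected() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	original := Invoice{
		Number: "2024-0815",                 // constructed
		Amount: "15230.00 EUR",              // constructed
		IBAN:   "DE00 0000 0000 0000 0000 00", // constructed placeholder
	}
	sig := SignInvoice(priv, original)

	altered := original
	altered.IBAN = "DE99 9999 9999 9999 9999 99" // constructed: modified in transit
	return VerifyInvoice(pub, original, sig), VerifyInvoice(pub, altered, sig), nil
}

func main() {
	okOriginal, okAltered, err := TamperDetected()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original invoice verifies: %v\n", okOriginal)
	fmt.Printf("altered invoice verifies:  %v\n", okAltered)
}
```

The check only helps the customer if the public key reached them through a channel the attacker could not substitute, which is the key-distribution problem S/MIME certificates and OpenPGP key verification exist to solve; a signature alone also says nothing about confidentiality, which is the part of end-to-end encryption the court named.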

This decision echoes an earlier ruling from the Karlsruhe Higher Regional Court, which clarified that there are no specific legal requirements for security measures in business communications. Instead, the appropriate level of security is determined by the legitimate expectations of the parties involved and the feasibility of implementing such measures.

Companies are now faced with the obligation to demonstrate that their security practices comply with GDPR standards. This means that businesses must not only implement protective measures but also document and prove their effectiveness in case of disputes. In this instance, the contractor did not provide sufficient details regarding the security measures taken to protect the invoice transmission.

The ruling leaves open the crucial question of whether inadequate encryption directly contributed to the fraud. The judges could only suggest a potential link without definitive evidence. It remains unclear if end-to-end encryption alone could have prevented the alteration of the invoice, particularly given unresolved issues regarding how the breach occurred.

Importantly, the court did not impose a blanket requirement for end-to-end encryption in communications between businesses and consumers. However, companies are expected to conduct risk assessments and verify that their security measures are proportionate to the potential risks at hand.

In practice, this often results in a tiered approach to security, which varies according to the sensitivity of the data being transmitted and the risk of misuse. Notably, it remains undecided whether obtaining consent from recipients is sufficient to justify the use of only TLS encryption instead of more robust security measures. Nevertheless, there are strong legal arguments supporting this possibility.

For companies in the business-to-consumer sector, the court suggested that mailing invoices via postal services remains a viable alternative that incurs minimal technical and financial burdens.


More Quick Read Articles »