
Relevance of Data Security and Data Protection in Companies from the Perspective of Criminal Law

Handbook Industry 4.0

Abstract

Companies can be affected by a variety of classic so-called “IT crimes.” They can become victims of hacking attacks, just as employees can use the company’s resources to commit their own crimes. The same applies to the digital distribution of incriminated content, such as child pornography, racist statements, or statements containing incitement to hatred. In capital market criminal law, the infrastructure of companies can also be used to commit crimes. The same applies to the spying out of company secrets; here, too, companies can be on the side of the perpetrator (employees) or of the victim. However, these and other manifestations are neither restricted to the corporate context nor specific to it.


Notes

  1.

    This obligation of secrecy is (newly) flanked by § 29 para. 3 BDSG. Within the scope of application of § 203 StGB, the supervisory authorities may not demand or arrange for the release of data. If they nevertheless gain access to appropriately protected data, the scope of application of § 203 StGB is automatically extended to the supervisory authority.

  2.

    A complete emergency management system is described on the website of the German Federal Office for Information Security (BSI) in the BSI Standard 100-4, available at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/ITGrundschutzstandards/BSI-Standard_1004.html.

  3.

    See, for example, the research project “European Cloud Service Data Protection Certification (Auditor)” available at: http://auditor-cert.de and European Union Agency for Network and Information Security (ENISA), or the Recommendations on European Data Protection Certification, Version 1.0 November 2017, available at: https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification/at_download/fullReport.

  4.

    See, for example, the proposal for an EU Regulation “on ENISA, the ‘EU Cybersecurity Agency’, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘Cybersecurity Act’), COM(2017) 477 final/2 and also ENISA, Overview of the practices of ICT Certification Laboratories in Europe,” Version 1.1, January 2018, available at: https://www.enisa.europa.eu/publications/overview-of-the-practices-of-ict-certification-laboratories-in-europe/at_download/fullReport. See also the “Draft Opinion” of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (Rapporteur Jan Philipp Albrecht), 2017/0225(COD), available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-615.394+02+DOC+PDF+V0//EN.

  5.

    See Bundesamt für Verfassungsschutz/Bundesamt für Sicherheit in der Informationstechnik/Bundesverband Allianz für Sicherheit in der Wirtschaft e.V., Wirtschaftsgrundschutz, module MA2 Bewerberprüfung, status July 2017, available at: https://www.wirtschaftsschutz.info/DE/Aktuelles/Wirtschaftsgrundschutz/Bausteine/Bewerberpruefung.pdf.

  6.

    Before using remote maintenance, check whether the remote maintenance software allows encrypted transmission, which encryption is used, etc. When using cloud platforms such as Dropbox, Google Drive, Microsoft OneDrive, etc., i.e., storing secrets on foreign servers, in addition to transport encryption, user- or group-based encryption at file level must also take place in the company of the secret carrier, because then the service can be provided without knowledge of secrets. The same obviously applies to Infrastructure as a Service (IaaS), where entire computers (servers) are rented, or Platform as a Service (PaaS), where the provider only provides a runtime environment within which users can run their own software. In the case of “Software as a Service” (SaaS), the service provider offers special software that runs on the provider’s resources and is made available to the user online, whereby the service provider also takes care of maintenance through updates and upgrades, such as with Microsoft Office 365 and with Google Docs, Sheets, Slides and Forms.

  7.

    Federal Statutory Order concerning the Legal Profession.

  8.

    Federal Statutory Order concerning the Notaryship.

  9.

    Federal Statutory Order concerning the Practice of Patent Attorneys.

  10.

    Federal Law concerning the Practice of Tax Accountants.

  11.

    Federal Statutory Order concerning the Practice of Public Auditors.

  12.

    See the statement of the Hamburg Commissioner for Data Protection and Freedom of Information on the business number D42/2017/1114 of 8.1.2018, available at https://www.datenschutzbeauftragter-info.de/wp-content/uploads/2018/02/schreiben-der-aufsichtsbehoerde.pdf and 8th Activity Report of the Saxon Commissioner for Data Protection, submitted as of 31.3.2017, p. 138.

  13.

    Page 4 of the BMJV’s draft bill for a law on the new regulation of the protection of secrets in the case of the participation of third parties in the professional practice of persons subject to professional secrecy, available at: https://www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/Dokumente/RefE_Neuregelung_Schutzes_von_Geheimnissen_bei_Mitwirkung_Dritter_an_der_Berufsausuebung_schweigepflichtiger_Personen.pdf.

  14.

    Rowlingson (2014), p. 1: “A forensic investigation of digital evidence is commonly employed as a post event response to a serious information security incident. In fact, there are many circumstances where an organization may benefit from an ability to gather and preserve digital evidence before an incident occurs” (loc. cit.). Tan (fn. 1), p. 1, defines it as follows: “Forensic Readiness” has two objectives: “Maximalizing an environments ability to collect credible digital evidence; and 2. Minimalizing the costs of forensics in an incident response.”

  15.

    National Research Council (2009), p. 93 (with further references)—“... that an expert’s testimony is reliable where the discipline itself lacks reliability (...).” In view of the rapidly developing fields of “digital forensics,” this is of importance not to be underestimated in terms of the admission of experts. If necessary, this may be a reason for an additional expert within the meaning of § 244 (4) StPO.

  16.

    Monroy (2017)—“Examples are the rapid use of radio cell queries or the sending of silent SMS as a standard measure in investigations.”

  17.

    Momsen and Bruckmann (2019), pp. 20 ff.

  18.

    German Federal Constitutional Court (BVerfG), judgment of the First Senate, 15 December 1983, 1 BvR 209/83 and others—Census—BVerfGE 65, 1.

  19.

    BVerfG: Judgment of the First Senate of 15 December 1983 (1 BvR 209/83, marginal no. 146). Federal Constitutional Court. 14 December 1983.

  20.

    Article 8—Right to respect for private and family life.

    1. Everyone has the right to respect for his private and family life, his home and his correspondence.

    2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

  21.

    BVerfG, Order of the First Senate of 4 April 2006, 1 BvR 518/02—dragnet investigation—BVerfGE 115, 320. BVerfG, Judgment of the First Senate of 27 February 2008, 1 BvR 370/07 and others—Online search/computer fundamental right—BVerfGE 120, 274.

  22.

    Elliott (1995); Barabas (2019), pp. 2–3.

  23.

    Kleinberg et al. (2016).

  24.

    Angwin and Larson (2016).

  25.

    Momsen and Weichert (2018).

References

  • Angwin J, Larson J (2016) Bias in criminal risk scores is mathematically inevitable, researchers say. ProPublica, 30 December 2016. https://www.propublica.org/article/bias-in-criminal-risk-scores-is-mathematically-inevitable-researchers-say

  • Barabas C (2019) Beyond bias: re-imagining the terms of ethical AI in criminal law, pp 2–3. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3377921

  • Berk R (2019) Machine learning risk assessments in criminal justice settings, pp 116 ff.


  • Bock D (2011) Criminal compliance, 1st edn. Baden-Baden


  • Casey E (2002) Error, uncertainty, and loss in digital evidence. Int J Digital Evid 1(2):2 ff.


  • Chaski C (2005) Who’s at the keyboard? - Authorship attribution in digital evidence investigations. Int J Digital Evid 4(1):1 ff.


  • Degen A (2016) § 66. In: Heussen/Hamm (eds) Beck’sches Rechtsanwalts-Handbuch, 11th edn. Munich


  • Dix A (2014) § 1. In: Simitis (ed) Federal Data Protection Act, 8th edn. Munich


  • Eisele J (2013) Computer and media criminal law. Munich


  • Eisele J, Lenckner T (2014) § 203. In: Schönke/Schröder (eds) StGB, 29th edn. Munich


  • Elliott DS (1995) Lies, damn lies, and arrest statistics. Center for the Study and Prevention of Violence, Boulder


  • Endicott-Popovsky B, Frincke D (2007) In: Schmorrow/Reeves (eds) Augmented cognition, HCII 2007, pp 364 ff., Berlin


  • Eschelbach G (2017) § 100a. In: Satzger/Schluckebier/Widmaier (eds) Code of Criminal Procedure: StPO with GVG and EMRK, Commentary, 3rd edn. Cologne


  • Gercke M (2012) The omitted step from computer to internet criminal law. AnwBl, 709 ff.


  • Germann M, Voigt P (2017) IT security - not an issue only for operators of critical infrastructures. CR, 93 ff.


  • Geschonneck A (2004) Computer forensics, 1st edn, Heidelberg


  • Graf J-P (2018) § 100b. In: Graf (ed) BeckOK-StPO, 31st edn


  • Großkopf L, Momsen C (2018) Outsourcing of professional secrets - criminal obligation to comply? CCZ, 98 ff.


  • Haft F (1987) The Second Act to Combat Economic Crime (2. WiKG) - Part 2: Computer Crimes, NStZ 6 ff.


  • Härting N (2005) IT-Security in the Law Firm - The Attorney’s Secrecy in the Age of Information Technology. NJW, 1248 ff.


  • Haß G (1993) In: Lehmann (ed) Legal protection and exploitation of computer programs, 2nd edn. Cologne


  • Heger M (2018) § 202a. In: Lackner/Kühl (eds) StGB, 29th edn. Munich


  • Hilgendorf E (2015) In: Arzt/Weber/Heinrich/Hilgendorf (eds) Criminal law special part, 3rd edn. Bielefeld


  • Jahn M, Palm J (2011) Outsourcing in the law firm: breach of private secrets? The criminal and professional law assessment of a “lawyer’s secretariat” outside the law firm. AnwBl, 613 ff.


  • Jessen E (2014) Access authorization and special security as defined by § 202 a StGB. Frankfurt


  • Kleinberg J, Mullainathan S, Raghavan M (2016) Inherent trade-offs in the fair determination of risk scores. Cornell University. https://arxiv.org/pdf/1609.05807.pdf

  • Koch FA (2014) Legal and ethical encryption requirements? Using the example of the legal profession. DuD, 691 ff.


  • Lenckner T, Winkelbauer W (1986) Computer crime - possibilities and limits of the 2nd WiKG (I), (II), (III). CR, 483 ff., 654 ff., 824 ff.


  • Marshall AM (2008) Digital forensics - digital evidence in criminal investigation


  • Meier B-D (2012) Sicherheit im Internet. Neue Herausforderungen für Kriminologie und Kriminalpolitik, MschrKrim, pp 184–204


  • Meyer-Goßner L (2018) § 244. In: Meyer-Goßner/Schmitt (eds) Code of Criminal Procedure: StPO, 61st edn. Munich


  • Michaelis P (2016) Cybersecurity: technical requirements of the “measure” according to Section 13 (7) TMG - challenge “state of the art.” ITRB, 118 ff.


  • Momsen C (2015) Internal investigations from a criminal law perspective. In: Rotsch (ed) Criminal compliance. Baden-Baden, pp 1234 ff.


  • Momsen C (2021a) Digital evidence and criminal defense – how international standards apply in German criminal proceedings. John Jay College of Criminal Justice, The Center for International Human Rights, CIHR-Publications, New York


  • Momsen C (2021b) Implications and limitations of the use of AI in criminal justice in Germany. John Jay College of Criminal Justice, The Center for International Human Rights, CIHR-Publications, New York


  • Momsen C, Bruckmann P (2019) Soziale Netzwerke als Ort der Kriminalität und Ort von Ermittlungen - Wie wirken sich Online-Durchsuchung und Quellen-TKÜ auf die Nutzung sozialer Netzwerke aus? KriPoZ, pp 20 ff.


  • Momsen C, Grützner T (2017) Legal regulation of internal company investigations - gain in the rule of law or unnecessary complication? CCZ, 242 ff.


  • Momsen C, Hercher N (2014) Digital evidence in criminal proceedings: suitability, extraction, exploitation, revisibility. In: The acceptance of the rule of law in the judiciary, Volume of Material for the 37th Defense Attorney Day, Freiburg 2013, pp 173 ff.


  • Momsen C, Rennert C (2020) Big data-based predictive policing and the changing nature of criminal justice – consequences of the extended use of big data, algorithms and AI in the area of criminal law enforcement. In: KriPoZ, pp 160–172


  • Momsen C, Savic L (2017) Explanation of several terms in the fields of digital forensics, digital evidence, cybercrime and cyberinvestigations. In: Grützner/Jakob (eds) Compliance and governance from A-Z, 2nd edn. Vienna


  • Momsen C, Savic L (2018) § 32. In: von Heintschel-Heinegg (ed) Beck-OK/StGB, 40th edn


  • Momsen C, Tween D (2015) Criminal compliance in the USA. In: Rotsch (ed) Criminal compliance. Baden-Baden, pp 1027 ff.


  • Momsen C, Washington SL (2019) Wahrnehmungsverzerrungen im Strafprozess - die Beweisprüfung im Zwischenverfahren der StPO und US-amerikanische Alternativen (Perception bias in criminal proceedings - the examination of evidence in interim proceedings in the German Code of criminal procedure and US-American alternatives). In: Goeckenjan/Puschke/Singelnstein (eds) Festschrift für Ulrich Eisenberg, Berlin, pp 453 ff.


  • Momsen C, Weichert T (2018) From DNA tracing to DNA phenotyping – open legal issues and risks in the new Bavarian Police Task Act (PAG) and beyond, Verfassungsblog, 2018. https://verfassungsblog.de/from-dna-tracing-to-dna-phenotyping-open-legal-issues-and-risks-in-the-new-bavarian-police-task-act-pag-and-beyond/

  • Momsen C, Rennert C, Willumat M (2020) Security, populism, human rights and the underestimated role of AI and big data – a review of “security and human rights”. In: Goold BJ, Lazarus L (eds) KriPoZ, 2nd edn, pp 183–189


  • Monroy M (2017) Soziale Kontrolle per Software: Zur Kritik an der vorhersagenden Polizeiarbeit, Cilip, Oktober, 2017. https://www.cilip.de/2017/10/11/soziale-kontrolle-per-software-zur-kritik-an-der-vorhersagenden-polizeiarbeit/

  • National Research Council (2009) Strengthening forensic science in the United States: a path forward, pp 90 ff.


  • O’Neil C (2018) Weapons of math destruction – how big data increases inequality and threatens democracy, pp 102–104


  • Roggan F (2017) Die strafprozessuale Quellen-TKÜ und Online-Durchsuchung: Electronic surveillance measures with risks for the accused and the general public. StV, 821 ff.


  • Rosenau H (2018) Before §§ 32 ff. In: Satzger/Schluckebier/Widmaier (eds) Criminal Code, 4th edn. Cologne


  • Rotsch T (2013) In: Rotsch T (ed) Criminal compliance before the tasks of the future. Cologne, pp 3 ff.


  • Rowlingson T (2014) Digital evidence. Fed Evid Rev, 1 ff.


  • Roxin C (2006) Criminal law general part, vol 1, 4th edn. Munich


  • Rudolph C (2013) Forensic readiness. In: Acceptance of the rule of law in the judiciary, 2013, volume of material for the 37th Criminal Defense Attorney Day, Freiburg


  • Ryan DJ, Shpantzer G (2008) Legal aspects of digital forensics, available at: http://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf

  • Sassenberg T (2006) Dealing with IT in the law firm. AnwBl., 196 ff.


  • Sättele A (2017) § 244. In: Satzger/Schluckebier/Widmaier (eds) Code of Criminal Procedure: StPO with GVG and EMRK, 3rd edn. Cologne


  • Schiemann A (2017) More effective and practical design of criminal proceedings? What is left of the major reform of the StPO. KriPoZ, 338 ff.


  • Schmölzer G (2011) Criminal offences on the Internet: a substantive consideration. ZStW, 709 ff.


  • Schreibauer M, Hessel T (2007) The 41st Criminal Law Amendment Act to combat computer crime. K&R, 616 ff.


  • Schulze-Heiming I (1995) The criminal law protection of computer data against the forms of attack of espionage, sabotage and time theft. Münster


  • Schumann K (2007) The 41st StrÄndG on combating computer crime. NStZ, 675 ff.


  • Soiné M (2018) The criminal procedural online search. NStZ, 497 ff.

  • von Lewinski K (2004) Attorney-client confidentiality and e-mail. BRAK-Mitteilungen 1:12


  • Wassermann R (1996) Insert II, recital 10 ff. In: Wassermann (ed) StPO Commentary on the Code of Criminal Procedure, vol 1. Munich


  • Završnik A (2018) Big data, crime and social control. Routledge Frontiers of Criminal Justice




Correspondence to Carsten Momsen.


© 2022 Springer-Verlag GmbH Germany, part of Springer Nature

About this chapter


Cite this chapter

Momsen, C. (2022). Relevance of Data Security and Data Protection in Companies from the Perspective of Criminal Law. In: Frenz, W. (eds) Handbook Industry 4.0. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-64448-5_3


  • DOI: https://doi.org/10.1007/978-3-662-64448-5_3


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-64447-8

  • Online ISBN: 978-3-662-64448-5

  • eBook Packages: Law and Criminology, Law and Criminology (R0)
