Are security vulnerabilities to hacker attacks a defect for which the software provider can be held liable?

Up until 31 December 2021, this question could be answered briefly and easily with ‘No!’

In 2019, for example, the Consumer Advice Centre of North Rhine-Westphalia instituted court proceedings before the Higher Regional Court of Cologne against a large electronics retailer which sold a mobile phone with an outdated Android operating system. A technical examination by the German Federal Office for Information Security (BSI) showed that it had various security vulnerabilities and that its use thus represented a considerable security risk. In addition, security updates for this outdated operating system were no longer available at the time of purchase. In its decision of 30 December 2019 (case no. 6 U 100/19), the Higher Regional Court of Cologne nevertheless ruled that security vulnerabilities did not impair the marketability of the smartphone in question and that the functionality of the operating system itself was not impaired by this security vulnerability. Since the operating system was thus capable of providing the intended services, there was no defect.

On 1 January 2022, however, a number of significant changes in sales law came into force that particularly affect digital products. The reason for this is EU Directive 2019/771 (Sale of Goods Directive) on the one hand and Directive (EU) 2019/770 on digital content and digital services on the other hand. These directives forced the national legislatures of the European Union to adapt numerous regulations, particularly in the Civil Code (BGB) in the Federal Republic of Germany.

These adaptations constitute a significant strengthening of consumer warranty rights, especially for purchases of digital elements or digital products. This already begins with the fact that the law now mentions “goods with digital elements” for the first time. This not only refers to goods that are linked to a digital product, such as a smart TV or voice-controlled speakers, but also to smartphones. In this case, the digital element is necessary for the sold goods to work at all.

Furthermore, for these goods with digital elements, Section 475b BGB now stipulates that the entrepreneur has an “obligation to update” with regard to the digital element. This obligation does not end with the purchase, but continues to exist, namely for the period in which the consumer can expect updates based on the nature and purpose of the item. The length of this period is determined, for example, by advertising claims, the purchase price or the materials used in the production of the goods. The goods sold with a digital element must therefore not only be up-to-date when the purchase contract is concluded and the handover to the buyer, but must also be kept up to date for a sufficiently long period of time after the purchase. In the case of the Cologne court decision described above, and considering the new legal situation, there was undoubtedly a defect justifying a warranty claim from the buyer, since the operating system was no longer updated.

Furthermore, the new provision of Section 327e Para. 3 No. 2 BGB for consumer contracts regulates that the digital product must also have the necessary “security”, otherwise it is defective. Although this law does not define the concept of security in more detail, it will ultimately have to be understood as both IT security and product safety.

As a result, the consumer is entitled to assert warranty claims against the seller if this security is not guaranteed in the product sold.

Although this comprehensive change in the law is ultimately due to EU consumer protection requirements, the the expanded definition of product defects also has an impact on companies. This is because the law generally regulates in Section 434 Para. 3 Sentence 2 BGB that the insufficient “safety” of the product constitutes a material defect, regardless of whether the item was sold to a consumer or a business.

As mentioned above, the update obligation vis-à-vis consumers leads the seller – in contrast to the previous sales law – to ensure that security vulnerabilities are eliminated even long after handing over the purchased item by updating the digital element, i.e. the installed software. It is true that the consumer has no direct right to an update. If the seller fails to update the product, however, this ultimately constitutes a defect. The buyer can therefore assert extensive warranty rights even after conclusion of the contract and potentially also withdraw from the contract. Thus, security vulnerabilities in the software are currently circumstances for which the seller can be held liable.

Many questions regarding details of the new legal situation will only be clarified over time when the courts have had the opportunity to review corresponding case scenarios and apply the new legislation. The ECJ will increasingly have the last word on this issue, since it is a matter of EU law. Unfortunately, the legislature did not directly create its own software law in this case. It is already becoming apparent that there will be delimitation problems between contracts with consumers on the one hand and those with businesses on the other, as many of the new special regulations only apply to consumer contracts.