Are security vulnerabilities to hacker attacks a defect for which the software provider can be held liable?

High-profile cyberattacks like Locky or Emotet clearly illustrate the risks and threat scenarios for software-based products. IT security has also been an issue of great concern to PROMOS consult for many years. In his article, the lawyer Stephan Wiedorfer examines the question of who can be held liable for security vulnerabilities that invite hacker attacks.
Warranty obligations for IT security vulnerabilities in software solutions

Up until 31 December 2021, this question could be answered briefly and easily with ‘No!’

In 2019, for example, the Consumer Advice Centre of North Rhine-Westphalia instituted court proceedings before the Higher Regional Court of Cologne against a large electronics retailer which sold a mobile phone with an outdated Android operating system. A technical examination by the German Federal Office for Information Security (BSI) showed that it had various security vulnerabilities and that its use thus represented a considerable security risk. In addition, security updates for this outdated operating system were no longer available at the time of purchase. In its decision of 30 December 2019 (case no. 6 U 100/19), the Higher Regional Court of Cologne nevertheless ruled that security vulnerabilities did not impair the marketability of the smartphone in question and that the functionality of the operating system itself was not impaired by this security vulnerability. Since the operating system was thus capable of providing the intended services, there was no defect.

On 1 January 2022, however, a number of significant changes in sales law came into force that particularly affect digital products. The reason for this is EU Directive 2019/771 (Sale of Goods Directive) on the one hand and Directive (EU) 2019/770 on digital content and digital services on the other hand. These directives forced the national legislatures of the European Union to adapt numerous regulations, particularly in the Civil Code (BGB) in the Federal Republic of Germany.

These adaptations constitute a significant strengthening of consumer warranty rights, especially for purchases of digital elements or digital products. This already begins with the fact that the law now mentions “goods with digital elements” for the first time. This not only refers to goods that are linked to a digital product, such as a smart TV or voice-controlled speakers, but also to smartphones. In this case, the digital element is necessary for the sold goods to work at all.

Informationstechnologie und Immobilien (IT&I) Ausgabe Nr. 33 / April 2022


Furthermore, for these goods with digital elements, Section 475b BGB now stipulates that the entrepreneur has an “obligation to update” with regard to the digital element. This obligation does not end with the purchase, but continues to exist for the period in which the consumer can expect updates based on the nature and purpose of the item. The length of this period is determined, for example, by advertising claims, the purchase price or the materials used in the production of the goods. The goods sold with a digital element must therefore not only be up to date at the time the purchase contract is concluded and the goods are handed over to the buyer, but must also be kept up to date for a sufficiently long period of time after the purchase. In the case of the Cologne court decision described above, and considering the new legal situation, there was undoubtedly a defect justifying a warranty claim from the buyer, since the operating system was no longer updated.

Furthermore, the new provision of Section 327e Para. 3 No. 2 BGB for consumer contracts regulates that the digital product must also have the necessary “security”, otherwise it is defective. Although this law does not define the concept of security in more detail, it will ultimately have to be understood as both IT security and product safety.

As a result, the consumer is entitled to assert warranty claims against the seller if this security is not guaranteed in the product sold.

Although this comprehensive change in the law is ultimately due to EU consumer protection requirements, the expanded definition of product defects also has an impact on companies. This is because the law generally regulates in Section 434 Para. 3 Sentence 2 BGB that the insufficient “safety” of the product constitutes a material defect, regardless of whether the item was sold to a consumer or a business.

As mentioned above, the update obligation vis-à-vis consumers leads the seller – in contrast to the previous sales law – to ensure that security vulnerabilities are eliminated even long after handing over the purchased item by updating the digital element, i.e. the installed software. It is true that the consumer has no direct right to an update. If the seller fails to update the product, however, this ultimately constitutes a defect. The buyer can therefore assert extensive warranty rights even after conclusion of the contract and potentially also withdraw from the contract. Thus, security vulnerabilities in the software are currently circumstances for which the seller can be held liable.

Many questions regarding details of the new legal situation will only be clarified over time when the courts have had the opportunity to review corresponding case scenarios and apply the new legislation. The ECJ will increasingly have the last word on this issue, since it is a matter of EU law. Unfortunately, the legislature did not directly create its own software law in this case. It is already becoming apparent that there will be delimitation problems between contracts with consumers on the one hand and those with businesses on the other, as many of the new special regulations only apply to consumer contracts.


Stephan Wiedorfer

was born in 1967 in Munich. He studied law in Munich and, during his traineeship, worked in New York for six months for Germany’s largest record label. He has been a member of the bar since 1996 and founded his first law firm in 1999. He specialises in consulting in the field of computer and Internet law, including procedural enforcement of the relevant claims. His other areas of activity include trademark, copyright and competition law. Stephan Wiedorfer has been a certified specialist for industrial property rights since 4 February 2008. He is a member of the Deutsche Vereinigung für gewerblichen Rechtsschutz und Urheberrecht e. V. (GRUR; German Association for Industrial Property and Copyright), the Deutsche Gesellschaft für Recht und Informatik e. V. (DGRI; German Association for Law and Informatics) and the Arbeitsgemeinschaft Informationstechnologie im Deutschen Anwaltverein (DAV-IT; Information Technology Working Group of the German Association of Lawyers).