LG Köln - 28 O 328/21

From GDPRhub
Court: LG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 82(1) GDPR
Article 82(2) GDPR
Decided: 18.05.2022
Published:
Parties: Scalable Capital
National Case Number/Name: 28 O 328/21
European Case Law Identifier: ECLI:DE:LGK:2022:0518.28O328.21.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Justiz-Online NRW (in German)
Initial Contributor: pau.see

The Regional Court of Cologne ordered an online stockbroker to pay non-material damages of €1,200 because for several years it had neither deleted nor changed the database login credentials of a former business partner, which a third party later used in a data breach.

English Summary

Facts

The controller is Scalable Capital, an online stockbroker. The data subject is a customer of the controller. The controller informed the data subject about a data breach which had occurred on 19 October 2020. A third party had accessed parts of the data subject's personal information, potentially including personal, tax and contact data and their IBAN.

The breach was conducted by using the credentials of CodeShip Inc., a "Software as a Service" company which the controller had contracted in the past. The contract was terminated in 2015. After the termination, the controller did not delete or change the credentials of CodeShip Inc. The third party obtained the credentials by means of a cyber attack against CodeShip Inc. The third party used CodeShip’s – still valid – credentials three times between April and October 2020 to gain access to the controller's database. Some of the data obtained was supposedly used for identity theft or for other fraudulent behaviour.

After the breach, the controller paid the data subject a one-year subscription to the identity protection service “meine SCHUFA Plus”.

Holding

The court ordered the controller to pay €1,200 as non-material damages to the data subject. The court found that the controller violated Article 32(1) and Article 5(1)(f) GDPR because it had not implemented technical and organisational measures ensuring an appropriate level of security, especially with regard to "integrity and confidentiality". The controller contributed to the data breach and the potential identity theft by not deactivating or changing CodeShip's credentials for several years.
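The gap the court identified here (a partner's credentials left valid for years after the contract ended, with no check that the partner had deleted them) is exactly what a routine offboarding audit is meant to catch. The Python below is an added example written for this page, not code from the court, GDPRhub or Scalable Capital; every vendor name, credential id and date in it is a constructed placeholder, and the June 2015 contract end and April 2020 audit date are only stand-ins for the 2015 termination and the April 2020 first access described in the facts.

```python
"""Offboarding audit for credentials issued to third parties (added example,
not the court's or the controller's code). It flags the gap the judgment
describes: a vendor contract ends, but the credential issued to that vendor
stays valid and nobody confirms the vendor deleted its copy. All ids, vendor
names and dates are constructed placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    cred_id: str
    owner: str           # vendor or team the credential was issued to
    last_rotated: date
    active: bool


@dataclass(frozen=True)
class VendorContract:
    vendor: str
    ended: Optional[date]      # None while the contract is still running
    deletion_confirmed: bool   # vendor attested that it deleted the credential


@dataclass(frozen=True)
class Finding:
    cred_id: str
    action: str   # REVOKE, CONFIRM_DELETION, ROTATE or NO_OWNER
    reason: str


def audit_credentials(credentials: List[Credential],
                      contracts: List[VendorContract],
                      today: date,
                      max_age: timedelta = timedelta(days=365)) -> List[Finding]:
    """Return one Finding per required action, in input order."""
    by_vendor = {c.vendor: c for c in contracts}
    findings: List[Finding] = []
    for cred in credentials:
        contract = by_vendor.get(cred.owner)
        if contract is None:
            # Nobody is accountable for it, so nobody will ever offboard it.
            findings.append(Finding(cred.cred_id, "NO_OWNER",
                                    f"no contract on record for owner {cred.owner!r}"))
            continue
        if contract.ended is not None:
            if cred.active:
                days = (today - contract.ended).days
                findings.append(Finding(cred.cred_id, "REVOKE",
                    f"contract with {contract.vendor} ended {contract.ended}; "
                    f"credential still active {days} days later"))
            if not contract.deletion_confirmed:
                # Revoking alone is not enough: the court also expected a
                # check that the former partner had actually deleted its copy.
                findings.append(Finding(cred.cred_id, "CONFIRM_DELETION",
                    f"no deletion attestation on file from {contract.vendor}"))
        elif cred.active and today - cred.last_rotated > max_age:
            findings.append(Finding(cred.cred_id, "ROTATE",
                f"last rotated {cred.last_rotated}, older than {max_age.days} days"))
    return findings


def run_audit() -> List[Finding]:
    """Run the audit over a constructed inventory (placeholders, not case data)."""
    today = date(2020, 4, 1)   # constructed: around the first unauthorised access
    credentials = [
        Credential("svc-codeship-archive", "CodeShip Inc.", date(2014, 9, 1), True),
        Credential("svc-vendor-b", "Vendor B", date(2020, 2, 1), True),
        Credential("svc-vendor-c", "Vendor C", date(2018, 1, 1), True),
        Credential("svc-legacy-import", "unknown-legacy", date(2013, 5, 5), False),
    ]
    contracts = [
        VendorContract("CodeShip Inc.", date(2015, 6, 30), False),  # constructed end date
        VendorContract("Vendor B", None, False),
        VendorContract("Vendor C", None, False),
    ]
    return audit_credentials(credentials, contracts, today)
```

Calling `run_audit()` yields four findings: the CodeShip credential needs both revocation and a deletion attestation, Vendor C's credential is overdue for rotation, and the ownerless legacy credential is flagged even though it is inactive.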

Although it could not be verified by the court that the data subject’s identity was fraudulently used by a third person, the court found that the risk alone establishes an immaterial damage pursuant to Article 82(1) GDPR.

When assessing the amount of damages pursuant to Article 82(2) GDPR, the court considered as mitigating factors that the data was not used for any fraudulent behaviour until the time of the decision and that the controller paid for the identity protection service.[1] Therefore, the court considered the amount of €1,200 appropriate.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The plaintiff seeks damages from the defendant for an alleged violation of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR).

The defendant provides investment services, in particular individual asset management for private customers, as well as software services related to financial services. In addition, it offers brokerage services and arranges overnight, fixed-term and flexible deposit offers. The plaintiff is a customer of the defendant and maintains a customer account with it. In this context, he provided the defendant with, among others, the following personal data: first and last name, title, address, date of birth, place of birth, country of birth, nationality, e-mail address, telephone/mobile number, marital status, tax residency, tax ID and bank details. As part of his registration as a new customer, the plaintiff went through a so-called Post-Ident procedure, which involves the following personal data: ID number, date of issue, issuing authority and country of issue of the identity card or passport.

On October 19, 2020, the plaintiff received an e-mail from the defendant referring to a notification that he could access in the mailbox of his online customer area. In this notification, the defendant informed the plaintiff that the protection of his personal data had been violated by unlawful access. Access to a subset of documents in the digital document archive had been obtained "with the help of internal company knowledge that is only available via appropriately secured access", not by exploiting a technical security gap that could be exploited directly from outside. The plaintiff's personal data contained in the documents were affected by the incident. The following categories of personal data were involved: personal details and contact data, data for the legally required identification of the customer (e.g. ID data), the information recorded as part of the suitability check, data relating to the account and/or securities account (e.g. reference account details, reports, securities statements, invoices) and tax data (e.g. tax identification number). Regarding the possible consequences of the incident, the defendant explained that the data could be used in attempts to persuade those affected to behave in a certain way, in particular to prompt the disclosure of further confidential information or payments. Furthermore, attempts at identity misuse could be made with the help of the data. For further details, reference is made to Annex K2, p. 24 f. of the case file.

The attackers were able to gain unauthorized access to the plaintiff's data using access data obtained as a result of a cyber attack on CodeShip Inc. This is a global company that offers "Software as a Service" solutions for companies of different sizes and industries and which had a contractual relationship with the defendant until 2015. CodeShip was given the access data as part of that contractual relationship. The defendant neither changed the access data after the end of the contractual relationship nor checked whether the data had been deleted at CodeShip.

After this incident, the defendant set up a special page on its website for "frequently asked questions about the data protection incident at TD", which can be accessed at the URL https://de.t.d/e.
There, under the question "Have my data been used?", it reported that some customers had been contacted by third parties using the data and that third parties had also contacted journalists with reference to the incident. The defendant also stated on this page that the unauthorized access to its digital document archive had been discovered on the occasion of a customer inquiry on October 16, 2020 and had taken place on three occasions in the period from April to October 2020. A total of around 33,200 of the defendant's customers were affected by this unauthorized data access. For further details, reference is made to Annex K3, p. 26 ff. of the case file.

After the data incident became known, the defendant took extensive immediate IT measures to prevent further unauthorized access and contacted the responsible authorities on October 19, 2020, including filing a criminal complaint with the Munich I public prosecutor's office.

In November 2020, the plaintiff, as a customer affected by the unauthorized data access, accepted the defendant's offer to register free of charge for the identity protection service "meine SCHUFA Plus". The offer covered the defendant's assumption of the costs for the first contract year and of the activation fee of EUR 9.95. If the service is used beyond the first contract year, the contract is automatically extended by a further year at a price of EUR 4.95 per month (Annex K3, p. 30 f. of the case file).

The plaintiff claims that a digital copy of the identity card or passport is made as part of the Post-Ident procedure carried out when registering as a new customer. In view of the risk of misuse of his data, the plaintiff has, since the data incident, been checking every e-mail and invoice receipt, especially in connection with online purchases, as well as all account transactions for suspicious movements. Since the data theft, he has been accompanied by a constant feeling of insecurity.

The plaintiff is of the opinion that the defendant did not process his personal data in a way that ensured adequate security of the data. Otherwise, unauthorized access to such a large amount of sensitive personal data would not have been possible using company-internal access information. If the defendant had an authorization concept at all, it was insufficient, and the data was not sufficiently segmented. Had appropriate security measures been implemented, it would not have been possible for such a large amount of data to be extracted without this being noticed immediately. The defendant itself stated that the unauthorized access was only noticed because of a customer inquiry. The fact that the defendant took measures after the security incident to prevent unauthorized access to the data also indicates that no adequate security measures had been implemented at the time of the unauthorized access.

The plaintiff further claims that he suffered irreversible damage as a result of the unauthorized access. Given the risk of identity misuse associated with the data protection incident, it is clear that the data concerned are now permanently beyond the plaintiff's control. In particular, the data includes items that do not change over the course of a life, so that even moving house or changing e-mail addresses and mobile phone numbers cannot make up for the loss of control. The plaintiff has to expect every day that third parties will conclude contracts or initiate payments in his name. He has to live with the fact that data that typically serves only to identify him (such as date and place of birth) is circulating somewhere on the dark web. The meticulous checking of all account movements, letters and e-mails brought about by the data protection incident means an irreversible restriction of the plaintiff's participation in legal and business transactions, which cannot be sufficiently compensated for by using services such as "meine SCHUFA Plus". Nor does the risk of identity misuse decrease over time, because such data is still circulating and being sold on the dark web decades later. The fact that other victims have already received blackmail e-mails shows that the data is already in the hands of criminals. The plaintiff has to live with the possibility that the risk of identity misuse will materialise. The theft of his telephone number and e-mail address is inherently associated with the risk that these will be used for spam messages. Countering this by changing them would mean immense effort and a partial loss of reachability.

Finally, the plaintiff is of the opinion that he has also suffered damage as a result of the data protection incident in that he has incurred enormous personal effort in this connection, for example through his own examination of the matter, his own research, the monitoring of his own account and the use of the service "meine SCHUFA Plus".

The plaintiff requests
that the defendant be ordered to pay the plaintiff reasonable immaterial damages, the amount of which is at the discretion of the court but at least EUR 5,001.00, plus interest of five percentage points above the applicable base rate since lis pendens (October 25, 2021).

The defendant requests
that the action be dismissed.

It contends that the plaintiff's data affected by the data incident had already been the subject of previous data incidents at other companies. The plaintiff's identity card was not affected by the data incident because of the way the plaintiff was identified using the Post-Ident procedure; in particular, the identity card number was not affected. The defendant did not hold a copy of the identity card. The defendant also claims that the information recorded as part of a suitability check and, with the exception of the IBAN of the reference account, data on the securities account or clearing account were not affected. The plaintiff only used brokerage services, so no suitability check took place. At no time was it possible to access customer passwords, so the plaintiff's assets at the custodian bank were never at risk.

The defendant denies for lack of knowledge (mit Nichtwissen) that the plaintiff checks all e-mail and invoice receipts as well as account movements for suspicious activity. It further denies that third parties have assumed the plaintiff's identity, that the plaintiff cannot keep his e-mail address and mobile phone number free from spam, and that he made the "personal effort" he allegedly made in connection with the data incident. The defendant also denies, for lack of knowledge, that other victims received blackmail e-mails. To its knowledge, there were only a very small number of contacts with customers. In this regard, the investigating authorities had expressed the assumption that the attackers were trying to put pressure on the defendant by contacting the customers.

The defendant is of the opinion that it is not responsible for any violation of the General Data Protection Regulation. Its technical and organizational measures, on which it reports in detail, were appropriate at all times and in every respect. On the one hand, this is illustrated by the fact that at the time of the data incident its information security management was certified by TÜV Rheinland according to the generally recognized ISO 27001:2013 standard. On the other hand, the competent data protection authorities had not initiated any proceedings or other measures against it for data protection deficiencies, either after the data protection incident or at any other time.

The defendant claims that it uses a secure, standardized IT infrastructure with, among other things, application and database servers, storage capacities, redundancy systems and backup solutions to process all customer business. The document archive affected by the unauthorized access, in which some of the customer data was stored in separate folders, was encrypted using the highly effective AES-256 method (Advanced Encryption Standard, a symmetric encryption method). Customer data is therefore permanently encrypted "at rest". The IT infrastructure on which the document archive is based is certified according to IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1. The defendant manages data (including customer data) in separate sub-environments, which are completely independent environments, each with its own infrastructure resources, in accordance with system specifications. The processing of customer data in the affected document archive is likewise segmented, i.e. it uses separate folders for which access rights are restricted accordingly. Access by a user always requires entry of the individual access data and, because "multi-factor authentication" is mandated, entry of an additional authentication factor. Furthermore, access to the data itself is only possible within the scope of the authorizations previously granted to the respective user. A user's specific authorizations are assigned according to the strict "need-to-know" principle (principle of necessity), i.e. depending on which authorizations the user actually needs in view of his function. Digital user management, i.e. setting up and deleting users and assigning individual access options, is in turn only possible with specific, restricted authorizations.

The defendant also claims that it has specified other security mechanisms, such as secure/encrypted VPN connections and "IP whitelisting" (restriction of access to certain end devices).
In addition, the defendant has a comprehensive, written information risk and information security management system. It is laid down in detail in numerous sets of rules and regulates in particular physical entry control and system access control as well as the processing and handling of customer data. The defendant has implemented strict entry and access controls, which include multi-factor authentication, detailed rules for assigning and handling passwords, and a granular rights and role concept under which customer data is assigned the highest available security level, "Strictly Confidential". The entry and access control measures mentioned are regularly checked to ensure that they are up to date and effective. Access to the document archive, among other things, is also controlled by measures for detection, monitoring and prompt response. In particular, user access is logged and documented by digital security services.

Furthermore, the defendant claims that it instructs its employees to keep the numerous existing security features (such as firewalls, virus scanners, VPN connections and encryption services) activated at all times and to use only approved hardware and software. Employees are regularly trained in compliance requirements, which include IT and information security and data protection. Employees are also made aware of reporting obligations, especially with regard to data incidents. The defendant regularly has external and internal tests and audits carried out, such as penetration and application tests and tests as part of the re-certification according to ISO 27001:2013. After the results of these tests have been evaluated, any optimization measures are implemented, and these are in turn verified and evaluated by means of so-called "re-tests". At the time of the data incident, the ISO 27001:2013 certification was valid for the period from March 12, 2018 to March 11, 2021 (Annex B1, p. 98 ff. of the case file). At the beginning of 2021, despite the data incident, the defendant received a new certificate after a successful re-certification audit (Annex B2, p. 102 ff. of the case file). TÜV Rheinland, as an independent testing body, certified to the defendant that "the management system of the organization meets the requirements of the standard(s) and is appropriately maintained and implemented", that it has "a mature approach to software development" and a "[high] security awareness of the stakeholders".

The defendant is of the opinion that it was a "collateral victim" of the cyber attack on CodeShip, but not of a "hack" of its system. The company-internal information was not made available by a (human) user, such as an employee of the defendant. The competent prosecuting authorities ruled that out after thorough investigation and examination. The unauthorized access was not foreseeable for the defendant, even despite appropriate security precautions.
For more details on the facts and the dispute, reference is made to the content of the pleadings exchanged between the parties and the attachments that were the subject of the oral hearing.
Reasons for decision:
I.

The action is admissible. The Regional Court of Cologne has local jurisdiction pursuant to §§ 44 Abs. 1 S. 1 DSGVO, 12 ZPO.

II.
The action is partially well-founded.

1.
The plaintiff is entitled to compensation for non-material damage under Art. 82(1) GDPR to the extent set out in the operative part. Under this provision, any person who has suffered material or non-material damage as a result of an infringement of this Regulation has the right to receive compensation from the controller or processor.

By not changing the access data provided to CodeShip after the end of the contractual relationship, the defendant violated its obligations under Art. 32 GDPR and Art. 5 GDPR. Under Art. 32 GDPR, the controller and the processor must, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Pursuant to Article 5(1)(f) GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

The Chamber assumes a violation of these requirements on the basis of the fact, undisputed between the parties, that the access data provided to CodeShip was not changed for several years after the end of the contractual relationship with that contractual partner. In doing so, the defendant created the risk that the data of those affected would be exposed to misuse not only in the event of deficiencies for which it was itself responsible, but also through access made possible intentionally or negligently by CodeShip employees. In view of the sensitivity of the stored customer data, the defendant cannot in particular claim that it could have assumed that the data would be permanently and completely deleted by CodeShip (likewise, in a parallel case, LG Munich I, judgment of December 9, 2021, 31 O 16606/20, juris, para. 36). In any case, a review of the deletion would have been called for, and the defendant does not submit that such a review took place.

The omission attributable to the defendant was, which is sufficient, at least a contributory cause of the damage suffered by the plaintiff (cf. LG Munich I, loc. cit., para. 39).

The plaintiff also suffered damage within the meaning of Art. 82 GDPR. Recitals 75 and 85 GDPR list examples of the specific impairments that can constitute "physical, material or non-material damage", such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation or any other significant economic or social disadvantage. According to recital 146 GDPR, the concept of damage must also be "broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation", and "data subjects should receive full and effective compensation for the damage they have suffered". The deterrent effect of the compensation is in the foreground here, which is to be achieved in particular by its amount. This idea also derives from Article 4(3) TEU. Under that provision, the Member States are required to sanction infringements effectively, because this is the only way to ensure effective enforcement of EU law, and thus also of the GDPR (LG Munich I, loc. cit., para. 41 with further references).

Based on the extent of the stolen personal data communicated to the plaintiff in the letter dated October 19, 2020, the defendant itself assumes, according to that letter, that attempts could be made to induce the data subjects to certain behaviour, in particular to prompt the disclosure of further confidential information or payments, and that there was a risk of the data being used for attempts at identity misuse. In the Chamber's opinion, against this background, the further circumstances of the plaintiff's actual or perceived impairment as a result of the incident, some of which are disputed between the parties, are not decisive.

The criteria of Art. 83(2) GDPR can be used to determine the amount of damages, such as the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned and the categories of personal data affected. Otherwise, the determination is the responsibility of the court pursuant to § 287 ZPO (LG Munich I, loc. cit., para. 44 with further references).

Here, when assessing the amount, it had to be taken into account that misuse of the data to the detriment of the plaintiff had not yet been established, and that for the time being there was therefore no risk. As the LG Munich I (loc. cit.) correctly worked out, however, the intention of the EU legislator to achieve a deterrent effect by means of the claim for damages must also be taken into account. In favor of the defendant, however, it is important, as already explained in the oral hearing, that the data protection violation attributable to it was only one of several causes which brought about the damage only in combination. This is because there was a further, at least negligent, violation on the part of CodeShip and, not least, the intentional unlawful action of the attackers themselves. It should also be taken into account that the defendant temporarily financed the "meine SCHUFA Plus" offer for the plaintiff. After weighing the relevant aspects, the Chamber therefore considers a payment of damages in the amount set out in the operative part to be appropriate.

The claim for interest is justified by §§ 291, 288 Para. 1 BGB.
2.
Since the chamber does not decide in the last instance, a preliminary ruling by the European Court of Justice is not required, even in accordance with the decision of the Federal Constitutional Court of January 14, 2021 - 1 BvR 2853/19.
III.
The ancillary procedural decisions are based on §§ 92(2) no. 2, 708 no. 11, 711 ZPO.

Amount in dispute: 5,001 euros.
[1] The court awarded the data subject lower damages than LG München - 31 O 16606/20.