EuroCloud: State Searches as an Important Component of IT Security Policy

  • Guidelines support providers in dealing with investigative officers
  • Balancing act between cooperation and obligations to customers

It may not happen often, but when it does, it is invariably unexpected: public prosecutor investigations can affect any IT, data, and service provider. The level of the associated risk varies, depending on which services are offered and who a provider’s customers and clients are. One way or another, there is a danger that investigations taking place at the provider could result in major collateral damage. And once the public prosecutor, police, tax, or customs investigating officers are standing at your door to conduct a search, it is far too late to start thinking about the right course of action. In a current set of guidelines, EuroCloud, in cooperation with the German law firm Derra, Meyer & Partner Attorneys-at-Law, explains what needs to be considered in advance and what rights and obligations are associated with the actual search.

“The investigations signify a legal disruption of the technical and organizational measures that are designed to protect the company’s IT from attacks and outages. Depending on the process, the state search can have the same impact as an IT security incident. This is why it is essential to view the preparation for a state search as an integral component of your IT security policy,” urges Andreas Weiss, Director of EuroCloud Deutschland_eco e. V.

For providers in particular, the search is a fine balancing act. On the one hand, no one is forced to either actively participate in the investigation or to voluntarily provide information. On the other hand, a provider is contractually obliged to protect its customers. “If the provider is not prepared for the measure and this leads to damage to customers against whom the investigative measure is not directed, a liability risk exists for the provider,” stresses Dr. Jens Eckhardt, EuroCloud Board Member for Legal & Compliance and co-author of the guidelines.

Define processes in advance

It is therefore important to familiarize yourself with the legal framework in advance and to define the measures to be taken in the event of searches, seizures, or requests for information. As is customary in IT security, the process should be tested in practice, because in most cases it is only then that the real problems become apparent.

Amongst the most important parameters to be defined in advance are:

  • Who has to inform whom (think in terms of management, defense lawyer, attorney, …)?
  • Who on the part of the company will coordinate the communication with the leading investigative officer and the company lawyers?
  • To what extent may employees cooperate – and where do the limits lie?
  • What information is permitted?

You will find further important details, checklists, and helpful information in the guidelines “State Searches as an Important Component of IT Security Policy”, the complete version of which can be downloaded here. These guidelines bring the reader up to speed on the most important questions to be considered in their IT security policy when it comes to defining a process description for the state search scenario. In addition, readers will receive information on how to deal correctly with “requests to preserve evidence” issued by law enforcement authorities, as well as what they should bear in mind if they become aware of content relevant to criminal law.