Update Data Protection No. 201
Compensation for insecure invoice delivery – The Higher Regional Court of Schleswig-Holstein sets high standards for data security
In its judgment of December 18, 2024 (Case No. 12 U 9/24), the Higher Regional Court of Schleswig-Holstein ruled that a craft business cannot demand payment again if an invoice was sent by email without sufficient security measures and was subsequently manipulated.
The judgment sets new standards for data protection requirements in digital business transactions and could have significant practical consequences for companies.
The facts of the case: Invoice fraud through manipulated e-mail
A craft enterprise issued a final invoice in the amount of € 15,000 to a private customer. This was sent as a PDF attachment by email. Unknown third parties intercepted the email in transit, manipulated the account data listed in the PDF and forwarded it to the defendant.
The customer then paid the invoice not to the company's account but to the account substituted by the fraudsters. When the craft company subsequently demanded payment a second time, the customer refused on the grounds that the unsecured transmission of the invoice by email had been negligent and that she had suffered damage as a result.
The district court had initially ruled in favor of the company. However, the Higher Regional Court of Schleswig-Holstein overturned that decision and found that the defendant was entitled to damages under Art. 82 GDPR, which she could set off against the company's payment claim.
Insecure transmission – Violation of the GDPR
The court found that the company had violated the principles of the General Data Protection Regulation (GDPR) by sending the invoice unencrypted.
In particular, the relevant provisions are:
- Art. 5 para. 1 lit. f GDPR: Companies must process personal data securely.
- Art. 24 GDPR: Controllers must implement appropriate technical and organizational measures to protect the data.
- Art. 32 GDPR: The controller shall adapt the level of security to the existing risk.
In the opinion of the Higher Regional Court, the transport encryption (TLS) used by the company was insufficient to ensure the protection of personal data: TLS protects a message only on the hop between mail servers, not while it is stored or relayed on intermediate systems. End-to-end encryption would have been necessary to prevent unauthorized manipulation of the invoice.
Since the company had not ensured this protection, the Higher Regional Court of Schleswig-Holstein ruled that the company had culpably and unlawfully processed personal data and therefore affirmed the defendant's claim for damages under Art. 82 GDPR.
What does the ruling mean in practice?
If the ruling stands, it will significantly raise the requirements for sending invoices securely by email.
1. Companies are liable for inadequately protected invoices
The judgment makes it clear that companies are liable for insecure data transfers if this results in financial damage to the customer. Companies must therefore ensure that technical protective measures meet the requirements of the GDPR.
2. End-to-end encryption as a new minimum requirement?
Until now, transport encryption (TLS) has been considered sufficient for business transactions. However, the Higher Regional Court of Schleswig-Holstein goes beyond this practice and considers end-to-end encryption to be necessary for security-critical documents such as invoices.
However, this view contradicts previous case law, in particular a ruling by the Higher Regional Court of Karlsruhe (Case No. 19 U 83/22), which decided that end-to-end encryption is not required for sending invoices.
In its guidance of June 16, 2021, the Data Protection Conference (DSK) also stated that transport encryption is generally sufficient as long as no special categories of personal data according to Art. 9 GDPR are affected.
The ruling also does not refer to end-to-end encryption as the only possible measure. It would also be conceivable to secure the PDF with electronic signatures or similar.
3. New risks for actions for damages
The judgment could also lead to an increase in claims for damages under Art. 82 GDPR. Customers who are victims of invoice fraud could increasingly invoke this judgment to refuse to make a further payment.
Furthermore, the question arises as to whether “professional” plaintiffs could use this judgment to assert claims for damages in the event of insecure invoice transfers.
What do companies need to do now?
The judgment makes it clear: companies need to review their internal security measures and, if necessary, adapt them to avoid claims for damages and legal risks.
The following measures are highly recommended:
- Implement secure email encryption: Measures to prevent the manipulation of content should be reviewed and introduced.
- Use digital signatures: These help to ensure the authenticity of invoices.
- Consider alternative transmission methods: Sending invoices via secure customer portals or by post can be a secure alternative.
- Verify bank details: new or changed account details should be confirmed via a second communication channel (e.g. by telephone or letter).
- Inform customers about security measures: companies should actively inform customers that they should check invoices for forgeries and confirm bank details.
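The two technical measures above that do not depend on the mail transport, a digital signature over the invoice and an out-of-band check of the bank details, can be illustrated in a few lines. The following Go program is an added example written for this update; it is not code from the court case, the DSK guidance or any named product. It assumes an Ed25519 key pair whose public key the customer obtained once via a trusted channel, a constructed plain-text invoice standing in for the PDF (with a placeholder IBAN), and a confirmed IBAN that the customer previously verified by telephone. Verification fails for any byte changed after signing, and the second-channel check flags an IBAN that differs from the one on record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SampleInvoice is a constructed stand-in for the invoice PDF's content.
// The IBAN is a placeholder, not a real account.
const SampleInvoice = "Invoice 2024-0815\nAmount: EUR 15000.00\nIBAN: DE00 0000 0000 0000 0000 00\n"

// ConfirmedIBAN is the account number the customer verified out of band
// (e.g. by telephone) before the first payment; placeholder value.
const ConfirmedIBAN = "DE00 0000 0000 0000 0000 00"

// GenerateInvoiceKeys creates the issuer's Ed25519 key pair. In practice the
// public key would be handed to customers once, via a trusted channel.
func GenerateInvoiceKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignInvoice produces a detached signature over the exact invoice bytes.
func SignInvoice(priv ed25519.PrivateKey, invoice []byte) []byte {
	return ed25519.Sign(priv, invoice)
}

// VerifyInvoice reports whether sig is a valid signature of invoice under pub.
// Any change to the bytes, including a swapped IBAN, makes this return false.
func VerifyInvoice(pub ed25519.PublicKey, invoice, sig []byte) bool {
	return ed25519.Verify(pub, invoice, sig)
}

// ExtractIBAN returns the account number stated on the invoice, or "" if none.
func ExtractIBAN(invoice string) string {
	for _, line := range strings.Split(invoice, "\n") {
		if strings.HasPrefix(line, "IBAN:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "IBAN:"))
		}
	}
	return ""
}

// BankDetailsMatch implements the second-channel check: the IBAN on the
// received invoice must equal the one confirmed independently.
func BankDetailsMatch(invoice, confirmedIBAN string) bool {
	return ExtractIBAN(invoice) == confirmedIBAN
}

// ReplaceIBAN rewrites the IBAN line. It is used here only to construct the
// test input that models an invoice altered after it was sent.
func ReplaceIBAN(invoice, newIBAN string) string {
	lines := strings.Split(invoice, "\n")
	for i, line := range lines {
		if strings.HasPrefix(line, "IBAN:") {
			lines[i] = "IBAN: " + newIBAN
		}
	}
	return strings.Join(lines, "\n")
}

func main() {
	pub, priv, err := GenerateInvoiceKeys()
	if err != nil {
		panic(err)
	}
	sig := SignInvoice(priv, []byte(SampleInvoice))
	altered := ReplaceIBAN(SampleInvoice, "DE99 9999 9999 9999 9999 99")

	fmt.Println("original signature valid:", VerifyInvoice(pub, []byte(SampleInvoice), sig))
	fmt.Println("altered signature valid: ", VerifyInvoice(pub, []byte(altered), sig))
	fmt.Println("original IBAN confirmed: ", BankDetailsMatch(SampleInvoice, ConfirmedIBAN))
	fmt.Println("altered IBAN confirmed:  ", BankDetailsMatch(altered, ConfirmedIBAN))
}
```

A detached signature only helps if the recipient actually verifies it and holds the issuer's public key from a source other than the email itself; the second-channel IBAN comparison is the cheaper control and catches the manipulation in the case above even where no signature is in use.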
Conclusion: More responsibility for companies in digital business transactions
The judgment of the Higher Regional Court of Schleswig-Holstein sets a clear signal for higher security requirements when sending digital invoices.
Companies must now ensure that their IT security measures meet the increased requirements. Otherwise, they may face not only fines but also claims for damages that could be based on this judgment.