Two cases, one problem: invoice fraud by email
Two recent judgements - from the Higher Regional Court of Karlsruhe and the Higher Regional Court of Schleswig-Holstein - concerned invoices that were sent by email. In both cases, the invoices were manipulated and the recipients paid into the false accounts specified in the manipulated invoices. The money was lost and could not be recovered. The question was whether the recipients had to pay again, or who should bear the loss. The courts came to different judgements - with far-reaching consequences for companies.
TLS vs. E2EE: What really protects?
In its judgement, the Schleswig-Holstein Higher Regional Court effectively demanded the introduction of end-to-end encryption (E2EE) for sending invoices and other critical emails. However, according to Dr Thomas Lapp, specialist lawyer for IT law and Chairman of NIFIS e.V., this view falls short of the mark:
‘E2EE protects confidentiality - but not the authenticity or integrity of a message.’
Even an encrypted email can be manipulated if the recipient does not know for sure who sent it. The solution therefore lies not only in encryption, but also in the electronic signature.
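The difference can be shown in a few lines of Node.js. This is an added example, not part of the original article: the keys are generated on the spot, the invoice texts and IBANs are constructed, and a plain Ed25519 signature stands in for the electronic signature (without the qualified certificate that ties a key to an identity).

```javascript
const crypto = require('node:crypto');

// Throwaway keys generated for this demo; all invoice data below is constructed.
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const supplier = crypto.generateKeyPairSync('ed25519'); // genuine sender
const stranger = crypto.generateKeyPairSync('ed25519'); // anyone else

const genuine = 'Invoice 1001, amount 4,200.00 EUR, pay to IBAN DE00 1111 1111 1111 1111 11';
const altered = 'Invoice 1001, amount 4,200.00 EUR, pay to IBAN DE00 9999 9999 9999 9999 99';

// Encryption needs only the recipient's PUBLIC key, so any party can produce it.
function encryptFor(publicKey, text) {
  return crypto.publicEncrypt(publicKey, Buffer.from(text, 'utf8'));
}

function decryptWith(privateKey, ciphertext) {
  return crypto.privateDecrypt(privateKey, ciphertext).toString('utf8');
}

// Signing needs the sender's PRIVATE key (Ed25519 takes null as the digest name).
function sign(privateKey, text) {
  return crypto.sign(null, Buffer.from(text, 'utf8'), privateKey);
}

// The recipient checks the text against the public key it already trusts.
function isAuthentic(trustedPublicKey, text, signature) {
  return crypto.verify(null, Buffer.from(text, 'utf8'), trustedPublicKey, signature);
}

function runDemo() {
  // Encryption only: the altered invoice decrypts as cleanly as the genuine one.
  const decryptedGenuine = decryptWith(recipient.privateKey, encryptFor(recipient.publicKey, genuine));
  const decryptedAltered = decryptWith(recipient.privateKey, encryptFor(recipient.publicKey, altered));

  const supplierSig = sign(supplier.privateKey, genuine);
  return {
    bothDecrypt: decryptedGenuine === genuine && decryptedAltered === altered,
    genuineVerifies: isAuthentic(supplier.publicKey, decryptedGenuine, supplierSig),
    // Original signature reused on changed text: integrity check fails.
    alteredWithOldSig: isAuthentic(supplier.publicKey, decryptedAltered, supplierSig),
    // Changed text re-signed with a different key: authenticity check fails.
    alteredResigned: isAuthentic(supplier.publicKey, decryptedAltered, sign(stranger.privateKey, altered)),
  };
}

console.log(runDemo());
```

Decryption succeeds for both invoices, so a successful decrypt says nothing about the sender; only the signature check against the supplier's known public key separates the genuine invoice from the altered one.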
The better solution: qualified electronic signature (qeS)
The qeS is the legally secure proof that a message is unchanged and authentic. It is equivalent to a handwritten signature (Section 126a BGB) and can be used even more easily in future with modern tools such as the EU Digital Identity Wallet. The EU DI Wallet is part of the new German government's digital strategy.