Email Security: Protecting Messages from Dangers (Ruling)

Digitalization is advancing, and with it the importance of secure communication. A recent court ruling makes clear how important adequate security measures are when sending e-mails – especially when it comes to financial transactions. What does that mean for companies? And which encryption methods are really safe?

Court ruling: Inadequate security can be costly

A company was recently sued in court because an invoice it had sent was manipulated in a hacker attack. The customer refused to pay the fake invoice, and the court ruled in his favor! The reason: The company had taken insufficient security measures when sending the invoice.

The judgment of the Schleswig-Holstein Higher Regional Court of 18.12.2024 (Case No. 12 U 9/24) makes it clear: Companies are liable under the General Data Protection Regulation (GDPR) if they do not sufficiently protect sensitive data. The mere use of transport encryption is not sufficient, especially when high financial risks are involved. An appeal on points of law (Revision) against the judgment was allowed.

Another court has decided otherwise, at least for authorities: On 20 February 2025 (Case No. 16 B 288/23), the OVG Münster decided that authorities are not required to send emails with end-to-end encryption.

The court decisions have the following impact on secure e-mail communication:

[Diagram. Content of the diagram: Dr. DSGVO. Generated with the help of AI; the image was automatically translated.]

The Importance of Encryption for Secure Emails

The foundation for secure e-mails is encryption. This technology serves to protect sensitive information during transmission and keep it from unauthorized access.

Imagine your email is like a letter that passes through various hands before it reaches its recipient. Without encryption, the content of the letter would be accessible to anyone who holds it. Encryption, on the other hand, ensures that the content of your email can only be read by the sender and the recipient.

Emails can be read on the internet, so end-to-end encryption protects sensitive data. Hybrid encryption methods combine procedures for secure communication. Digital signatures guarantee the integrity of emails.

There are two main types of encryption: transport encryption and end-to-end encryption. E-mails are usually encrypted during transport today, but they are not end-to-end encrypted.

Transport encryption protects your emails during transport between your email program and your provider's server. Many email providers support this type of encryption to secure your data from the start.

End-to-end encryption offers even higher protection. This technology encrypts your emails so that only the sender and recipient can decrypt them. Even your email provider cannot see the content of your messages.

In relation to the verdict, this means:

  • Transport encryption: Protects data during transmission from A to B. Imagine it like a sealed envelope protected on its way to the post office. But that's not enough for the court, because the transport service provider is officially not as trustworthy as Deutsche Post.
  • End-to-End Encryption: Encrypts data so that only the sender and recipient can read it. The sender encrypts the data, and only the recipient can decrypt it with a key. The email provider has no access to the content. The court emphasized that end-to-end encryption is the appropriate protection when transmitting invoices with potentially high financial risks. While transport encryption is better than no encryption at all, it does not provide comprehensive protection against targeted attacks.

For end-to-end encryption, sender and recipient must come to an individual arrangement with each other. Typically this is done by exchanging keys or electronic certificates.

With end-to-end encryption, communication between you and the recipient is absolutely secure. There are various plugins for email clients that allow you to activate this type of encryption. The use of end-to-end encryption is particularly important when exchanging sensitive information such as passwords, financial data or personal matters via email.

Digital Signatures: Security through Authentication

In addition to encryption, digital signatures provide another important protection mechanism for your emails.

A digital signature is like an electronic signature that you can attach to your e-mails. This signature confirms that the message actually comes from you and has remained unchanged. The recipient can verify this signature to ensure that the email is authentic and has not been tampered with.

Digital signatures are particularly useful for important business communications or when you want to ensure that your messages have not been altered.

The Right Choice: Encryption vs. Digital Signature

Both encryption and digital signatures contribute to the security of your e-mails but serve different functions.

Encryption protects the content of your emails from unauthorized access, while digital signatures confirm the authenticity of the message. In many cases, it makes sense to combine both technologies to ensure comprehensive protection for your communication.
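
To make the difference between the two mechanisms concrete, the following added example (not part of the original article) classifies an outgoing message by the end-to-end protection declared in its MIME structure and applies an assumed release policy for sensitive mail. The function names, the policy values send/review/hold and the sample messages are constructed for illustration.

```python
from email import message_from_string

SIGNATURE_PROTOCOLS = {"application/pgp-signature", "application/pkcs7-signature",
                       "application/x-pkcs7-signature"}

def protection(raw: str) -> set:
    """End-to-end protections declared on the outer MIME layer of a message.
    Checks structure only; it does not verify any signature or key."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    smime = str(msg.get_param("smime-type") or "").lower()
    found = set()
    if ctype == "multipart/signed" and proto in SIGNATURE_PROTOCOLS:
        found.add("signed")          # detached OpenPGP or S/MIME signature
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        found.add("encrypted")       # PGP/MIME
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if smime == "enveloped-data":
            found.add("encrypted")   # S/MIME; an inner signature is not visible here
        elif smime == "signed-data":
            found.add("signed")      # S/MIME opaque signature
    return found

def release_decision(raw: str, sensitive: bool) -> str:
    """Assumed policy: sensitive mail (invoices, payment requests) needs encryption."""
    found = protection(raw)
    if not sensitive or "encrypted" in found:
        return "send"
    return "review" if "signed" in found else "hold"

# Constructed sample messages; bodies are placeholders, not real cryptographic data.
HEAD = "From: billing@example.com\nTo: customer@example.org\nSubject: Invoice\n"
PLAIN = HEAD + "Content-Type: text/plain\n\nPlease transfer the amount due.\n"
SIGNED = (HEAD + 'Content-Type: multipart/signed; micalg=sha-256; boundary="b";\n'
          ' protocol="application/pkcs7-signature"\n\n'
          "--b\nContent-Type: text/plain\n\nPlease transfer the amount due.\n"
          "--b\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER\n--b--\n")
ENCRYPTED = (HEAD + "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n"
             ' name="smime.p7m"\n\nPLACEHOLDER\n')

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("signed", SIGNED), ("encrypted", ENCRYPTED)):
        print(name, sorted(protection(raw)), release_decision(raw, sensitive=True))
```

A message that was only transport-encrypted looks like the plain sample here, because TLS leaves no trace in the MIME structure; a signed-only message is tamper-evident but still readable by every provider that handles it.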

The burden of proof lies with the company

Also important: Companies must prove that they have taken all necessary security measures. If data are compromised due to inadequate security precautions, the company must demonstrate that it has fulfilled its duty of care.

What does this mean for companies?

In contrast to authorities, companies now have more homework to do in practice:

  • Risk assessment: Consider the specific risk and potential damage when choosing an encryption method.
  • End-to-End Encryption: Use end-to-end encryption for sensitive data, especially invoices and payment requests.
  • Documentation: Document all security measures so that in case of an incident you can prove that you have fulfilled your duty of care.
  • Training: Train your employees in handling sensitive data and secure communication methods.

The following diagram illustrates the consequences of these judgments in sending e-mails:

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
