Who is Liable for a Virus Infection?

Not all viruses or trojans are sent on purpose. It would be disastrous if the long-awaited e-mail from your friend turned out to be a file terminator and all digital company data were lost. Who will pay the repair bill?


German tort law says that whoever purposely or negligently damages somebody's property is liable for damages (§823 BGB). Liability is beyond question where a virus is distributed on purpose. The question is more difficult where an infection is passed on negligently. Does the transmitter of a virus have a duty to protect his PC against such malware (= software whose only purpose is to spy and/or cause damage)? Supposing there is such a duty, was it breached, or did he fail to comply with it (forbearance)? Liability can also be derived from contractual relationships. Whoever promises that his or her software is virus-free can be held liable if that is not the case.

In this article, we will explore the case of negligent infection. Strictly speaking, there is no legal rule saying that you must prevent damage to somebody else. However, if you open a source of danger, you are responsible for ensuring that nobody is hurt. In German, this is called “Verkehrssicherungspflicht”. Of course, a computer is, by itself, nothing dangerous. Some professionals argue that viruses are no special danger. They are so common that they can be considered the “online risk”, a risk so general that nobody can be held responsible. The danger of infection is usually so high that antivirus software belongs on every computer. On this view, the receiving person must therefore take security precautions at his or her own cost and own risk.

The standing case law of the Federal Court of Justice shows that persons sending e-mails ought to take reasonable, i.e. economically reasonable, precautions to protect others from danger. If you, as a private person, have free antivirus software and update it regularly, that is the absolute minimum expected of you. Nowadays, however, the standard is to also have firewalls and patches for all installed programs. This, however, is only true for private persons.

Professionals are expected to do much more. The Gesetz zur Kontrolle und Transparenz im Unternehmen (= Act on Controlling and Transparency in Companies) provides for IT risk analysis, a secure infrastructure and regular staff training. On top of that, the Federal Data Protection Act (Bundesdatenschutzgesetz) demands special protection of personal data. These tasks cannot be delegated to the staff. If this were done, any resulting damage could be claimed on the grounds of “Organisationsverschulden”, or organizational negligence. Do not forget that this is theory and not practice.

Will you, as a business, be liable for damages for breaking data protection law? Legal opinions differ. One thing is sure: you will not be liable for merely deleting, destroying or damaging personal data. Liability can arise from incorrect data or from disclosing data to third parties.

Should somebody want to hold you liable, your first defense will be to argue that the virus is so new that your regularly updated antivirus software apparently did not have a patch against it. Negligence can only be assumed if existing protection software could have recognized and removed the problem.

A word on penal law in this matter: negligently passing on a virus or malware is not subject to penal prosecution (§§202a, 303a, 303b StGB)!

Published on the old CMS: 2007/2/11