The legal term “state of the art” has received increased attention in recent years. Here’s what it means. And these measures can be taken.
What is the “state of the art”?
State of the art – this term is increasingly heard and read. It is used in various areas, including IT.
Since it is an indeterminate legal term, the meaning of “state of the art” turns out to be vague and sometimes subjective. In the german Jura Forum it is explained thus:
“The state of the art summarizes the technical possibilities that are guaranteed at the current point in time and that are in turn based on scientific and technical knowledge.
By the clause “state of the art” for example in contracts, it should be ensured that it comes to the use of the best available technology.”
The following paragraphs explain what the “best available techniques” or “state of the art techniques” mean in IT and especially in information security.
State of the art in information security
The further development of hardware and software is advancing steadily and rapidly. All systems that were considered high-end or cutting-edge a few years ago are now obsolete. Unlike hardware, software can be constantly improved, optimized and adapted with updates.
But at some point, the end of the line is reached here as well. The product life cycle ends and a new software and/or hardware generation takes over. At that point, the hardware and software that has been used up to now is no longer state of the art. It should be replaced – in some cases it even has to be.
Software that is provided with security updates by the respective manufacturer is generally recognized as state of the art.
Conversely, this means that software without manufacturer support is generally no longer considered state of the art! Measures must therefore be taken if the software in question is to continue to be used.
Extended support for Windows Server 2008 R2 SP 1 ended at the beginning of 2020, which means that from this point on, the operating system was no longer a “state of the art techniques”
Windows 11 is here. Companies should definitely find out when the official end of support for Windows 10 begins.
What does the GDPR have to do with the state of the art?
One important reason why IT managers in particular are increasingly talking about the state of the art is the General Data Protection Regulation (GDPR).
Supposedly simple things such as transferring data from A to B or using personal data for a purpose other than that for which it was intended are prohibited under the GDPR without a permit. And state of the art measures are required to protect personal data.
If companies collect and process employee and customer data with systems that do not comply with the state of the art, this may already constitute a violation of the GDPR, which applies throughout Europe.
In the event of data protection violations, the national supervisory authorities levy fines. These can be very high! Even minor violations can cost a company six-figure sums, while serious incidents are sanctioned with up to 20 million euros or up to 4% of the total global annual turnover according to Art. 83 of the GDPR.
IT security law and other legislative measures
Even apart from sanctions such as fines, every company is obliged
to keep its customers’ information and its own information secret and secured [confidentiality]
to secure its own systems against intentional or unintentional manipulation by means of various measures [integrity]
to make information available in a stable and efficient manner [availability]
To ensure that these very important targets are turned into real measures, the IT SiG (IT Security Act) was passed back in 2015. The German Federal Office for Information Security (BSI) comments:
“The aim of the IT Security Act is to improve IT security at companies and in the federal administration, as well as to provide better protection for citizens on the Internet.”
The IT Security Act, the GDPR and other ordinances, regulations/laws and recommendations are intended to ensure that IT security in Germany and Europe is advanced in line with the current state of the art.
Among other things, the Critical Security Controls (CSC) of the Center for Internet Security (CIS), which we highly recommend as a CIS member, can support this.
Measures for state of the art techniques
Here some examples:
- Enforcement of strong passwords
- Use of trusted connections to company networks such as VPNs
- Encryption of hard disks, files, and folders
- Increasing router security
- Proper communication via instant messenger
- Implementation of system hardening measures, e.g. with the Enforce Administrator
- Regular audits, e.g. compliance checks for Windows 10
Even if the state of the art is not exactly defined legally, there are some sources and references which describe the term and its application very well.
Securing and the hardening of It systems as well as protecting data and information are not lapidary matters! They are essential for the business and continued existence of companies.