Ransomware: using contractual terms to protect yourself from the consequences

9 June, 2017

Malicious content infecting the computer systems of your business, and particularly ransomware, can have a devastating impact on your business. This article looks at the contractual provisions that you can use to try to mitigate the impact of such an event if it affects the delivery of your services to customers or other third parties.

 

What is ransomware?

Ransomware is a malicious program that infects internet-connected computers like a virus. Once activated, it can lock down documents, folders and other data, and even render the entire machine inoperable. The victim is then told that their computer will only be unlocked if they pay a ransom. Unfortunately, there is no guarantee that the computer will be unlocked – or that files will not be permanently destroyed – even if the ransom is paid. Ransomware is one of many cyber-threats that exist today.

An immediate loss of IT systems and equipment would present a huge problem for most businesses. If goods cannot be produced or services cannot be rendered, customers will nevertheless expect you to meet your contractual obligations to them.

 

A good excuse?

If you do not fulfil your side of the bargain, the other party may seek to recover the losses that they have suffered as a result of your breach of contract. As the victim, could you rely upon the fact that your inability to meet your obligations was not your fault? In legal terms, this is an argument that the contract has been frustrated by your inability to perform it.

But frustration cannot be argued when the contracting parties can foresee that a particular problem might occur. If a risk – such as a ransomware attack – is foreseeable, the law assumes that it is covered by the contract. Any losses arising as a result of that risk and consequent breach of contract will be borne by the defaulting party.

Furthermore, frustration cannot be argued if the problem has arisen because of a party’s own negligence. Investing in cyber-security is normal in today’s business world; whilst in the past it may have been wise and prudent to specifically invest in anti-ransomware solutions, there may come a point – if it hasn’t arrived already – at which doing so simply meets a common level of business competence. The prevalence and increased awareness of ransomware may be creating an expectation that businesses take measures to guard against it. In other words, guarding against the risk of ransomware may become the new normal. The courts will not allow a business to rely on an event which “it had means and opportunity to prevent but nevertheless caused or permitted to come about.”[1]

 

A better way

While it is unlikely that 100% IT protection can be guaranteed whatever systems you have in place, contractual terms can be used to mitigate your losses if the worst does occur.

Many contracts include a force majeure clause that excuses one or both parties from their obligations if specific events get in the way. Examples of such events include war, acts of God, fire, industrial action, epidemics, or government or public authority action. Consideration might be given to including events such as “cyber-attack” or “IT failure as a consequence of malicious third party software” in a force majeure clause.

However the event is defined, the clause should state what will happen to the contract if it occurs: will the contract be suspended or terminated; will one party be absolved of liability; or does one party have to first take all reasonable steps to fulfil its obligations?

Unless your contract provides you with a “way out” when unexpected difficulties arise, your business may find itself hostage to its own obligations. As the bar for arguing frustration can be high, you may either have to go to great expense to fulfil your obligations by other means, or leave yourself open to a claim for the damage suffered by the other party.

A specific force majeure clause might help you to walk away from a bad situation and mitigate your losses when the worst happens.

 

Terms and Conditions

Most business relationships are not carried out under bespoke contracts but under the standard terms and conditions of one party or the other. If a cyber-attack could leave you unable to deliver your services, and that could result in claims being made against you, then you should ensure that:

  • Your terms and conditions are the ones forming the basis of the contract;
  • Those terms and conditions contain a clause which excludes liability in the event of a cyber-attack.

You should note that, where another party is contracting on the basis of your standard terms and conditions and these exclude liability, it is likely that the terms will have to pass a reasonableness test.

 

Conclusions

Your contractual terms with customers will not prevent a cyber-attack, but they may seriously reduce the resulting damage to your business by limiting claims for damages from those customers to whom you are unable to provide services.

 

[1] The Super Servant Two [1990] 1 Lloyd’s Rep. 1