January, 2015
Volume 2, Issue 1
 
THE BUSKLAW NEWSLETTER
 

 
MANY LAWYERS WRITE CONTRACTS.

I WRITE CONTRACTS IN PLAIN ENGLISH.

I SPECIALIZE IN INFORMATION TECHNOLOGY TRANSACTIONS.

I HAVE OTHER CORPORATE LAW EXPERTISE TOO.
Focus on:

Contractual Liability for Damages Caused by Malicious Code
 
Most information technology contracts contain vendor-oriented liability limitations or exclusions for damages caused by malware or viruses in the product being acquired. Vendors argue that their products would cost a lot more if they had to be liable for these damages. They also contend that the likely result of malicious code is customer data loss or corruption, but the customer should be responsible for backing up its data and restoring to a previous uncontaminated version if need be. They point out that it is nearly impossible to put an objective price tag on the loss of customer data. And they don’t want to give a blank check to the customer under these circumstances.
 
In the context of data loss, these arguments have some validity. But there is a recent case of malware causing physical damage as described by Wired Magazine here: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/. This article reports that hackers penetrated an unnamed steel mill in Germany and disrupted control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
 
What this means for IT customers is clear: pay careful attention to the risk-shifting provisions in your vendor contracts! Make sure that the damages exclusion or limitation provisions don’t let the vendor off the hook for physical property loss or damage caused by malware in the vendor’s system or software. And make sure that the vendor can’t argue that the normal contractual provision excluding indirect, incidental, or consequential damages extends to loss or damage to physical property. And if there is a limitation on direct damages for physical property loss or damage, the dollar amount of the limitation should be based on a reasonable assessment of what the customer could lose if the malware in the vendor’s product gets loose inside the customer’s network.
 
Finally, IT customers should obtain cyber risk insurance and make sure that there are no exclusions in the policy that would apply to exclude the insurer’s obligation to pay for physical loss or damage resulting from a hacker’s intrusion.  In my experience, cyber risk insurance has grown more affordable in recent years, and the scope of insurable occurrences has broadened (and the list of policy exclusions has decreased). If you don’t yet have cyber risk insurance, it is definitely worth investigating! But don't buy the policy without having an experienced attorney review it. (Note that your insurance broker has a vested interest in just selling you the policy.) 

 
LEGAL DECISION OF NOTE:
The case of Doe v. Henry Ford Health System decided by the Michigan Court of Appeals on December 18, 2014.
 
Why is this decision important?  

Because the court decided that "actual injury" is necessary for plaintiff to recover damages in data breach incidents. And damages can't be "presumed" from the hacker's intrusion into a network containing plaintiff's personal information. Plaintiff must suffer actual damages to establish Defendant's liability for them; e.g., the cost of correcting identity theft resulting from the hacker's theft of the plaintiff's personal information. This is now the law in Michigan, unless the decision is appealed to and reversed by the Michigan Supreme Court.
PLAIN ENGLISH ARTICLE OF THE MONTH 

My article, "Fighting the Good Fight: Plain-Language Tales from the Corporate Trenches," was published in the January, 2015 issue of the Michigan Bar Journal.
 
Chadwick C. Busk
 
ABOUT CHAD:
 
For 34 years, as in-house counsel, I handled the legal aspects of all IT deals for a major West Michigan retailer.
I reviewed, drafted, and negotiated a lot of other contracts too. 

I write contracts in Plain English, i.e., with no legal jargon.
I'm a 1974 Hope College graduate (magna cum laude) and a 1977 graduate of Notre Dame Law School.
I retired from my in-house position in June, 2014, to focus on writing contracts extremely well for the benefit of my corporate clients.  
Follow Me on Twitter
I'm on LinkedIn
HOW TO GET PREVIOUS BUSKLAW NEWSLETTERS:

Interested in BUSKLAW Newsletters from prior months? Here are the links: 

 
Month/Year | Topic | Link
September 2014 | Why Plain English | http://eepurl.com/2o_Jv
October 2014 | IT SOWs from the Customer’s Perspective | http://eepurl.com/4N4v5
November 2014 | Master Professional Services Agreements | http://bit.ly/1I0RhUc
December 2014 | How NOT to Form a Contract by Your Email | http://eepurl.com/-imVf
 
 

Please visit my website for more articles and more about my areas of expertise. 

Let me know if there are any legal topics related to commercial or IT contracts that you would like me to discuss in future newsletters. 

 

And please consider sharing this newsletter with your colleagues! 

DISCLAIMER AND CONTACT INFORMATION:

Copyright © 2015 BUSKLAW PLC. All rights reserved.


Nothing in this newsletter can be construed to be legal advice or create an attorney-client relationship with the reader. If you would like to find out more about me or my services, please email me or call me at 616-951-3947. 


My email address is: 
busklaw@charter.net
