Contractual Liability for Damages Caused by Malicious Code
Most information technology contracts contain vendor-oriented liability limitations or exclusions for damages caused by malware or viruses in the product being acquired. Vendors argue that their products would cost a lot more if they had to be liable for these damages. They also contend that the likely result of malicious code is customer data loss or corruption, but the customer should be responsible for backing up its data and restoring to a previous uncontaminated version if need be. They point out that it is nearly impossible to put an objective price tag on the loss of customer data. And they don’t want to give a blank check to the customer under these circumstances.
In the context of data loss, these arguments have some validity. But there is a recent case of malware causing physical damage as described by Wired Magazine here: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/. This article reports that hackers penetrated an unnamed steel mill in Germany and disrupted control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
What this means for IT customers is clear: pay careful attention to the risk-shifting provisions in your vendor contracts! Make sure that the damages exclusion or limitation provisions don’t let the vendor off the hook for physical property loss or damage caused by malware in the vendor’s system or software. Make sure, too, that the vendor can’t argue that the usual contractual exclusion of indirect, incidental, or consequential damages extends to loss or damage to physical property. And if there is a cap on direct damages for physical property loss or damage, the dollar amount of that cap should be based on a reasonable assessment of what the customer could lose if the malware in the vendor’s product gets loose inside the customer’s network.
Finally, IT customers should obtain cyber risk insurance and make sure that the policy contains no exclusion that would relieve the insurer of its obligation to pay for physical loss or damage resulting from a hacker’s intrusion. In my experience, cyber risk insurance has grown more affordable in recent years, and the scope of insurable occurrences has broadened (and the list of policy exclusions has decreased). If you don’t yet have cyber risk insurance, it is definitely worth investigating! But don’t buy the policy without having an experienced attorney review it. (Note that your insurance broker has a vested interest in just selling you the policy.)
Because the court decided that "actual injury" is necessary for plaintiff to recover damages in data breach incidents. And damages can't be "presumed" from the hacker's intrusion into a network containing plaintiff's personal information. Plaintiff must suffer actual damages to establish Defendant's liability for them; e.g., the cost of correcting identity theft resulting from the hacker's theft of the plaintiff's personal information. This is now the law in Michigan, unless the decision is appealed to and reversed by the Michigan Supreme Court.
Nothing in this newsletter can be construed to be legal advice or create an attorney-client relationship with the reader. If you would like to find out more about me or my services, please email me or call me at 616-951-3947.