Ransomware: Don’t be held hostage to your contractual obligations
Last month’s WannaCry ransomware attack affected more than 230,000 computers in over 150 countries. High-profile victims included the NHS, Nissan, FedEx, Telefonica, and Renault. But many thousands of others were also hit. The effect was crippling.
An immediate loss of IT systems and equipment would present a huge problem for most businesses. If goods cannot be produced or services cannot be rendered, customers will nevertheless expect you to meet your contractual obligations to them. If you do not then you may be on the receiving end of a claim for damages.
A good excuse?
As the victim of a cyber-attack, could you rely upon the fact that your inability to meet your obligations was not your fault? In legal terms, this is an argument that the contract has been frustrated by your inability to perform it.
In simple terms, the answer is probably not. Frustration cannot be argued when the contracting parties can foresee that a particular problem might occur. If a risk – such as a ransomware attack – is foreseeable, the law assumes that it is covered by the contract.
Furthermore, frustration cannot be argued if the problem has arisen because of a party’s own negligence. Accordingly, if your IT security is not up to scratch then you may not be able to rely on this doctrine.
Include a force majeure clause in your contracts that excuses one or both parties from their obligations if specific events such as a “cyber-attack” or “IT failure as a consequence of malicious third party software” occur.
Subject to ensuring that this clause is incorporated into the contract and not unreasonable (click here for a more detailed discussion of these aspects https://www.crippspg.co.uk/ransomware-using-contractual-terms-protect-consequences/) this provides a first line of defence against claims of damages from disappointed customers.
For further guidance and information on this topic please visit our restructuring & insolvency page