Posted March 20, 2014
Law Seminars International hosted a thought-provoking teleconference event last week on “Contractual Protections for Cyber Attacks.” While most information security presentations emphasize technology solutions, this one focused on the legal aspects of cyber attacks for attorneys, risk management professionals, and contract professionals, and specifically on the importance of updating contracts to protect your business.
There is no denying that the frequency and severity of cyber attacks are on the rise among businesses of all sizes and in all verticals. The attacks are far-reaching, causing potentially irreparable damage, including fraud, theft of intellectual property and personally identifiable information (PII), network outages, and serious harm to brands and reputation. While these problems were historically the province of information technology (IT) and security departments, recent large-scale attacks have escalated them to a C-level and board-level concern.
The speakers, a distinguished team of legal experts, discussed the benefits of updating contracts as a solution to this pervasive issue, and how those provisions can help prevent substantial costs, breach of contract due to inability to perform, and damaged customer perception.
Are Your Force Majeure Clauses Up to Date?
A French term that literally translates as “greater force,” force majeure is included in contracts to remove liability for natural and unavoidable catastrophes. It protects both parties in the event that the obligations of a contract can’t be performed due to causes outside their control, such as natural disasters that could not be avoided through the exercise of due care. Precedent shows that courts tend to interpret these provisions narrowly. As a result, companies often include detailed language in their contracts specifying which events qualify, whether those events must be unforeseeable, what counts as beyond a party’s control, and the degree of care required to prevent or mitigate their effects.
Force majeure clauses tend to evolve with each new threat or unforeseeable risk. For example, in response to the tragic events of September 11, 2001, many companies began to include “terrorism” and “terrorist threats” in their force majeure clauses.
Accordingly, an important starting point for addressing concerns about cyber attacks and their effects on an organization’s rights and obligations is adjusting the force majeure clause. There are a number of ways to achieve this goal, depending on business needs and current contract language. An update may be as simple as adding “cyber attacks” to the list of events, if the language of the force majeure clause supports the addition.
However, where the clause limits force majeure events to those that are both beyond the parties’ control and unforeseeable, it can be argued that cyber attacks do not qualify, because their prevalence makes them foreseeable; simply adding them to the list may therefore not be enough. Additionally, vendors may resist a change to the force majeure definition because of how it affects their own obligations.
Conversely, including changes that excuse the vendor’s performance with a time limit and an obligation to mitigate the impact may be better received. Contracting parties must also consider payment excuses, suspension, and scope during drafting. Edits to the force majeure clause must be negotiated between parties to arrive at a solution that both are comfortable with and will not compromise the nature of the agreement.
Should You Have a “Cyber Attacks” Clause?
Another option is to remove cyber attacks from the force majeure clause and either draft a provision of the contract specifically addressing cyber attacks, or include it elsewhere in the agreement. Considerations when drafting this provision should include the following:
- Define “cyber attacks,”
- Outline each party’s rights and obligations, and
- Reconcile it with other clauses in the agreement, namely the force majeure clause.
A dedicated provision allows the parties to flesh out fault diagnosis and isolation, problem identification, software “fixes,” third-party vendor obligations, and other remedial measures.
What about Service Level Agreements?
Service level agreements (“SLAs”) are a vendor’s performance assurances, laying out the metrics by which services are measured and the remedies or penalties, if any, that apply when the agreed-upon levels aren’t met. SLA provisions can be another place to mitigate payment and performance issues: by outlining termination rights, by making the SLAs the basis for express warranties, and by adjusting the basis for refunds such as service interruption credits. SLA terms and exclusions may conflict with, or undermine, the force majeure clause, so make sure to reconcile these provisions.
Conclusion: Updating Contracts Can Help, But Proactive Threat Intelligence is Critical
As this discussion illustrates, updating contracts on a regular basis is important for any organization. Other contract provisions, such as disaster recovery obligations, may provide added protection. Identifying the potential impact to critical infrastructure and operations – and the chain reaction this may set off with partners and customers – is an important consideration in this exercise.
While contract updates can protect your organization after an attack, using global threat intelligence to detect potential cyber attacks before they occur can help you avoid many of these issues. In our upcoming blog posts, we’ll explore this topic in more detail.