Can an IT vendor be held liable for a ransomware attack?

It is increasingly common for hackers to hold company software hostage using so-called "ransomware". The ransomware is often acquired accidentally by clicking on a link in a spam e-mail, or because hackers deliberately manage to infiltrate (often outdated) software. Since virtually all software, files and data are held hostage by the ransomware, the financial consequences for the company are often huge. To prevent further damage, in many cases a ransom is paid (often in Bitcoins), in exchange for a decryption key to regain access to the software and data.

Date: November 09, 2021

Modified November 14, 2023

Written by: Joost van Dongen

Reading time: +/- 2 minutes

But who is actually liable for such an attack? Can an IT supplier be liable for its customer's damages as a result of a ransomware attack? Or is it only the business owner itself that must pay for the consequences? In an issue recently before the Amsterdam Court of Appeal (ECLI:NL:GHAMS:2021:508), the court considered this question.  

What was going on?

In the aforementioned matter, a conflict had arisen between an ICT supplier and a (former) customer who had fallen victim to a ransomware attack. The ICT supplier had delivered software for the client and, in return for payment, had also performed monthly management and maintenance activities on the basis of a Service Level Agreement (SLA). Part of this SLA was that the ICT supplier would maintain an adequate backup system.

In March 2016, the customer announces its desire to terminate the agreement with the ICT supplier. As of March 2016, the ICT supplier then prepares the transfer of the management and maintenance of the software. In April 2016, the customer notifies that it will enter into an agreement with a new party. The SLA with the ICT supplier is then permanently terminated on June 21, 2016. All software access codes are provided to the customer on this date. In addition, the ICT supplier also prepares a handover report describing, among other things, the backup system. However, although the former ICT supplier actually stopped its operations on June 21, 2016, the new ICT supplier starts its operations (only) on August 1, 2016.

The customer is then hit by a ransomware attack on July 19, 2016 (that is, in the gap between the two suppliers). The ransomware makes it impossible to use the software, and the customer is forced to pay the hackers €1,371.21 in Bitcoins on July 26, 2016 to unblock it. The hackers then give the decryption key to the customer on July 29 so the software can be released.

What does the client claim?

In the proceedings before the subdistrict court, the client claims payment of over €18,000.00. This is because the client takes the position that the ICT supplier has failed to comply with the SLA and is therefore liable for the damage it has suffered as a result. In particular, the damages are due to the ICT supplier's alleged failure to have adequate backups of the software, as a result of which the encrypted software could not be immediately restored. For its part, the ICT supplier claims payment of an invoice for the extra work it had to perform because of the ransomware attack.

What does the district judge rule?

The Subdistrict Court rejected the client's claim and allowed the ICT supplier's claim. The Subdistrict Court ruled that the client itself had chosen to allow the new ICT supplier to start working only on August 1. The consequences of this are therefore entirely at the expense and risk of the client. In addition, it is insufficiently substantiated that no adequate backups would have been made by the ICT supplier. The client disagrees with this judgment and appeals.

What does the court rule?

The Court of Appeal ruled otherwise, finding that the lack of backups did constitute a breach of the SLA. Because of the lack of these backups, the client could not respond adequately to the ransomware attack. The fact that there was in fact no longer an agreement between the client and the ICT supplier does not alter this. However, the Court of Appeal did rule that the fact that the customer could be hacked can to a large extent be attributed to the customer himself. The client must therefore bear 2/3 of the damage himself.

Practical tips for practice

Companies are increasingly dependent on software for the operation of their business. It is therefore crucial that they are well prepared in the event of a ransomware attack. The moment you enter into an agreement with an IT supplier, you should therefore make clear agreements about implementing damage control measures and performing regular backups. For example, how quickly should the IT supplier respond, what concrete actions will be taken and how often will backups be made? You should also consider who is liable, and when. Are you switching ICT suppliers? Avoid situations where you are without support, and check whether backups are up to date. It is precisely in these situations that you are vulnerable, and it is often difficult to successfully recover any damage from the former ICT supplier.

Do you have questions about drafting ICT contracts or would you like legal advice in the event of a ransomware attack? If so, please contact one of our specialists Valerie Lipman or Joost van Dongen.

This page was last updated on August 8, 2023.
