Ransomware attack: who is responsible for security and backups?

That a hack can have far-reaching consequences was demonstrated once again a few weeks ago when the computers of a major supplier of Albert Heijn were hacked. As a result, many of the trucks of the supplier in question could no longer deliver, causing a shortage of cheese in supermarkets for days.

Date: May 11, 2021

Modified November 14, 2023

Written by: Valerie Lipman

Reading time: +/- 2 minutes

This is just one of many examples of hacks with ransomware, which are only expected to become more common in the near future. Especially in the manufacturing and logistics sector. A hack can bring the entire production process or transportation to a standstill. Parties in these industries are therefore an interesting target for hackers, as they may be more inclined to pay hackers to prevent further damage. But what about liability for damages resulting from a ransomware attack? And who is responsible for proper security and backups?

First of all, it is of course not true that hacks can be completely prevented. However, adequate security can minimize the risk of hacks. This means regularly updating the software used and constantly checking and adjusting the security measures taken: what is adequate security today may not be tomorrow. In addition, making good backups can ensure that hackers do not have to be paid, since access to data is then not completely lost as a result of a hack. If it is subsequently determined that a ransomware attack could have been prevented by proper security, or that no damage would have occurred if regular backups had been made, the question is who can be held liable for this damage.

In many cases, an IT supplier will have been engaged to supply certain hardware and software or to build an IT infrastructure. Whether ensuring proper security, updating software and making backups is also the responsibility of the IT supplier depends, in principle, on what the parties have contractually agreed. For example, has the IT supplier been given a single specific assignment, or is the IT supplier responsible for the entire IT management? In some cases, clear agreements will have been made. If that is not the case, it must be assessed what the parties could reasonably understand the scope of the assignment to be and what they could mutually expect from each other. The parties' respective expertise also plays a role in determining what they could expect from each other.

If an IT supplier is engaged to provide a total package, it is more likely to assume that this includes security than if a single order is given to an IT supplier for the delivery of a specific component, for example. To avoid discussion, it is important to make clear agreements with an IT supplier about the security measures to be taken, their updating and the responsibility for making backups, for example in a Service Level Agreement (SLA). If the IT supplier is not used for this purpose, at least ensure an internal process under which security measures are checked periodically and backups are made regularly. In this way, damage from ransomware attacks can be prevented as much as possible.
