Hacked: who pays the bill?

28 Jun '22

On 9 March 2022, the District Court of Overijssel ruled in a case between Cottoncounts, a company trading in home furniture, and CCG Retail, a software company. The server of Cottoncounts had been hacked, after which all company data was encrypted by means of ransomware and thousands of product and atmospheric photos of articles from its range were lost. Cottoncounts held CCG Retail liable for this, because it had built the IT infrastructure (or at least had it built) and had inadequately secured it (or at least had it secured). The claim involved € 29,246.94. A 'purchase and service agreement' had been concluded between Cottoncounts and CCG Retail, on the basis of which a 'total package' had been agreed with regard to the software.

Software company responsible for security?

The court first ruled on the question of whether the security of the network by CCG Retail was also part of the purchase and service agreement. The agreement contains no provision on this, so the court must answer this question on the basis of the facts and circumstances.

The court ruled that it is difficult to imagine that a total package was agreed upon that did not include security. CCG Retail had the responsibility towards Cottoncounts to make security part of the total package or else explicitly discuss with Cottoncounts that security would precisely not be part of the package. In the latter case, Cottoncounts could then have provided security in a different way. The fact that CCG Retail outsourced the hosting of the server to another company does not relieve CCG Retail of its responsibility to ensure adequate security of Cottoncounts' data.

Next, the court ruled that CCG Retail had failed with regard to one of the servers but not the other. On one server, backups were made every two weeks, which is not unusual in the IT industry. These backups ensured that the loss of company data was ultimately limited. This was not the case with the other server, on which the furniture company's product and atmospheric photos were stored. According to the judge, CCG Retail knew or should have known that keeping the product and atmospheric photos was of great importance to the furniture company.

Damages

Next, the judge addresses Cottoncounts' claim for damages. CCG Retail is liable in principle for Cottoncounts' damages. Cottoncounts claims various items of damages. The judge ultimately awards an amount of € 7,000 as compensation for the loss of product and atmospheric photos. In addition, an amount of € 272.25 is awarded as compensation for the repairs made to one of the servers.

And Now?

If a software company agrees a 'total package' with the customer without explicitly making agreements about security, the software company cannot hide behind the fact that no agreements were made about security. If software suppliers are unwilling to assume this responsibility, they must therefore indicate this explicitly and be clear with the customer about what they do and do not supply on this point. Outsourcing these services to a third party does not relieve software suppliers of their responsibility for adequate data security. If things go wrong, the software company may have to pay for some of the damage. 

Questions?

Do you have any questions about what this judgment could mean for your business or organization? If so, feel free to contact us. 

Contact

Attorney at law, Partner

Dorine ten Brink

Expertise: Contract law, Arbitration, Privacy law, IT-Law, Cybersecurity, Transport and Logistics, Commercial Contracts, E-commerce, German Desk

Attorney at law, Partner

Matthijs Gardien

Expertise: Contract law, Litigation, IT-Law, Cybersecurity, Privacy law, Start-up and Scale-up, Commercial Contracts, E-commerce, Artificial intelligence

Attorney at law

Bine Schoenmaker

Expertise: IT-Law, Privacy law, Contract law, Technology, Media and Telecom, Healthcare, Artificial intelligence, Commercial Contracts
