Cyberattacks on the nation’s critical infrastructure are becoming more frequent, more severe, and more dangerous. The Wall Street Journal reported that the growing trend of cyberattacks is “part of a growing criminal pivot from stealing data to hobbling operations via ransomware, where companies are hit with demands for million-dollar payments to regain control of their operating systems.” In May of 2021 alone, cyberattacks shut down the nation’s largest pipeline, responsible for supplying nearly 50% of the East Coast’s diesel, petrol, and jet fuel; the world’s largest meat supplier; and San Diego-based Scripps Health’s electronic medical records, radiology, and other systems. These events are emblematic of a shift away from cyberattacks that seek profit from identity theft toward “industrial-scale hacking” aimed at obtaining ransoms paid in cryptocurrency. As a result, any “company that relies on their information technology to provide a good or a service is a target,” and manufacturers, chemical companies, and other nontraditional companies are “being hit more frequently than four or five years ago.”
The increase in frequency, severity, and danger of these attacks has given rise to a related increase in litigation. With businesses operating in critical business sectors—which are heavily reliant on supply chains—becoming more appealing targets of cyberattacks, litigation arising out of the failure to satisfy contractual obligations owed to vendors, suppliers, and consumers is likewise becoming more frequent, more complicated, and more expensive. As such, cyberattack victims are now bearing increasingly significant legal exposure, an item we previously discussed in “COVID-19-Related Supply Chain Breakdowns Lead to Increased Risk of Cyberattacks.”
Businesses operating in the energy, financial services, healthcare, critical manufacturing, and other critical infrastructure sectors must prepare for the legal challenges that can arise from cyberattacks. But, as the saying goes, “an ounce of prevention is worth a pound of cure.” This article outlines crucial steps businesses can take to insulate themselves from liability before a cyberattack occurs.
Force majeure clauses are contractual provisions that relieve parties of their contractual obligations due to circumstances beyond both parties’ control. These provisions usually “vary in specificity and can cover acts of war, natural disaster, and government orders.” However, economic hardship alone or difficulty of performance generally do not qualify as force majeure events. What is needed, generally, is an event that makes the parties’ performance of their contractual obligations “objectively impossible.”
As seen with the Colonial Pipeline and JBS cases, cyberattacks can and often do result in the shutdown of an affected company’s operations. These shutdowns are necessitated by public health and safety concerns along with usually immediate governmental intervention. And because these attacks are outside of a party’s control, they likely qualify as force majeure events.
As such, energy, manufacturing, financial services, and other entities that provide critical infrastructure services and bear legal exposure due to their place in supply chain networks should review their force majeure clauses to ensure that they effectively balance risk in the case of a cyberattack. Relatedly, such parties should also review contractual provisions that function similarly to force majeure clauses, e.g., commercial impracticability of performance, material adverse change, impossibility, etc. Moreover, such businesses should also consider redrafting these clauses to include cyberattack as a force majeure event. Doing so removes doubt as to whether such an attack would qualify as a force majeure event. However, attention should be paid to how redrafting these provisions may impact contract negotiations, as expanding the definition of force majeure events can force price increases due to the reallocation of risk.
In addition to force majeure clauses, two other types of contractual provisions should be examined: consequential damages waivers and liquidated damages clauses. Consequential damages, as opposed to direct damages, do not directly arise from a contractual breach but are a foreseeable consequence nonetheless. Waivers of these types of damages are frequently added to commercial contracts. Liquidated damages provisions, often seen in construction contracts, also seek to regulate the type of relief an aggrieved party may seek. These clauses provide that, in the event of a breach, a party’s damages may be speculative or otherwise difficult to calculate. In such an event, the parties agree to a set sum that will represent the aggrieved party’s damages.
Given the disruptions that can be caused by a cyberattack, businesses should consider if and how waivers of consequential damages and liquidated damages provisions are or can be used in their contracts. To that end, a business should consider whether a waiver of consequential damages either immunizes it from liability or prevents it from recovering loss occasioned by a counterparty’s breach due to cyberattack. For example, businesses at greater risk of failing to satisfy obligations to vendors, suppliers, or other contractual counterparties should consider more robust waivers of consequential damages. Similarly, businesses relying on contractual counterparties that are at greater risk of cyberattack should consider a limited waiver or even the elimination of such a provision altogether. Likewise, if a business utilizes a cybersecurity service provider, consideration should also be given to the ramifications of any consequential damages waiver present in the service contract with the provider.
Similarly, contracting parties should consider the use of narrowly tailored liquidated damages provisions that set a particular sum of money as an aggrieved party’s damages for a contractual breach caused by a cyberattack. These provisions may be particularly useful because the consequences of a cyberattack are often hard to predict. Depending on the size of the liquidated damages sum, these provisions could be appealing to businesses exposed to large liabilities caused by the inability to satisfy many of their contractual obligations.
An additional contractual consideration concerns the possibility of adding an exculpatory clause that specifically addresses cyberattack. Usually, an exculpatory clause immunizes a party from liability arising from a contract except where such liability is caused by gross negligence or willful misconduct.
Exculpatory clauses are less common in arm’s-length contracts between two parties. However, that should not deter parties from exploring the inclusion of such clauses. For example, a “cyberattack exculpatory clause” could immunize a party from liability caused by its failure to perform certain obligations due to cyberattack. Excluded from such immunity would be liabilities caused by the party’s failure to take reasonably prudent steps to protect against cyberattack, such as engaging a cybersecurity vendor, implementing security protocols, etc.
It is important to note that an exculpatory clause can greatly impact the contractual allocation of risk. As such, the inclusion of such a clause could affect the value of a contract or other terms. Nevertheless, where a party bears great potential exposure from a cyberattack, the cost of including an exculpatory clause can easily be justified.
Every business should have cyber insurance, which insures against the financial consequences of a cyberattack. These policies can cover a large swath of items, ranging from the recovery of electronic data to forensic analysis of the attack to indemnity and defense in the (likely) event that litigation is commenced after a cyberattack. As with all insurance policies, the scope of the policy along with its limits will vary on a case-by-case basis.
Virtually all businesses rely on computer networks to conduct business, which leaves them exposed to the risk of a cyberattack. Reasonably prudent business practices thus dictate the absolute necessity of obtaining a cyber insurance policy. Indeed, the failure to obtain such insurance could easily expose a business’s directors and officers to claims of breach of fiduciary duty. As a result, businesses—along with their risk managers—must evaluate both the scope and policy limits of such insurance.
Much like maintaining a cyber insurance policy, companies at risk of cyberattack should also retain a cybersecurity firm. Cybersecurity specialists play an integral role in minimizing legal exposure in the event of an attack by monitoring, detecting, and establishing security protocols for a company’s information infrastructure. These firms can help identify areas of exposure and implement mitigation to help avoid the prospect of a cyberattack.
As a matter of best practices, every company should engage some form of cybersecurity protection, which provides an added layer of defense in the unfortunate event of litigation arising out of a cyberattack. The affected business can point to its retention of a cybersecurity firm as evidence of its acting in a reasonable and prudent manner or as evidence that its actions were not a cause of loss.
Finally, should a cyberattack occur, it is imperative that the affected business onboard a suite of professionals as soon as possible to help mitigate the consequences. Cybersecurity firms should be engaged to conduct a forensic analysis of the cause of the attack, recover any lost data, and bring the company’s networks back online. Alongside the cybersecurity firm, the company’s insurance carrier(s) and/or broker(s) should be brought into the fold as well. This enables a prompt determination of the scope of loss and facilitates an expeditious resolution of the company’s claim. Legal counsel should also be brought on board—they can help manage the investigation into the cause of the attack, begin preparation of the company’s defense, pursue claims against those who may bear some responsibility for causing the attack, and otherwise mitigate resulting litigation risks.