CYBER security is a growing risk for all businesses, and cyber security issues need to be placed on the management board’s agenda sooner rather than later.
Leaving aside damage to reputation, loss of trade and potential data protection and other regulatory issues, businesses should be aware of the significant potential litigation risks that arise out of cyber attacks.
Cyber security attacks are hitting the headlines with worrying regularity. Increasingly, any business that retains information about its customers, especially financial details, represents a potential target for hackers, and the attacks themselves are becoming increasingly sophisticated. As a law firm, we have had to realise that hackers may target us, in view of the valuable client data, as well as monies, that pass through our systems. With this in mind, we have had to take steps to address the ever-growing threat of being targeted by hackers by asking ourselves whether our systems have any vulnerabilities.
A business that suffers a successful attack of this nature may be liable to its customers for breach of contract. Businesses can be heavily exposed to claims if, as a result of any attack and the disruption it causes, they fail to fulfil contractual obligations unrelated to cyber security.
It is also possible that, in some businesses, the occurrence of the attack itself may be sufficient to be a breach of an express or implied term that customer data would be stored securely and with due care.
A business’s contractual commitments and requirements should, therefore, be considered in the context of cyber security. Under English law, contractual obligations cannot easily be avoided. Unless one party can successfully argue that a cyber attack has caused a contract to be frustrated because a material change in circumstances has rendered it physically or commercially impossible to perform (which is a difficult argument to run, not least because the doctrine of frustration is usually construed narrowly by the courts), then the only other way for a party to avoid performing its contractual obligations without incurring liability would be to invoke a force majeure clause.
Accordingly, in the absence of a force majeure clause that specifically contemplates failure to perform as a consequence of cyber security issues, even relatively minor interruptions can result in liability for breach of contract.
A force majeure clause deals with the happening of events outside the control of the contracting parties. It is usual for parties to provide in a contract that such events will not make the defaulting party liable if they prevent it from performing its obligations.
Whether or not a cyber attack amounts to an event of force majeure will depend on the actual wording of the relevant force majeure clause.
Against this background, prudent businesses would be well advised to conduct a regular audit of their key existing and outbound customer agreements in the context of cyber security risk to ensure that, so far as is legally permissible, liability as a result of failure to deliver for cyber security reasons is addressed and limited.
Christopher Buck is a Solicitor and Associate Partner in the Corporate Commercial department of Franklins Solicitors LLP, which has offices in Milton Keynes and Northampton. Christopher seeks to provide cost effective solutions to businesses and can be contacted on 01908 660966 or email
By Christopher Buck
Associate Partner
Franklins Solicitors LLP
