28 Jun '22
On 9 March 2022, the District Court of Overijssel has ruled in a case between Cottoncounts, a company trading in home furniture, and CCG Retail, a software company. The server of Cottoncounts had been hacked, after which all company data was encrypted by means of ransomware and thousands of product and atmospheric photos of articles from its range were lost. Cottoncounts held CCG Retail liable for this, because it had built the IT infrastructure (or at least had it built) and had inadequately secured it (or at least had it secured). The claim involved € 29,246.94. A 'purchase and service agreement' had been concluded between Cottoncounts and CCG Retail, on the basis of which a 'total package' had been agreed with regard to the software.
The court first ruled on the question of whether the security of the network by CCG Retail was also part of the purchase and service agreement. There is no provision for this in the agreement, so the court must therefore answer this question on the basis of facts and circumstances.
The court ruled that it is difficult to imagine that a total package was agreed upon that did not include security. CCG Retail had the responsibility towards Cottoncounts to make security part of the total package or else explicitly discuss with Cottoncounts that security would precisely not be part of the package. In the latter case, Cottoncounts could then have provided security in a different way. The fact that CCG Retail outsourced the hosting of the server to another company does not relieve CCG Retail of its responsibility to ensure adequate security of Cottoncounts' data.
Next, the court ruled that CCG Retail did fail with one of the servers and not with the other server. On the one server, backups were made every two weeks, which is not unusual in the IT industry. These backups ensured that the loss of company data was ultimately limited. This was not the case with the other server. On this server product and atmospheric photos of the furniture company were stored. According to the judge, CCG Retail knew or should have known that keeping the product and atmospheric photos was of great importance to the furniture company.
Next, the judge addresses Cottoncounts' claim for damages. CCG Retail is liable in principle for Cottoncounts' damages. Cottoncounts claims various items of damages. The judge ultimately awards an amount of €7,000.- as compensation for the loss of product and atmospheric photos. Also, an amount of € 272,25 is allocated as compensation for the repairs made to one of the servers.
If a software company agrees a 'total package' with the customer without explicitly making agreements about security, the software company cannot hide behind the fact that no agreements were made about security. If software suppliers are unwilling to assume this responsibility, they must therefore indicate this explicitly and be clear with the customer about what they do and do not supply on this point. Outsourcing these services to a third party does not relieve software suppliers of their responsibility for adequate data security. If things go wrong, the software company may have to pay for some of the damage.
Do you have any questions about what this judgment could mean for your business or organization? If so, feel free to contact us.
Contact
11 Nov 24
14 Oct 24
13 Oct 24
07 Oct 24
13 Aug 24
13 Aug 24
04 Jun 24
13 May 24
02 May 24
08 Apr 24
04 Apr 24
21 Mar 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.