https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Cyber/hacking-3112539_960_720.png

Hacked: who pays the bill?

28 Jun '22

On 9 March 2022, the District Court of Overijssel has ruled in a case between Cottoncounts, a company trading in home furniture, and CCG Retail, a software company. The server of Cottoncounts had been hacked, after which all company data was encrypted by means of ransomware and thousands of product and atmospheric photos of articles from its range were lost. Cottoncounts held CCG Retail liable for this, because it had built the IT infrastructure (or at least had it built) and had inadequately secured it (or at least had it secured). The claim involved € 29,246.94. A 'purchase and service agreement' had been concluded between Cottoncounts and CCG Retail, on the basis of which a 'total package' had been agreed with regard to the software.

Software company responsible for security?

The court first ruled on the question of whether the security of the network by CCG Retail was also part of the purchase and service agreement. There is no provision for this in the agreement, so the court must therefore answer this question on the basis of facts and circumstances.

The court ruled that it is difficult to imagine that a total package was agreed upon that did not include security. CCG Retail had the responsibility towards Cottoncounts to make security part of the total package or else explicitly discuss with Cottoncounts that security would precisely not be part of the package. In the latter case, Cottoncounts could then have provided security in a different way. The fact that CCG Retail outsourced the hosting of the server to another company does not relieve CCG Retail of its responsibility to ensure adequate security of Cottoncounts' data.

Next, the court ruled that CCG Retail did fail with one of the servers and not with the other server. On the one server, backups were made every two weeks, which is not unusual in the IT industry. These backups ensured that the loss of company data was ultimately limited. This was not the case with the other server. On this server product and atmospheric photos of the furniture company were stored. According to the judge, CCG Retail knew or should have known that keeping the product and atmospheric photos was of great importance to the furniture company.

Damages

Next, the judge addresses Cottoncounts' claim for damages. CCG Retail is liable in principle for Cottoncounts' damages. Cottoncounts claims various items of damages. The judge ultimately awards an amount of €7,000.- as compensation for the loss of product and atmospheric photos. Also, an amount of € 272,25 is allocated as compensation for the repairs made to one of the servers.

And Now?

If a software company agrees a 'total package' with the customer without explicitly making agreements about security, the software company cannot hide behind the fact that no agreements were made about security. If software suppliers are unwilling to assume this responsibility, they must therefore indicate this explicitly and be clear with the customer about what they do and do not supply on this point. Outsourcing these services to a third party does not relieve software suppliers of their responsibility for adequate data security. If things go wrong, the software company may have to pay for some of the damage. 

Questions?

Do you have any questions about what this judgment could mean for your business or organization? If so, feel free to contact us. 

Contact

Attorney at law, Partner

Dorine ten Brink

Expertises:  Contract law, Arbitration, Privacy law, IT-Law, Cybersecurity , Transport and Logistics, Commercial Contracts, E-commerce, German Desk,

Attorney at law, Partner

Matthijs Gardien

Expertises:  Contract law, Litigation, IT-Law, Cybersecurity , Privacy law, Start-up and Scale-up, Commercial Contracts, E-commerce, Artificial intelligence,

Attorney at law

Bine Schoenmaker

Expertises:  IT-Law, Privacy law, Contract law, Technology, Media and Telecom, Healthcare, Artificial intelligence, Commercial Contracts,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Subject(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.