Ransomware and Responsibility: Legal Implications for IT Service Providers

16. 10. 2025

Ransomware attacks remain a problem across industries, with technology providers facing particularly complex legal implications. Decisions about payment, the implications of refusing, and potential data exposure are rarely straightforward, and the legal ripples can outlast the incident.

The attack itself usually freezes the servers, makes the information stored on them available to the attackers, and prevents the company from operating for up to several days. Often the ransom message comes with the additional threat that the exfiltrated information will be made public. All of this can bring multifaceted adverse legal consequences.

Brief legal landscape

Ransomware attacks may trigger a range of legal obligations: from national laws, including those implementing EU directives such as the Directive on measures for a high common level of cybersecurity across the EU (NIS2 Directive)[1], to EU regulations that apply directly, such as the General Data Protection Regulation (GDPR)[2], and even international frameworks like the Budapest Convention on Cybercrime.

Such obligations include potential civil liability towards partners, potential criminal liability of management, the burden of tracing and prosecuting the attackers, efforts to mitigate damage and recover information, and the prospect of widespread data leakage. Many companies are also under reporting obligations to the owners of the stolen data or to administrative bodies, which, if not fulfilled, can give rise to liability or public fines.

However, one cannot forget the contractual obligations resting on the company.

As the dust settles and the company recovers from the attack, it is worth revisiting client agreements and ascertaining the legal risks related to contractual obligations that the company might face as a result of the attack.

Many of the services agreements tech companies conclude with clients contain confidentiality clauses fortified with a penalty clause for violations. A violation of such obligations might materialize, especially if the hackers try to sell or publish the information online.

Some contracts also contain guarantees related to the security of the servers or of the confidential information stored on them, backed by liability rules, although the effective enforcement of such clauses is not always straightforward under Polish law, as we have previously mentioned in our post on Drafting R&W liability clauses under Polish law.

Lastly, as the ransomware attack prevents the company from operating normally, another set of legal risks arises in relation to contractual non-performance. A client unhappy with such a situation may be inclined to pursue their rights through dispute proceedings.

Mitigating measures

Among the defenses raised against such allegations is force majeure, but the effectiveness of that defense is far from settled.

Polish law, in contrast to some other civil law jurisdictions, does not define force majeure in its civil code. Force majeure is an open-ended term defined for the purposes of particular proceedings. Courts, however, generally recognize three necessary elements to qualify an event as force majeure: (1) the event is outside the control of the party, (2) it is impossible to predict, and (3) neither the event nor its harmful results can be prevented[3].

So, can a ransomware attack qualify as force majeure?

As lawyers love to say, it depends; in this case, above all, on the contract.

In commercial relations, parties are free to define force majeure in the contract as they see fit. Usually parties soften the requirements by including reasonableness qualifiers (e.g., reasonably unforeseeable, reasonably unpreventable) rather than absolute impossibility, and supplement the definition with a list of events that qualify as force majeure, such as war, terrorist attack, or floods. The definition, however, still leaves a wide margin of interpretation when considering whether a ransomware attack could qualify as force majeure.

The scale of the attack can also matter. In the U.S. case Heritage Valley Health System, Inc. v. Nuance Communications, Inc. (W.D. Pa. 2020), the court noted (in dicta) that the 2017 NotPetya ransomware, widely attributed to a state-backed operation by Russia and affecting many other companies and organizations worldwide, was arguably beyond a vendor's reasonable control.[4]

But there is a counterweight: foreseeability. The threat of cyberattacks has become a part of our reality, which makes it harder to say an incident was truly unforeseeable.

This would be particularly challenging for technology providers, especially those operating in or adjacent to cybersecurity, because their expertise in the topic would raise the standard of what the company could reasonably foresee and prevent.

Another set of challenges for tech companies providing cybersecurity solutions appears when it is their client whose servers are attacked with ransomware. If the client is the one hit by ransomware, the provider's own performance often comes under the microscope, with the potential for claims to follow. A force majeure defense in such a case might not always succeed, as some courts might find a computer virus neither unpredictable nor irresistible, as the Paris Court of Appeal has held.[5]

Broadly defined force majeure clauses might be one way to minimize the legal effects of an attack, but not the only one.

  • Prevention is always better than cure, so ensure that all personnel are sufficiently trained in ransomware avoidance.
  • Have a clear action plan on what to do and whom to contact in case of an attack.
  • Consider buying insurance covering cyber-related risks and legal costs.
  • If you want to avoid publicity, include arbitration clauses in your contracts to ensure confidentiality in case of legal disputes.
  • Finally, when under attack, preserve all the evidence: logs, correspondence with the intruder, network captures, malware samples, backups, disk images of the affected systems and anything else related to the attack. This will help in any potential civil disputes.

A ransomware attack is not easy for a company, and the legal claims it can cause might not be either, so stay mindful of the risks and keep trusted guidance within reach.

By Aleksandra Kozerska and Alexey Pirozhkin


[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[3] See for instance: Wyrok SA w Lublinie z 19.11.2019 r., III APa 15/19, LEX nr 2750252.

[4] Heritage Valley Health System, Inc. v. Nuance Communications, Inc. (W.D. Pa. 2020) https://law.justia.com/cases/federal/district-courts/pennsylvania/pawdce/2:2019cv01535/261980/24/.

[5] Paris Court of Appeal, Div 5, Ch 11, Judgment, 7 February 2020, No 18/03616, Mise à jour informatique v E.X.M. Euro et Expertise Monétique.

© 2025 Queritius