On May 10th, the Overijssel District Court ruled that the Hof van Twente municipality is not entitled to its 2020 cyberattack damage claim. During the incident, the cyber criminals encrypted the municipality’s systems and backups and deleted a swath of virtual servers. Hof van Twente refused to cough up the €750,000 in ransom money to the hackers, resulting in the crash of their entire IT infrastructure. They then turned around and blamed their IT service provider – Switch IT – demanding four million euros in compensation. Many companies and institutions were flabbergasted by the claim’s rejection but also saw it as a wake-up call. And that’s why I’d like to explain what happened, including what the IT service provider’s role is in a situation like this.
Duty of care is codified in Dutch law. That means service providers, e.g., IT companies, must exercise due care when acting as responsible service providers (Art. 7:401 of the Dutch Civil Code). In other words, how would a competent, reasonable professional have acted in the same situation? This topic bears consideration because it is often appealed to by parties who haven’t sufficiently covered their bases in writing. And this was precisely what happened in the case of Hof van Twente Municipality vs. Switch IT.
IT service providers must consider the interests of third parties. That’s only logical, given that IT service providers are often a link in the chain to their own clients’ customers. Consequently, terminating a contract could affect the whole chain, not just the direct client. In PinkRoccade vs. Uniface, the court ruled that the interests of the rest of the chain outweighed those of the terminating party (the IT service provider). The IT provider could not terminate the contract, especially because of the security risks involved.
No system is 100% secure (Arnhem-Leeuwarden Court of Appeals, 09-04-2018). Theoretically, any IT infrastructure could be hacked. Consequently, an IT service provider cannot offer any guarantees of that order; however, they may be held responsible or liable in the event of an attack.
Simply warning the client about security risks doesn’t always mean the IT service provider is in the clear. For example, the O’Cliance case ruled that the IT service provider had violated its duty of care by failing to take sufficient security measures. The court decided that the ‘all-in plan’ sold could reasonably be expected to include the recommended security measures. Refusing to make the recommended security measures available does not exempt a service provider selling an ‘all-in plan’ from its duty of care.
In Hof van Twente Municipality vs. Switch IT, the court ruled that Switch IT had not violated its duty of care based on the European tender and a separate duty of care. This was due to several key factors:
Hof van Twente claimed that tens of thousands of login attempts were made on the municipality’s servers – login attempts not reported by the IT service provider. Monitoring server, storage, and network facilities had been stipulated by the contract parties. Unauthorized login attempts and/or brute-force attacks would only trigger a functional monitoring alert if the network’s capacity, performance, and availability were affected. According to the Court, the municipality had claimed but failed to substantiate that this was the case here. The municipality had attempted to go through the Baseline Informatiebeveiliging Overheid (BIO) [Baseline Data Security Authority and Baseline’s predecessor – BIG – to impose the security monitoring requirements on the IT service provider as a duty of care. But the court disagreed. That was because the contract stipulated functional monitoring. There was no basis for assuming that the duty of care could arbitrarily be invoked to cover free security monitoring.
The municipality had its own account with administrator rights (i.e., unrestricted access) and 24/7 access to its backup files through an Internet connection under its own administration. Switch IT had warned Hof van Twente about this system’s inherent risks and offered a more secure backup solution. But the municipality rejected the offer citing budgetary constraints. Here, the court ruled that the municipality had hindered the IT service provider from exercising its duty of care.
Hof van Twente had committed several careless acts that left it venerable to the cyberattack, e.g., opening an RDP port in its firewall and setting a weak password. What’s more, the municipality failed to notify Switch IT of these changes.
Security is complex. And these days, a whole host of security services are available on the market. Keeping up with the latest innovations is tough, and so is knowing whether you’re doing it right. This case teaches us that absent (basic) security measures and a failure to report security risks don’t automatically mean that the IT provider is guilty of a duty of care violation.
Forewarned is forearmed. So, pull out your current IT contract and take a good look at exactly what the agreements are. Get good advice, and if shared administration is involved, make sure you have clear agreements on how to report changes. We’d be happy to lend you a hand.
Safety is in the details!
Share article
