IT service provider liable for damages caused by ransomware

Written on 15 Jul 2020

A ruling of the Dutch Court of Amsterdam has been published in which an IT service provider was liable for damages caused by a successful ransomware attack on one of its customers. Even though the customer refused to follow the IT service provider's advice on certain security measures, the court ruled that the IT service provider did not warn sufficiently for the related risks and had to reimburse part of the damages.

What happened?

An administrative office requested an IT service provider to set up and maintain the office's IT infrastructure. Parties agreed on a "total package", but neglected to specify the details in writing.

The administrative office subsequently became victim of a ransomware attack, resulting in hackers being able to encrypt all computer files (including back-ups). As a result, the office was not able to continue to operate its business anymore. The encrypted files would be released after payment of around 3 Bitcoins (equalling a value of ± €3,000 at that time).

Results from the following external investigation showed that the attack could have been prevented with relatively simple (technical) preventive measures, such as a decent firewall and the installation of appropriate (physically separated) back-ups. None of these measures was put in place. Following the outcome of the investigation, the administrative office filed a lawsuit against the IT service provider to recover its damages.

Arguments made

The administrative office argued that it entrusted its complete IT infrastructure to the IT service provider – and it considered IT security to form part of that service. The provider was considered an expert, was aware of the customer processing of sensitive data and should, therefore, have advised and acted accordingly.

The IT service provider, on the other hand, argued that network security was not considered part of the services agreed by parties. Furthermore, it actually advised using strong passwords, a firewall and external back-ups, but these recommendations were neglected by the administrative office for reasons of costs and practicality. The IT service provider proceeded accordingly. According to the IT service provider, the administrative office accepted the risks associated with these choices and was therefore the party to blame.

As parties did not put the details of the agreement in writing, the court had to determine whether it could reasonably be expected that the security measures were part of the "total package".

The court considered the IT service provider to be primarily responsible for the arrangement of proper security measures. Customer's rejection of certain security measures did not relieve the IT service provider of its responsibility to ensure proper IT security. According to the court, the IT service provider could also have: (i) refused the assignment, (ii) proposed alternatives or, (iii) at least, warn its customer explicitly and repeatedly on the risks involved, rather than simply continuing with the agreed way forward.

Although the usage of weak passwords by the administrative office did not relieve the IT service provider from its responsibility, the court considered this to a relevant element while determining the amount of damages to be reimbursed.

The ruling

The court ruled that the IT service provider had to pay two thirds of the damages caused by the ransomware, being the sum of: (i) Bitcoins paid to the extortionist, (ii) the costs of the external IT security audit, and the (iii) administrative office's lost revenue during the period in which it was not able to carry out its activities.

Why this matters

  • IT service providers have a far-reaching duty to ensure the proper implementation and security of the IT service and/or network they maintain. They must act pro-actively and send clear and repetitive warnings about the consequences of a customer's choice.
  • If a customer ignores the warnings, or if the IT security risks are considered too high, the IT service provider should consider refusing the assignment.
  • If parties neglect to agree on detailed written arrangements, the court will determine what is considered a "reasonable" division of responsibilities. The likelihood is that the IT service provider, as the expert, will be the party that is taking most risks.
  • Using weak passwords may result in a successful argument that (at least) part of the damages will be considered the customer's own fault.

The ruling can be found here (only in Dutch).