IT service providers may pick up the bill for a cyberattack
The Digital Age comes with many advantages. One profession that has certainly thrived on the wave of digital transformation is that of the IT service provider. Often an independent consultant, the IT expert's services are much sought after by SMEs and international corporations alike.
But the Internet of Things and our collective existence in the Cloud also come with an elevated cybersecurity risk. Ask the many companies (of all kinds and sizes) that have seen their databases hacked or encrypted by malware and now face tough internal decisions (not to mention inevitable bad publicity) over how to respond to ransomware.
In such cases of cybercrime, managers are likely to look for the root causes of their woes, and more often than not, fingers point in the direction of the IT specialist.
Adding to the exposure, both Belgian and Dutch courts have recently ruled that, in the absence of a written agreement, the quality of IT services is benchmarked against the specific needs of the client. This includes cybersecurity measures.
In addition, the IT service provider bears a heavy duty to inform clients, given the specialised nature of the services provided. This duty naturally extends to cybersecurity risks and the measures required to address them. Neglecting that duty may even entail the nullity of the agreement (for lack of informed consent by the client).
Should a client throw caution to the cyberwind and refuse to have adequate cybersecurity measures implemented, the IT service provider should either refuse the job or inform the client in writing of the risks that the lack of such measures entails.
It is recommended that the client countersign such a written warning, both as an acknowledgement and as a waiver of redress against the service provider should the risks described materialise.
The bill for disregarding these legal considerations may be high. Should the IT service provider be held liable, the calculation of damages, unless otherwise limited or capped by contract, is likely to include lost profits in addition to any costs (such as IT forensics) incurred in relation to the cybercrime.
In summary, in this golden age for their profession, IT service providers should think twice before entering into any business relationship without a proper, written services agreement in place and without taking out professional liability insurance.