MONOLITH LAW MAGAZINE

Damaged by Cyber Attacks. What is the Liability for Damages of System Vendors? Explanation of Contract Document Examples

In recent years, cyber attacks against corporations have been on the rise.

According to a survey by the Japan Network Security Association (JNSA), the share of personal information leak incidents caused by unauthorized access was 4.7% in 2013 but had risen to 20.3% by 2018 (2018 Japanese Information Security Incident Survey Report).

In this article, we will explain the scope of responsibility that system vendors bear when they are subjected to cyber attacks, based on past court precedents. We will also discuss the roles and responsibilities that vendors and users should agree upon in their contracts for joint cyber attack countermeasures, based on model contracts.

Do System Vendors Bear Liability for Damages from Cyber Attacks?

When a company on the user side suffers damage from a cyber attack, the primary party to be held responsible should be the perpetrator of the cyber attack. However, if there is a possibility that the attack was facilitated due to negligence in system development and operation, the user side may be allowed to claim damages against the system vendor.

The grounds for a damage claim against the system vendor include the following:

  • Liability for non-conformity
  • Violation of duty of care

However, there are also cases where fault on the user side contributed to the escalation of the damage. In such cases the user side can be held responsible as well. In actual court cases this has been treated as a ground for comparative negligence, and there have been instances where the damages recoverable from the system vendor were reduced accordingly.

System Vendor’s Liability for Damages and Contract Document Examples

There are three representative examples of IT system contracts between system vendors and corporate users:

  1. Software Development Contract
  2. System Maintenance and Operation Contract
  3. Cloud Service Usage Contract

The liability for damages is determined by the initial contract, so we will explain it for each type of contract below.

Software Development Contract

A software development contract is an agreement made when a company (the user) entrusts the development of its own system to a software vendor.

If a cyber attack on the user’s company reveals vulnerabilities in the software that exacerbate the damage, the user can hold the vendor accountable.

The responsibilities borne by the system vendor vary depending on the type of software development contract, and can be divided into two categories:

  • Contract for service: Liability for non-conformity with the contract
  • Quasi-mandate contract: Breach of duty of care

Contract for Service

A contract for service is an agreement in which the completion of the system is promised, and payment is made for the resulting product.

If the delivered product “does not conform to the purpose of the contract”, the contractor will be liable for non-conformity with the contract (Japanese Civil Code Articles 559 and 562) for a certain period after delivery.

In other words, if a cyber attack easily causes system failure, the product is considered “not conforming to the purpose of the contract”, and the user may claim damages due to liability for non-conformity with the contract.

Whether this claim is recognized depends on the level of software security agreed upon between the parties in advance.

[Example of Liability for Non-Conformity with Contract]

Article X: After the completion of the inspection in the previous article, if a discrepancy (including bugs, hereinafter referred to as “non-conformity with the contract”) is found in the delivered items, Party A may request Party B to perform additional fulfillment (hereinafter referred to as “additional fulfillment”) of the correction of the non-conformity with the contract, and Party B shall perform the additional fulfillment. However, if it does not impose an unreasonable burden on Party A, Party B may perform additional fulfillment by a method different from the method requested by Party A.

2. Notwithstanding the preceding paragraph, if the purpose of the individual contract can be achieved even with the non-conformity with the contract, and if additional fulfillment requires excessive costs, Party B shall not be obliged to perform the additional fulfillment stipulated in the preceding paragraph.

3. If Party A suffers damage due to the non-conformity with the contract (limited to those caused by reasons attributable to Party B), Party A may claim damages against Party B.

Source: Information System Model Transaction Contract (Second Edition)

Quasi-Mandate Contract

In a quasi-mandate contract, liability for non-conformity with the contract does not apply because there is no obligation to complete a product. Instead, the vendor bears the obligation to “handle the affairs of the mandate with the care of a good manager” (duty of care).

If a system failure occurs due to a cyber attack, even if the level of security was not determined at the time of the contract, the development of such a system could be considered a “breach of the duty of care” (Japanese Civil Code Articles 656 and 644), and there is a possibility of a claim for damages.

[Example of Duty of Care]

Article X: Party B shall provide services (hereinafter referred to as “requirement definition creation support services”) to support the creation of requirement definition documents by Party A, based on the information system concept documents, system planning documents, etc. created by Party A, upon concluding an individual contract as specified in Article X.

2. Based on its specialized knowledge and experience in information processing technology, Party B shall perform support services such as research, analysis, organization, proposal, and advice with the care of a good manager to ensure that Party A’s work is smoothly and appropriately carried out.

Source: Information System Model Transaction Contract (Second Edition)

System Maintenance and Operation Contract

A system maintenance and operation contract is an agreement in which a company entrusts a software vendor with the task of maintaining and operating existing software. When entering into a maintenance and operation contract, it is common to include the required security level in the contract document, such as in a business specification document.

If damage occurs due to a cyber attack, and the security level of the system is lower than the level agreed upon at the time of the contract, the vendor may be pursued for breach of contract based on non-performance liability.

However, if the security level is not specified in advance, maintaining and operating a system vulnerable to cyber attacks may be considered a violation of the duty of care, and the vendor may be held responsible.

Cloud Service Usage Agreement

A Cloud Service Usage Agreement is a contract that is concluded when using services provided by a vendor on the cloud. As it is assumed that the vendor will provide the same service to a large number of users, it is common to contract according to the terms of use set by the vendor.

Generally, this contract includes provisions in advance for liability in the event that the service cannot be provided due to a cyber attack.

In a Cloud Service Usage Agreement, the following are typically stipulated at the time of the contract:

  • SLA (Service Level Agreement): Guarantee of quality and operational rules
  • Limitation of Liability Clause: Scope of the vendor’s liability for non-performance of obligations in the event of damage

An SLA is a document that formalizes the level of service the user requires and the operational rules the provider commits to. If the service stipulated there is not provided, the user can claim damages for a partial breach of obligation. In addition, a “Limitation of Liability Clause” may be included in the contract to narrow the conditions under which a claim for non-performance of obligations can be brought against the vendor and, even where liability is recognized, to cap the amount of compensation.

However, as the Limitation of Liability Clause often contains provisions favorable to the vendor, it may be subject to some restrictions under Japanese case law if a dispute arises.

[Example of Limitation of Liability Clause]

Article X: Party A and Party B may claim damages against the other party if they suffer damage due to a cause attributable to the other party in the performance of this Agreement and individual contracts, limited to (XXX damage). However, this claim cannot be made after XX months have passed from the completion date of the acceptance of the deliverables stipulated in the individual contract that caused the claim for damages or the confirmation date of the end of the work.

2. The total cumulative amount of damages for the performance of this Agreement and individual contracts, regardless of the cause of the claim, including non-performance of obligations (including liability for non-conformity), unjust enrichment, tort, etc., shall be limited to the amount of XXX stipulated in the individual contract that caused the cause of liability.

3. The preceding paragraph shall not apply in the case of intentional or gross negligence on the part of the obligor of damages.

Source: Information System Model Transaction Contract (Second Edition)

Criteria for Determining the Scope of Liability for Damages on the System Vendor Side

When a user company suffers damage due to a cyber attack, under what specific circumstances might the responsibility of the system vendor who developed the system be questioned?

In the following, we will explain based on actual court cases where the responsibility of the system vendor was questioned.

Whether Measures in Line with the Technical Level at the Time of Development Have Been Implemented

In actual court cases where responsibility is disputed, it is important whether the system vendor has implemented security measures at the level in accordance with warnings and manuals from government agencies and industry groups at the time of development.

There are court cases like the following where the system vendor was ordered to pay damages for damage caused by a cyber attack.

[Court Case] Tokyo District Court, January 23, Heisei 26 (2014)
User: X Co., a retailer and mail-order seller of interior goods
Vendor: Y Co., which was contracted to design and maintain a web order system

An incident in which the credit card information of 7,000 customers was leaked as a result of a cyber attack

■Judgment
The system vendor was ordered to pay approximately 20 million yen in damages
An amount exceeding the development fee of approximately 2 million yen was awarded
X Co. was also found to be at fault, and a 30% reduction for comparative negligence was applied

■Reason
・The system vendor neglected to implement security measures in line with the technical level at the time.
・Despite having received a risk explanation from the system vendor, the user company, which neglected to take measures, was also found to be at fault, and a 30% offset for negligence was applied.

At the time, “SQL injection attacks” were the main method of cyber attack, and the Ministry of Economy, Trade and Industry had published a document titled “Alert on Thorough Implementation of Safety Management Measures for Personal Data Based on the Personal Information Protection Law (Japanese Personal Information Protection Law)”, pointing out cyber risks and calling for systems to be strengthened.

The judgment recognized the responsibility of the system vendor who had not taken measures and ordered damages, but also found the user company to be at fault and recognized a 30% offset for negligence.

Whether the User Company is at Fault

The user company that orders system development also has obligations, and if there is any negligence, it may bear all responsibility.

Although not a case of a cyber attack, there are also precedents where the responsibility of the user company was fully recognized and damages were ordered.

[Court Case] Asahikawa District Court, August 31, Heisei 29 (2017)

User: University Hospital
Vendor: System company commissioned to develop an electronic medical record system by the university hospital

Additional requests from the doctors using the system began immediately after the project started.
The requests did not stop and development fell behind schedule, whereupon the university hospital gave notice of termination of the contract on the grounds of the delay.

■Judgment (Appeal)
The university hospital was ordered to pay approximately 1.4 billion yen in damages
The first-instance judgment, which had ordered both parties to pay damages, was overturned

■Reason
・The hospital had ignored the vendor’s warning that responding to the additional requests would make it impossible to meet the deadline.

This lawsuit is a case where the user side notified the termination of the contract due to the delay in system development, and the user side and the vendor side each sued for compensation from the other.

In the judgment, the cause of the development delay was found to be the user side’s failure to heed the system vendor’s warning; 100% of the responsibility was placed on the user side, and the user’s claim was rejected.

The vendor side has a “project management obligation” to manage the progress of the project so that the deadline can be met. The user side, on the other hand, has a “duty of cooperation”, and if it neglects that duty it may bear all of the responsibility. In actual court cases, liability for compensation is apportioned according to each party’s ratio of fault.

Three Key Points for Secure System Development

To prepare for cyber risks, it is crucial that both users and vendors work together on countermeasures.

In the following, we will explain the measures that vendors and users can take from their respective positions.

Understanding Cyber Risks Pointed Out by Government Agencies

System vendors should check the guidelines issued by specialized agencies such as the Ministry of Economy, Trade and Industry and the Information-technology Promotion Agency (IPA), understand the current cyber risks and their countermeasures, and then proceed with development and operation.

Not only vendors, but also user-side companies should have a certain understanding of the content and request development and operation in accordance with the guidelines, and include a clause on the level of security in the contract.

Reference: Ministry of Economy, Trade and Industry | Cybersecurity Management Guidelines Ver 2.0

Reference: Information-technology Promotion Agency | How to Create a Safe Website

In particular, in fields such as finance, a high level of security may be required by laws and guidelines. We explain security measures for crypto assets in detail below.

Both Parties Understand the Need for Security

The Ministry of Economy, Trade and Industry’s “Cybersecurity Management Guidelines Ver 2.0” clearly states that “cybersecurity measures are a management issue”.

Instead of leaving everything to the vendor because you don’t understand security, the company should consider its risk management as part of management and take responsibility for countermeasures.

Both Parties Cooperate to Deal with Cyber Attacks

When a cyber attack occurs, the ordering party and the vendor should cooperate to minimize the damage, rather than blaming each other.

However, in system development, the position of the ordering party tends to be strong, and the system development tends to proceed with a focus on cost and delivery time. The vendor may not be given enough money or time, and even if they propose security measures, they may not be accepted.

On this point, the guidelines state that user-side companies should not perceive the implementation of security measures as a “cost”, but should position it as essential for future business activities and growth and treat it as an “investment”.

In system development, it is important for vendors and users to deal with cyber attacks together on an equal footing.

Summary: Consult Lawyers When Creating System Development Contracts to Minimize the Damage from Cyber Attacks

If damage occurs due to a cyber attack, the vendor involved in system development may be held responsible by the user company for neglecting cyber risk measures.

However, the user company that neglected its obligation to cooperate with the vendor also bears responsibility.

In order to minimize the damage from cyber attacks, it is necessary to determine the system level and the scope of each party’s responsibility in the contract.

When creating contracts for system development, consult a lawyer with advanced expertise who understands the content of the guidelines and the current cyber risks.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the Internet, and law. When it comes to system development contracts, it is necessary to create a contract document. Our firm handles the creation and review of contract documents for various cases, from companies listed on the Tokyo Stock Exchange to venture companies.

Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.
