Legal Update
An agreement for the provision of IT infrastructure entails an obligation to provide an adequate backup and security system, even if this has not been agreed between the parties
On March 9, 2022, the Overijssel District Court issued a ruling in the case of H.O.D.N. Cottoncounts (“Cottoncounts”) v. CCG Retail B.V. (“CCG Retail”) concerning the agreement concluded between the parties for the provision of an IT infrastructure. At the heart of this case is the question of whether the provision of an adequate backup and security system forms part of this agreement, without the parties having made any agreements in this regard. The answer is affirmative, according to the Overijssel District Court.
On December 5, 2016, Cottoncounts and CCG Retail entered into a purchase agreement under which CCG Retail sold and delivered software, hardware, and a link to Cottoncounts. In addition, the parties entered into a service agreement for maintenance of this software and telephone support. On September 7, 2020, Cottoncounts was hacked, resulting in the loss of professional photos of its entire product range. Cottoncounts holds CCG Retail liable for the damage it has suffered.
Cottoncounts substantiates this claim by arguing that CCG Retail failed to fulfill its obligations under the agreement because CCG Retail did not make complete backups of its servers. CCG Retail disputes that it failed to fulfill its obligations under the agreement. According to CCG Retail, it is very likely that Cottoncounts opened a so-called phishing email, which gave a hacker access to Cottoncounts' servers, for which CCG Retail cannot be blamed. Furthermore, according to CCG Retail, the agreement does not contain any provisions regarding network security, and it disputes that there is a special duty of care to secure Cottoncounts' data.
The District Court of Overijssel considers the following. Since the parties did not (fully) set out their agreements on paper, the answer to the question of whether network security is part of the agreement must be inferred from other facts and circumstances. In this regard, it is important to consider what the parties could reasonably have understood about the scope of the agreement and what they could expect from each other. The District Court of Overijssel considers that, given the stated and undisputed importance of security, it is difficult to imagine how the agreement for the delivery of a total package could not also include the installation of the associated security measures.
CCG Retail therefore could not simply assume that Cottoncounts did not value adequate security as part of the total package it had purchased. CCG Retail also did not claim that it understood or was allowed to understand from Cottoncounts that Cottoncounts did not consider security important. In this situation, CCG Retail therefore had a responsibility towards Cottoncounts to either make (adequate) security part of the total package or to explicitly discuss with Cottoncounts that CCG Retail would not provide this. Cottoncounts would then have had the opportunity to arrange this itself in another way. Absent any discussion about security, Cottoncounts could therefore rely on CCG Retail to arrange this as part of the agreement.
Cottoncounts' assertion that the agreement also includes an obligation to set up an adequate backup and security system therefore succeeds. The court concludes that the damages claimed by Cottoncounts are eligible for award. It is also important to note that CCG Retail was unable to invoke the limitations of liability in its general terms and conditions because, according to the Overijssel District Court, it did not give Cottoncounts a reasonable opportunity to take note of them.
This ruling once again demonstrates the importance of providing an adequate backup and security system, and of the agreements relating to it. The importance of backups was previously discussed in a recent ruling by the Amsterdam Court of Appeal. The ruling also shows how important it is for IT service providers to define their services clearly, and therefore also to specify what those services do not cover: certain elements (such as providing backups and security) may be deemed to be included in the agreement if the agreement leaves a gap in this regard. Finally, it is important to provide your general terms and conditions in the correct manner to prevent them from being invalidated. This Legal Update also includes an infographic, which we created in collaboration with Getting The Picture.
Do you have questions about your IT-related agreements? Feel free to contact one of our specialists.
This is a Legal Update from the Tech & Data and Commercial Contracting & Dispute Resolution team.
Contact
Mariska Nijenhof-Wolters
Commercial Contracts, Liability & Litigation and Competition & EU