One of the biggest threats businesses now face are cyberattacks and ransomware. Daily, we see headlines about companies and government agencies being hit with ransomware attacks that cripple victims until they either pay the ransom or rebuild their systems. No sector is safe, and any reputable business has, by now, taken steps to protect itself from such attacks. This protection most often comes in the form of strengthened IT security measures and obtaining cyber insurance to offset any financial losses from cyberattacks.
However, many businesses have yet to consider another important step: updating their contracts to excuse their performance if they are victimized by a ransomware attack. Often, contracts contain what are called “force majeure” clauses that excuse a party’s performance under a contract if they are impacted by circumstances outside their reasonable control. For example, typical force majeure clauses excuse a party’s performance due to acts of God, strikes, war, pandemics, terrorist attacks, etc. As long as a party takes reasonable measures to protect itself and avoid the impacts of such events, it will likely be excused from performing under a contract for as long as the event impacts their operations. Typically, for an event to be considered a valid excuse under a force majeure clause in a contract, it must be specifically listed or identified and outside the party’s reasonable control.
It is likely that many business contracts do not list “cyberattacks” or “ransomware demands” in their list of force majeure events. Businesses should consider adding these events to their standard contract terms going forward. Doing so would not necessarily be a magic bullet, especially if the company did not take reasonable steps to avoid the attack in the first instance. But, given that most cyberattacks are launched by anonymous organizations or individuals unaffiliated with a specific terrorist group or nation state, it is unlikely that such events would be considered acts of war or terrorist attacks under a force majeure clause.
Therefore, much like last year when businesses were advised to consider adding the term “pandemic” to their standard force majeure clauses, they should also consider adding cyberattacks or ransomware demands as events that might excuse their performance until the consequences of the attack are remediated. If you have questions and would like further information, please contact PLDO Partner Brian J. Lamoureux at 401-824-5100 or email [email protected]. Attorney Lamoureux is a member of the firm’s litigation, employment, and cybersecurity teams.
Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.