With a major IT outage such as the recent well-publicised CrowdStrike outage, the initial focus is on remediating affected machines and systems and ensuring that normal operations can be resumed as quickly as possible. Once the dust settles, the focus of the impacted customer shifts to: (a) ensuring that appropriate measures are in place to prevent, or at the very least mitigate the impact of, any recurrence; and (b) assessing any recourse or remedies which may be available. In this article we consider what these remedies might be and the challenges of pursuing them.
IT outages: Contractual remedies when the lights go out
In a previous article, we considered the potential lessons to be learned from the CrowdStrike global IT outage, particularly in terms of release cycles and testing and how to prevent, or at least mitigate, the impact of such an outage in the future. We turn now to considering the potential remedies which may be available to customers where these types of incidents occur and the challenges of pursuing them.
Potential remedies
- Service credits – Contracts with software vendors will generally provide for service credits to be awarded to customers as a financial remedy for failures to meet expected service levels, such as availability of a particular service to a customer. These will usually need to be claimed by the customer rather than applied automatically by the software vendor.
- Claim for breach of contract – The general position under English contract law is that, where one party has breached a provision in a contract, the other party may be entitled to bring a claim to recover losses it has suffered as a result of that breach. A major IT outage may constitute a breach of a contractual provision for which such a claim could be issued.
- Termination – Major IT outages can cause customers to lose faith in the affected software or vendor (or both). In these circumstances, in addition to, or instead of, claiming service credits or issuing a claim for breach of contract, customers may consider seeking to terminate the statement of work for the affected software or the agreement with the software vendor in its entirety.
- Insurance – In addition to potential remedies which might be pursued against the software vendor, customers may also have a potential insurance claim under any relevant insurance policies which the customer has in place, e.g. a business interruption or cyber insurance policy.
Challenges of pursuing these remedies
Each of these potential remedies will need to be considered in the context of the IT outage in question and with reference to the contractual terms in place between the customer and the software vendor. Some of the common challenges/limitations which can arise in relation to each are:
- Service credits
  - Whether or not these can be claimed from the software vendor depends on the terms of the Service Level Agreement (SLA) in place between the customer and the software vendor.
  - As mentioned above, a common metric in SLAs is the availability of the software, usually measured as a percentage assessed over a specified period. These are often subject to a number of caveats, such as permitted downtime for scheduled and emergency maintenance. In a case such as the well-publicised CrowdStrike outage, such service levels are also subject to arguments that the services promised under the contract themselves were "available" – the actual issue being a knock-on impact to a third-party system.
  - Another key issue is that, even where the threshold for claiming service credits is met, they may be of limited financial value against the overall financial impact of the service level failure on an affected business.
- Claim for breach of contract – There are often a number of hurdles to overcome in pursuing a breach of contract – e.g.:
  - Sole remedy – It is a market norm for software vendors, in their standard terms, to seek to make service credits the sole financial remedy available to customers. Alternatively, they may seek to limit their liability in cases of non-performance to a "fix or refund" remedy under which they would only be obliged to fix the offending fault, or if unable to do so, provide a refund of fees paid for unused services. If a customer has been unable to negotiate away from such a limited/sole remedy position, it would be difficult to make a claim for any financial loss beyond this.
  - Has there been a breach? – Where a customer's contract with the software vendor does not specify that either the ability to claim service credits or a "fix or refund" is the customer's sole remedy, the next hurdle is establishing whether there has been a breach of any term of the contract. The type of provisions that may have been breached in the context of an IT outage include reasonable skill and care obligations, commitments not to cause disruption to any of the customer's third-party systems and obligations to maintain specified information security standards.
  - Typical exclusions/limitations – Any breach of contract claim will be subject to liability exclusions and limitations. Software vendors will typically seek to exclude specific types of losses such as profit and revenue, include a financial cap on their liability and impose mitigation obligations on customers.
- Termination
  - The ability to terminate a contract following a major IT outage is dependent on what termination rights are available to the customer in the contract agreed with the software vendor. It is unusual for software vendors to agree to include any kind of "for convenience" termination right, but they will generally agree to a termination right which is triggered by a material breach. As with a breach of contract claim, the exercise of this kind of termination right would require identification of what (if any) clauses might have been breached by the outage. There would then come the question of materiality of the breach and whether this is sufficient, and any specific process for the termination right (e.g. does it allow for a remedy period?).
  - Pursuing the approach of terminating the contract also comes with some important practical considerations – e.g. how easy would it be to find a replacement software product/vendor quickly? Would moving to another software product/vendor be prohibitively expensive?
- Insurance
  - The ability to claim on any insurance policy will depend on the terms and coverage (including any exclusions) provided by specific policies, with a wide range of coverage provided. For example, many cyber policies will focus on third-party losses arising from data breaches or security failures. Claimants will typically need to follow a specified process to preserve a claim (including, for example, in relation to notification to the insurer) and so customers would need to ensure they were familiar with such processes and follow them strictly.
How to address these challenges
Once a contract is already in place between a customer and a software vendor, it may be possible to navigate the challenges considered above but it is unlikely that it will be possible to lessen them. It is therefore important for customers to give thought at the pre-contract and negotiation stages to the potential occurrence of this type of scenario, and what remedies they would like to be available should it arise.
Even where a software vendor seeks to impose its standard terms, there will often be scope for a degree of negotiation, in particular where a customer has some form of leverage (whether commercial or otherwise). If negotiation is not possible, customers should still ensure that terms for IT systems and services are fully reviewed and that any risks are clearly understood at the time of signing. This applies equally to software and systems that are considered "off-the-shelf" or non-core - the CrowdStrike outage demonstrates that even a seemingly small or non-core system can, in a world of interconnected IT infrastructure and systems, have a critical impact on a wider business.
Next steps
Recent events highlight the importance for customers of understanding the contractual terms in place with software vendors and what remedies might be available in the event of a major outage – even where the systems or services in question are not obviously part of a business's "core" systems, as they may have a wider impact than initially expected.
If you would like help reviewing your existing arrangements or in negotiating your future arrangements, we would be happy to discuss how we can provide support from a legal perspective. Please get in touch with us or your usual AG contact.