IT vendor liability in the event of a cyber incident


Kimberly Kooij. Senior Liability & Cyber Broker

Organizations are increasingly outsourcing (much of) the maintenance of their technical IT environment to an external IT service provider.

They do so not only because of the complexity of today's IT environments, but also because maintenance is time-consuming. This has made the question of who is liable for damages in the event of a cyber attack much more complex. An example is the court ruling in the case of the Hof van Twente municipality against IT service provider Switch IT Solutions.

The case study: Hof van Twente

A well-known case on cybercrime and liability is that of the Hof van Twente municipality, with a court ruling in May 2023. The municipality was hacked in 2020 and its systems and backups were encrypted. The hackers demanded €750,000 to release the systems. Because the mayor refused to pay, the municipality ended up suffering a loss of as much as €4.2 million because all systems had to be rebuilt.

How had the hackers gotten in? They had used software that fires different combinations of login names and passwords at systems until it finds the right combination. This is one of the oldest forms of attack and is almost always ultimately successful, although it sometimes takes several months to years.

In this case, the municipality's system administrator had set an easily guessable password (Welcome2020), which made it very easy to get in. In addition, an RDP port managed by the municipality itself had been opened to the outside world by an internal modification of the firewall.
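The login-guessing pattern described above can be spotted in authentication logs by counting failed logins per source over a short window and flagging the success that follows a burst. The Python below is an added example, not part of the original article or of any party in the case; the log records are constructed, and the record layout (timestamp, source IP, account, outcome) is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of remote-login audit records (assumed layout:
# timestamp, source IP, account, outcome). Not taken from the ruling.
SAMPLE_LOG = """\
2020-11-30T22:01:05 203.0.113.7 admin FAIL
2020-11-30T22:01:06 203.0.113.7 admin FAIL
2020-11-30T22:01:08 203.0.113.7 beheer FAIL
2020-11-30T22:01:09 203.0.113.7 admin FAIL
2020-11-30T22:01:11 203.0.113.7 beheer FAIL
2020-11-30T22:01:12 203.0.113.7 admin OK
2020-11-30T22:05:00 198.51.100.4 jdoe FAIL
2020-11-30T22:30:00 198.51.100.4 jdoe OK
"""

def parse(line):
    """Split one record into (datetime, source, account, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts: a 'burst' when one source reaches `threshold` failures
    inside `window`, and 'success_after_burst' when a flagged source later
    logs in successfully (the likely compromised account)."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()                 # sources that already produced a burst
    alerts = []
    for line in log_text.splitlines():
        ts, src, user, outcome = parse(line)
        recent = failures[src]
        if outcome == "FAIL":
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, len(recent), ts))
        elif outcome == "OK" and src in flagged:
            alerts.append(("success_after_burst", src, user, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second source in the sample (one failure, then a success half an hour later) produces no alert, which is the normal mistyped-password case the threshold is meant to ignore.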

The municipality then held its IT vendor liable, arguing that it should have prevented the hack. The municipality felt that the service provider should have warned it about the poor security. However, the court rejected the municipality's claim: there was no evidence that IT partner Switch had failed to fulfill its contractual obligations or had acted negligently, so there could be no wrongful act.

You can find the full ruling here.

The Hof van Twente municipality has not accepted the ruling and has appealed. When the appeal will be heard is not yet clear.

Heightened duty of care

Whether an IT vendor is liable for damages from a cyberattack depends on the specific circumstances of the case. In addition to its contractual obligations, an IT service provider also has a duty of care. This means that it must act as would be expected of a reasonably acting and competent IT supplier. Previous case law shows that this is a heightened duty of care. However, making good arrangements in advance can prevent situations like the one at Hof van Twente.

Practical Tip

As a service provider, it benefits you to record in the contract with the client not only what has been agreed upon, but also what has not been agreed upon. Here it is important to record what the parties' intentions were at the time the contract was made: what were the considerations at the time and what were the objectives.

As a service provider, make sure that advice and warnings given to the client are in black and white if the client chooses not to follow up on them.

Further: as a service provider, state in your terms and conditions that you are not liable for things like data loss and indirect damages. The digital industry trade association, NLdigital, offers general terms and conditions that limit your liability. Members can download them for free and non-members can purchase them, along with the accompanying processor agreement.

Not a nice-to-have, but a must-have

Clients are increasingly requiring their IT service provider(s) to carry professional liability insurance. However, the dividing line is thin: does the claim stem from careless advice, or is it purely a cyber incident? Because IT companies tend to deal with complex risks, we always recommend purchasing both professional liability insurance and cyber insurance from the same insurer.

Want to discuss the possibilities of such insurance for your IT organization? Or exchange views on topics related to cybercrime combined with liability?

Contact Kim Kooij or our other cyber specialists:
Shirvan Loetawan and Jeroen van Heteren.
