Apologies to all while I geek out on contract law for a moment.
I recently had to accept an updated EULA from a vendor that I’m working with in support of Advanced Cyber Law, and because I’m a lawyer and I can’t help myself, sometimes I really DO read the fine print. The “fine print” discussed below one comes from a company that’s clearly paying attention to cybersecurity risks, because buried deep inside the agreement is a force majeure clause that’s a force of cyber to be reckoned with!
Force majeure clauses are known as the “acts of God” clause – the actions that are outside the control of the parties because something extraordinary prevented the party from meeting his or her contractual obligations, it could not have been reasonably anticipated, and the party made a reasonable effort to satisfy their end of the bargain.[1]
The issue of whether cyberattacks are force majeure events are emerging in the courts. There were several cases in 2020 involving Nuance Communications and two health providers, where the Court wrestled with the implications of Russian cyberattacks but was inconclusive as to whether the attack itself was a force majeure issue.[2] While litigants wrestle with the issue, it’s worthwhile for parties to think about whether they should sign a contract with cyberattacks included as force majeure events.
Here’s the language that really caught my attention (my emphasis added in bold):
COMPANY is not liable for any delay or failure in performance of its obligations from any cause beyond COMPANY’s control, including, but not limited to, acts of God, changes to laws or regulations, embargoes, wars, terrorist acts, failures by a third-party technology service provider, riots, fires, earthquakes, floods, pandemics, power outages, strikes, weather conditions, acts of hackers, acts of internet service providers, acts of any other third party, or acts or omissions of Employer, Employer’s agents, assigns or any other third party acting on Employer’s behalf.
While the lawyer who wrote that company’s clause gets an A for effort in identifying a range of potential issues (power outages? Really?) it’s the cyber clauses that caught my attention. “[F]ailures by a third-party technology service provider” is a vague statement to begin with, and it is questionable whether simple negligence or an error or omission by a third-party service provider not a party to the contract would be considered by the court. The same would hold true for an “act of internet service providers”, and it is hard to understand how a court would allow for the normal operation of an internet service provider (ISP) not a party to the agreement would be considered a “force majeure” event. There’s little likelihood that either party’s contractual terms with an ISP would support that argument. If these terms were present in a draft agreement, the first two clauses are items to either strike or negotiate heavily.
The relevant and potentially useful addition is, of course, the “acts of hackers” term. It remains unclear whether “hackers” is a sufficient term, given the foreseeability of cyberattacks by both cyber criminals and nation state attackers, depending upon the target. If that term were to emerge during a contract negotiation, that would definitely be a clause worth drilling into. More precision around “hackers” and of course the “acts” of those hackers would matter. Hackers can compromise systems, networks, and data, and companies can still perform under a contract, so it’s important to have a clear meeting of the minds as to why an “act of a hacker” – from a nation state attacker all the way down to an “advanced persistent teenager” would be a reasonable excuse for performance.
But I’ll sleep just fine knowing this clause is in my current contract as my scenario is low-risk and low-consequence. I would love the opportunity to spar with opposing counsel as to why a cyberattack may, or may not, be a force majeure event. I just didn’t expect a small vendor to be the one to raise the issue. In some ways, that’s a good thing. It’s proof that cybersecurity is becoming more mainstream, even if the arguments being raised are not.
[1] force majeure | Wex | US Law | LII / Legal Information Institute (cornell.edu); Fore Majeure – Definition, Application, Examples (corporatefinanceinstitute.com); Preparing for Cyberattacks and Limiting Liability (natlawreview.com).
[2] Princeton Cmty. Hosp. Ass’n, Inc. v. Nuance Commc’ns, Inc., No. 1:19-00265, 2020 WL 1698363, at *5 (S.D.W.Va. Apr. 7, 2020); and Heritage Valley Health Sys., Inc. v. Nuance Commc’ns, Inc., 479 F. Supp. 3d 175, 184 n.4 (W.D. Pa. 2020).
