The General Counsel was challenged in 2020, not only due to the impact of the corona-crisis in general, but also and more specific in regard to the dependence of his/her company on information technology. Video calling became the norm for almost every meeting and, partly due to the VPN connection, people were able to work from home. Next to challenges in regard to cybersecurity and data-privacy, the GC has been more likely to encounter diverge Legal IT issues as a hybrid way of working will continue to be the norm. In this article we will give you as General Counsel some tools which might assist you when you are about to purchase a software application that supports your business-critical processes or if you are considering taking an IT dispute to court. Please note that the below tools are applicable when you decide to acquire customised software or if you acquired of the shelf software which the supplier extensively configurated.
The duty of care
The IT supplier must observe the care of a good contractor in the performance of his work, as laid down in general terms in Article 7: 401 Dutch Civil Code. The duty of care in IT contracts can also be further developed contractually. This makes the duty of care strongly casuistic in nature. Fortunately, an increase in case law is visible, which means that this somewhat vague concept of “duty of care” is becoming increasingly.
Total assignment
The extent to which an IT supplier must take into account a duty of care depends first of all on the size of the assignment: is it a simple assignment or a total assignment? More generally, it can be deduced from Dutch case law that, as soon as a company is about to grant an assignment in which the IT supplier must manage the entire IT infrastructure, the duty of care on the IT supplier grows.
An example from Dutch case law (ECLI:NL:RBAM:2018:10124): an administration office had become the victim of a ransomware attack, in which hackers had entered the network and locked all company files (including all backup files) on the server. Forensic research showed that the attack could have been prevented by a combination of stronger passwords, a VPN connection and a better backup facility. The court ruled that the IT supplier had not properly executed the order by omitting the aforementioned security measures. In fact, the fact that the customer had rejected the security measures did not change this opinion. The court held that the IT supplier could not suffice with a single warning and acquiescence in the choice of the customer, because the security is part of a network and therefore it was a total assignment. Another factor was that the supplier was a professional expert. The IT supplier had the duty of care to warn the IT customer urgently of the risks that the failure to take security measures entailed.
The degree of dependence
Strong dependence can be aggravating when it comes to the duty of care. Particularly if the IT supplier also acts as an advisor, he has an increased duty of care. The increased duty of care means, among other things, that it must keep the interests of the customer in mind throughout the project and must inform the customer about the risks to the success of the project. As an example we refer to a statement in which the IT supplier had to develop software, which software would run on the customer’s existing IT infrastructure (ECLI:NL:RBDHA:2020:4735). In general, the performance of the software depends, among other things, on the quality of the IT infrastructure. In the present matter, the position of the IT supplier that the IT infrastructure was outdated, as a result of which the performance of the developed software was not optimal, could not help him. The judge ruled that the IT supplier had failed, because he should have warned the customer, partly because of his capacity as an advisor.
Market-based software
In addition to the above-mentioned issues, the market and the expertise of the parties can also influence the justified expectations. Another example from Dutch case law (ECLI:NL:GHAMS2020:1987): a customer had a CRM system built by an IT supplier. The parties had not put any further agreements on paper with regard to the functionalities, look and feel and performance. However, well-documented studies showed that the software had persistent problems. This while the market offers many alternative CRM systems and the market should be considered quite mature. The judge ruled that the professional IT supplier had to deliver a CRM system that “meets the average expectations that a customer can derive from it”. In other words, if the market is saturated with competing products, the IT supplier applies market-based prices and the agreement does not specify in so many words which standards the software must meet, then a customer may expect that this software will be supplied with which the average employee can be worked.
Of the shelf software solutions
From the examples described above, you may have already concluded that the IT supplier of standard/ of the shelf software solutions (who does not act as an advisor) has not yet been discussed. More generally, we can conclude that IT suppliers of standard software are less affected by a duty of care, let alone an increased duty of care. The reason for this is that the agreement on which it is based often does not qualify as a contract for services, but rather as a purchase. In that case, the duty of care does not apply. In this case, whether the product is compliant is the benchmark.
We hope that we have been able to provide you with some helpful tools. Should you have questions regarding the above, please do not hesitate to contact us.