I recently wrote about the WannaCry ransomware attack that crippled companies around the globe and recommended that cyberattacks be addressed in the force majeure provision of a construction contract.

Last week, there was another global cyberattack that was first believed to be another form of ransomware known as Petya, but it turned out that the attack was something more sinister.

Instead of being ransomware, which (usually) results in the victim getting their files and information back at a later date, experts have concluded that last week’s attack was actually malware that was a “wiper,” which prevents the user from ever accessing their files.  In other words, a hacker that unleashes a “wiper” on a system is not trying to make money by demanding some type of ransom payment for the information – they just want to damage and destroy.

In addition to adding cyberattacks to the force majeure provision, you should also consider including a contractual provision addressing other potential remedies in the event of a cyberattack.   For instance, parties may want to consider a termination provision that is triggered by a cyberattack.

Every project is different, so there is no “one size fits all” approach for addressing a cyberattack in a contractual provision, but here is a framework that you may be able to customize for your project:

Cyberattacks. The term “cyberattack” in this Contract shall mean, “an attempt by hackers to damage or destroy a Party’s computer network or system.”  In addition to any other remedy available under the Contract (including any extension of time under Section _____), either Party may terminate the Contract upon _____ days written notice if either Owner or Contractor is the victim of a cyberattack that: (i) substantially deletes or destroys Owner’s or Contractor’s electronic files related to the Project such that Owner or Contractor are unable to continue performing their obligations under the Contract; or (ii) prevents Owner or Contractor from being able to access their electronic files related to the Project for more than _______ days.  If Owner terminates the Contract under this Section _____, Contractor shall be entitled to recover (insert remedies, i.e., treated as termination for convenience, or payment to Contractor of a termination fee). If Contractor terminates the Contract under this Section _____, then Contractor shall (insert remedies, i.e., limited to payment for properly performed work, or payment to Owner of a termination fee).

Cybersecurity is an issue that is not going away.  Whether you use a provision similar to the one above or draft your own provision, make sure you address the issue in your construction contracts.

Have you ever said: “I don’t have a contract with the architect yet.  I only signed a proposal.

I’ve heard this statement or something similar from clients multiple times over the years.  They are usually surprised to find out, however, that if they signed a proposal then they already have a contract.  Here’s some advice for owners and contractors: do not sign proposals from design professionals unless you have them reviewed by counsel!

caution 2

Many design professional proposals contain unfavorable terms and conditions that result in an owner or contractor waiving important legal rights and remedies.  For instance, proposals often contain provisions limiting the design professional’s liability or requiring the owner or contractor to indemnify the design professional from any claims.  Also, proposals often exclude any mention of insurance or ownership of the work product.

Many times, Owners and contractors sign these proposals thinking that they are simply locking in a price for a scope of services, and that the parties will sign a more formal agreement later to establish other terms.  But once a proposal is signed, the parties have a contract.  At that point, the design professional may refuse to sign another agreement.  And if problems arise later on, an owner or contractor may find they have very little recourse.

Let me share a real life story to illustrate my point.  A general contractor’s work required the services of a geotechnical engineer for a new phase of a project, so one of the contractor’s project superintendents called the engineer to get pricing for the engineer’s services.  The engineer faxed its pricing for the services on its standard proposal form (which included the engineer’s standard terms and conditions) to the job trailer.  The superintendent signed and returned the proposal, and the engineer performed the services.

A few months after the project was complete, a large slab in an area of the project began to heave and crack, and ultimately had to be completely replaced.  The cause – the geotechnical engineer’s negligence in performing its services.  The cost of replacing the slab exceeded $1 million but the contractor’s efforts to recover that amount from the engineer were unsuccessful.  Why?  Because hidden within a paragraph of the engineer’s standard terms and conditions was language limiting the engineer’s liability to a very nominal amount.

Even though no one really contested that the damages were caused by the engineer’s negligence, the court enforced the limitation of liability provision, and the contractor and its carrier were the parties were stuck with the repair costs.

So the next time you get a proposal from a design professional, have it reviewed by a lawyer familiar with construction law who can appreciate the potential impact of any terms and conditions in the proposal.  It may slow the process down slightly, but it will be worth it in the long run.

Recently, the largest single ransomware attack to date occurred when ransomware known as WannaCry attacked companies around the world.  These companies will likely not know the extent of the damage caused by this attack for months, if not years.  WannaCry is just one of several ransomware threats that companies face.

Ransomware either prevents a user from accessing their computer or their files until a ransom is paid to the hackers.  Ransomware can infect a system in various ways, and hackers are becoming more and more creative about ways to deceive  an employee into unknowingly infecting a company’s network.

Cybersecurity

Contractors are not immune to ransomware (or other cyberattacks).  A successful ransomware attack on a contractor’s network would likely shut down the contractor’s operations on its projects for a period of time.

No access to email or any documents until the contractor pays the ransom (which will likely have to be paid in bitcoin, which would probably present its own challenges).  And even then, some hackers would not release the files back to the contractor even after the ransom was paid.  Think of the impact that this would have on a contractor’s business operations.  No bids could be submitted and every project would be delayed.

The business impact would be catastrophic.  There are insurance professionals that can help address potential business interruption damages.  But what about liability for project delays due to a ransomware attack?  Would the delays be excusable under the contractor’s contracts?  Most likely not.

Force Majeure

Many contracts contain a force majeure clause that addresses various events that would be considered excusable delays, or in some contracts, these events give one or both parties the right to suspend the work or terminate the contract.  Most force majeure clauses are not broad enough, however, to cover a ransomware attack.

This means that contractors would potentially be responsible for damages on every project that is delayed by a ransomware attack.  Depending on the terms of the contract and the owner’s course of action, the contractor could be faced with significant liquidated damages, its work being supplemented, or its contract being terminated.

The Wannacry attack will like only embolden hackers who seek to use ransomware to extort money from companies.  Contractors should make sure that the force majeure clauses in their future contracts include ransomware attacks and other cyberattacks in the list of events that are excusable delays.  And then hope that you never need to rely on it in the future.