A spectacularly large US company flattered a UK start-up with a huge contract which was eventually signed and secured. This would give them the capital they need to multiply their success. The contract wasn’t exclusive and the start ups web application was valuable to many similar companies. A fantastic “result” and only two types of insurance were required by the US company.
Welcome back, or if you’re new here sign up to our RSS feed to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.
Contractual responsibility
The contract issued by the American client had 2 pages making direct reference to the type of due diligence, risk management and business insurance required of the start-up. The rest of the contract revealed 26 further liabilities and requirements that were, or would become, necessary.
Not all were manageable for a small company with limited cash flow. The really fine points of the contract referenced this exact point and made it clear they would take full and furious legal action if something went wrong. Ouch, a soft landing is required so we received an introduction.
Part of the liability related to the website, which was provided as a service, and had to be operational 99.9% of the time. The US company staff would be trained to use it and then supported 24/7. It had to work and the contract made it clear that they would want compensation for any downtime over 0.01% in any one year. Keep in mind that one way to compensate is not charge fees that are due.
Penetration testing must be the answer
It helps work out weaknesses today yet doesn’t account for advances made by hackers tomorrow. IT Systems security methods of suppliers aren’t always reliable and data theft was the main concern of the US client. They made the UK startup contractually liable for the costs of notification to the relevant authorities and those whose personal data is compromised.
This is a really tough figure to try and quantify because few own up when they have a data breach so the statistics cannot be compiled. Contrast that with fires where it is easier to quantify losses.
That won’t change just because it becomes a must to do (new regulations are due to land in the EU in 2015). So if some Herbert got at the data, the US company would have to spend to meet US regulations and the UK start-up could be ruined by the losses. Identity theft costs vary from person to person so it really is a difficult number to calculate.
Legal liabilities change across borders or state lines
The chances of a breach are minuscule, the costs ridiculous. The damage to brand immeasurable. Get a lawyer to get legal on your contracts and they’ll close the gaps. Some clauses don’t hold water in the UK yet US companies issue proceedings where they want. The contract formed a vicious circle when the statement of work and suppliers agreement were reviewed together. No stone had been left unturned and the US company had a fair minded legal team. That is not always the case.
However, there was a liability of millions and the supplier of the application’s infrastructure were only going to cough up £182k if they failed to maintain their supply. Worse still, the infrastructure wasn’t easy to transfer to a new supplier and a 30 day window tied the start-up down. No fix in 30 days and the US contract terminated automatically. And further contracts would not have been issued by them or anyone else.
We deal with cyber risk every weekly basis. It rarely touches the smaller business, yet their suppliers are at risk. Cloud sounds great yet it is not as solid as your own database with your own security. The solutions are a contractual nightmare.
Wrap up: It is not unheard of for a large company to issue a contract to a start-up, allege an error and drown them in legal proceedings. This is because they can then strike a deal which leaves the start-up Directors free of debt if they give up their Intellectual Property. Only in America? No! Uk companies do this too. Does Directors protection work in these cases? No! See why here: https://cobinecarmelson.com/wp-content/uploads/2011/11/What-are-Directors-real-risks.-CCLv5-URL.pdf
Top tip
One digital games company signed an NDA and found the other signatory copied their ideas and started selling their titles. It cost £300,000 to force them to stop and compensate the original designer. There is no point getting someone to sign an NDA unless you have the means to enforce it!