2021 Litigation Forecast - IT disputes and COVID-19: Act in haste and repent at leisure
In March 2020, many New Zealand businesses were less than fully prepared to provide IT support to their workforce at short notice to enable them to work ‘remotely’ during the lockdown.
Business continuity plans did not generally foresee that most or all staff, in all locations, would be working remotely at the same time for some months.
Transactions and systems were implemented quickly without the safeguards provided by normal procurement processes.
How organisations responded
Many businesses and other organisations, public and private, found that they did not have sufficient software licences for the number of people who needed to work remotely when lockdown started. Many staff found themselves locked out of their systems because the maximum number of logins was exceeded. As organisations scrambled to deal with this, thousands of staff were temporarily allocated time slots in which they could go online through their VPNs and do their work.
Organisations found that their top priority was to arrange additional software licences as soon as possible, with the senior executive team prioritising speed of execution above all else. They had to act quickly to be able to work in a locked down environment, including rapidly scaling their online working capabilities, deploying more licences and in some cases setting up whole new online web-based stores or environments to replace physical environments. Given the urgency and the workload, there was little appetite or need among providers to negotiate terms.
Decisions were made and actions taken with the best intentions, but with speed of execution being the top priority, sometimes little to no regard was given to contractual terms, cyber security protections, or privacy and other regulatory implications. Transactions were recorded in email exchanges or telephone calls and supplier terms were accepted without question.
With business largely returned to normal, albeit with many staff still working remotely some or all of the time, organisations need no longer act in haste. There is now an opportunity to reflect on the position they find themselves in and consider whether they may need to repent at their leisure and remedy problems before they become worse.
We consider some typical scenarios, the risks that may result and mitigation strategies that may assist.
- Did your organisation allow staff to download new software to enable remote working, or deploy it at speed without proper due diligence on the suppliers or their terms? Some organisations allowed staff to accept suppliers’ terms and conditions without challenge or even review, or accept ‘click wrap’ online terms, or simply download and use software which constituted acceptance of linked terms and conditions. Many supplier terms are one-sided or onerous, with substantial minimum terms and fees. Many are also inadequate in terms of regulatory compliance and data protection.
- Did your organisation deploy or use additional licences without using a contractual process? Some organisations will have found that this placed them in breach of their supplier’s terms and that onerous breach penalties applied. Others found that it moved them to a different pricing structure. Many licences have minimum terms and fixed fees, even though the need for additional licences was only temporary. Acquiring further licences may also increase support and maintenance costs.
- Did your organisation maintain cyber safety standards when additional staff began remote working for the first time? Remote working comes with risks. Users must be vigilant with their use of passwords and two-factor authentication systems. There have been reports of online scammers persuading poorly trained staff who were unfamiliar with remote working to allow them to access systems. Some organisations relaxed requirements for regular password changes and other security requirements such as payment authorisation systems when these were found to create difficulties for staff working remotely. This created opportunities for hackers and fraudsters. Some organisations hurriedly built jury-rigged solutions to enable them to function at a minimum level. A Minimum Viable Product or hastily thrown together website solution may enable an organisation to continue in operation, but it should be checked carefully as soon as possible. A cyber-attack can have significant financial and negative public relations consequences.
- Did your organisation begin to use, or increase its use of, cloud or “as a service” licensing arrangements or costs as it scaled up its capacity? If so, was the correct contractual process followed? Did this move the organisation into a higher cost bracket with a commitment to pay for services that it no longer needs? Some organisations will have found themselves bound to a prescribed minimum service period and high fees.
- Is your business primarily a ‘bricks and mortar’ business that hurriedly went online? Did you consider whether any regulatory rules applied to your new way of working? For example, alcohol suppliers that moved to an online business model must comply with different rules for the sale of liquor. If you began collecting and processing customer records, have you complied with the Privacy Act and rules relating to data retention and protection? If you set up an online payment portal, where you may collect and store credit card details, have you considered the implications of any payment rules and regulations? If you set up a website, did you check it for vulnerabilities? Cyber criminals were also at home under lockdown, honing their skills. Cyber breaches are reported to have increased substantially during and after the lockdown.
- If you are a director of any companies that might have done any of these things, have you asked the right questions of your management team, CIO/CTO? Directors and senior management should consider whether their organisations may have breached any contractual terms and incurred penalties, incurred onerous long-term obligations, given undertakings regarding the use of their data, otherwise accepted unfair or unreasonable terms, increased their cyber risk or exposed their organisation to a technical vulnerability. If issues are identified, directors and senior management should consider the potential consequences and look to mitigate these risks as soon as possible.
What can be done now?
Mitigation steps could include any or all of the following:
- Consider whether you should notify the counterparty, a regulator and/or your insurers if you have breached an agreement or any regulations.
- Consider whether there is a way to cure your breach or reduce the counterparty’s loss. Are there any limitation or liability clauses that may assist?
- Consider whether you can remedy or cease any breaches of regulations or laws.
- Review any new terms and conditions and seek to engage the supplier to vary any unreasonable or unfair terms. This could be hard to achieve but it is better to try now than later.
- If you have moved to a new pricing tier due to your increased licensing or capacity needs, but no longer need them, can you engage with your supplier to drop back down? It might also be timely to try and agree terms and costs if you need to scale up again rapidly.
- Engage an expert to test your website or your new technical solutions for vulnerabilities and fix any issues.
- If a counterparty or a regulator is uncooperative, engage specialist legal or procurement assistance.