A mistake made during a maintenance operation caused all data stored on the server of a company to be erased and lost forever. As it happened, backups were regularly made but turned out to be deficient and unusable.
Although the damage suffered was evaluated to 150,000 euros, the company obtained only 7,280 euros, as the supplier claimed, and obtained by court decision of May 2 (Tribunal de Commerce de Nanterre), the benefit of a limitation of liability clause inserted in the facilities management contract. The liability of the supplier was indeed contractually limited, as usual in IT contracts, to one year’s service fees.
In spite of the consequences being dramatic for the customer, the court did not consider the supplier guilty of gross negligence, which would have enabled the court to discard the application of the limitation of liability clause. Still, the court retained the liability of the supplier, although another clause excluded the supplier’s liability in case of data loss where the customer had failed to perform appropriate backups.
This case shows the practical importance to check the reliability of backups and the actual possibility of putting operations back in place after an incident on the basis of data backups. This task should not be entrusted blindly to suppliers; it should be verified by the customer.
It also points out that limitations of liability provisions inserted in agreements can be enforced and that without proper insurance, a company has to be prepared to bear the risk of a system failure.
Another lesson learnt is that efforts made by the supplier to remedy the situation and the negligence of the customer in supervising the security of its systems may influence the outcome of a decision regarding the liability of the supplier.
The court decision does not specify whether the hosted data included personal data, but the data was claimed to be strategic data for the company. There are chances that the server hosted personal data, as personal data often goes along with other strategic data, but here the company operated in a B2B context. Would the decision have been the same with B2C sensitive data?
Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at firstname.lastname@example.org.