Backups and disaster recovery: when is the service provider liable?

Backups and disaster recovery are key aspects of cybersecurity. But since they are expensive and require a great deal of expertise, companies are increasingly relying on specialized service providers, and services offering backup-as-a-service (BaaS) or disaster-recovery-as-a-service (DRaaS) are very popular at the moment. However, what exactly would the legal situation be in the event that the service provider is unable to restore the data and systems? The District Court of Heilbronn had to answer this very question in a judgment of 28 January 2021 (Case No. Es 2 O 238/17). Below, you will find our commentary on the ruling, as well as practical advice for controllers.

The facts of the case

The plaintiff and the defendant had a data backup agreement which was to include “proactive 24/7 monitoring of the system.” But after the plaintiff experienced a data loss, it became evident that, due to a technical error, no external backups had taken place for several months. The plaintiff was able to recover at least part of the data by means of an internal backup. However, it took the plaintiff more than 550 work hours to restore all the data, and the plaintiff sued the defendant for damages in the amount of about 15,000 Euros.

The court’s ruling

The District Court of Heilbronn lowered the amount of the damages slightly, but ultimately awarded the plaintiff about 12,000 Euros in damages. In the grounds for its ruling, the court began by stating that the backup agreement was not a contract for works and services, as the plaintiff had argued, but rather an employment contract. However, even though the defendant was not required to ensure a specific outcome, the court ruled that the defendant did violate an obligation under the contract and was therefore required to pay damages. Specifically, the defendant was required to provide “proactive 24/7 monitoring of the system,” as stated in the technical details of the agreement. The court found that the defendant was therefore required to monitor the backup system extensively and report any problems to the plaintiff, and that its failure to do so constituted a breach of duty. The plaintiff’s damages consist not of the personnel expenses it incurred but of the value of the data itself, and the court found that the value of the data can be estimated based on the work hours spent by the plaintiff in order to recover the data. However, the court ruled that the plaintiff could not seek damages for data relating to an employee’s training, since these damages were to the employee herself, and not to the company.

Assessment and practical advice

This ruling by the District Court of Heilbronn underscores how important it is for both data backup service providers and their customers, as well as for providers of other IT services, to specify the subject matter of the agreement in a clear and transparent manner. Otherwise, the customer cannot rely on actually receiving the requested service, and it may be unable to seek damages in case of violations. Particularly in cases where a specific outcome is required, companies would be well-advised to include an express provision to this effect in the agreement. But a clear and transparent definition of the required service is also important for the contractor. After all, a company which promises 24/7 monitoring for data backups will be required to deliver on this promise.
