Backups and disaster recovery are key aspects of cybersecurity. But since they are expensive and require a great deal of expertise, companies are increasingly relying on specialized service providers, and services offering backup-as-a-service (BaaS) or disaster-recovery-as-a-service (DRaaS) are very popular at the moment. However, what exactly would the legal situation be in the event that the service provider is unable to restore the data and systems? The District Court of Heilbronn had to answer this very question in a Judgment of 28 January 2021 (Case No. Es 2 O 238/17). Below, you will find our commentary on the ruling, as well as practical advice for controllers.
The facts of the case
The plaintiff and the defendant had a data backup agreement which was to include “proactive 24/7 monitoring of the system.” But after the plaintiff experienced a data loss, it became evident that, due to a technical error, no external backups had taken place for several months. The plaintiff was able to recover at least part of the data by means of an internal backup. However, it took the plaintiff more than 550 work hours to restore all the data, and the plaintiff sued the defendant for damages in the amount of about 15,000 Euros.
The court’s ruling
The District Court of Heilbronn lowered the amount of the damages slightly, but ultimately awarded the plaintiff about 12,000 Euros in damages. In the grounds to its ruling, the court began by stating that the backup agreement was not a contract for works and services, as the plaintiff had argued, but rather an employment contract. However, even though the defendant was not required to ensure a specific outcome, the court ruled that the defendant did violate an obligation under the contract and was therefore required to pay damages. Specifically, the defendant was required to provide “proactive 24/7 monitoring of the system,” as stated in the technical details of the agreement. The court found that the defendant was therefore required to monitor the backup system extensively and report any problems to the plaintiff, and that its failure to do so constituted a breach of duty. The plaintiff’s damages consist not of the personnel expenses it incurred but in the value of the data itself, and the court found that the value of the data can be estimated based on the work hours spent by the plaintiff in order to recover the data. However, the court ruled that the plaintiff could not seek damages for data relating to an employee’s training, since these damages were to the employee herself, and not to the company.
Assessment and practical advice
This ruling by the District Court of Heilbronn underscores how important it is for both data backup service providers and their customers, as well as for providers of other IT services, to specify the subject of agreement in a clear and transparent manner. Otherwise, the customer cannot rely on the fact that it will actually receive the requested service, and it may be unable to seek damages in case of violations. Particularly in cases were a specific outcome is required, companies would be well-advised to include an express provision to this effect in the agreement. But a clear and transparent definition of the required service is also important for the contractor. After all, a company which promises 24/7 monitoring for data backups will be required to deliver on this promise.back