Back­ups and dis­as­ter reco­very: when is the ser­vice pro­vi­der liable?

Back­ups and dis­as­ter reco­very are key aspects of cyber­se­cu­ri­ty. But sin­ce they are expen­si­ve and requi­re a gre­at deal of exper­ti­se, com­pa­nies are incre­asing­ly rely­ing on spe­cia­li­zed ser­vice pro­vi­ders, and ser­vices offe­ring backup-as-a-service (BaaS) or disaster-recovery-as-a-service (DRaaS) are very popu­lar at the moment. Howe­ver, what exact­ly would the legal situa­ti­on be in the event that the ser­vice pro­vi­der is unable to res­to­re the data and sys­tems? The Dis­trict Court of Heil­bronn had to ans­wer this very ques­ti­on in a Judgment of 28 Janu­ary 2021 (Case No. Es 2 O 238/17). Below, you will find our com­men­ta­ry on the ruling, as well as prac­ti­cal advice for controllers.

The facts of the case

The plain­ti­ff and the defen­dant had a data back­up agree­ment which was to include “proac­ti­ve 24/7 moni­to­ring of the sys­tem.” But after the plain­ti­ff expe­ri­en­ced a data loss, it beca­me evi­dent that, due to a tech­ni­cal error, no exter­nal back­ups had taken place for seve­ral months. The plain­ti­ff was able to reco­ver at least part of the data by means of an inter­nal back­up. Howe­ver, it took the plain­ti­ff more than 550 work hours to res­to­re all the data, and the plain­ti­ff sued the defen­dant for dama­ges in the amount of about 15,000 Euros.

The court’s ruling

The Dis­trict Court of Heil­bronn lowe­red the amount of the dama­ges slight­ly, but ulti­m­ate­ly award­ed the plain­ti­ff about 12,000 Euros in dama­ges. In the grounds to its ruling, the court began by sta­ting that the back­up agree­ment was not a con­tract for works and ser­vices, as the plain­ti­ff had argued, but rather an employ­ment con­tract. Howe­ver, even though the defen­dant was not requi­red to ensu­re a spe­ci­fic out­co­me, the court ruled that the defen­dant did vio­la­te an obli­ga­ti­on under the con­tract and was the­r­e­fo­re requi­red to pay dama­ges. Spe­ci­fi­cal­ly, the defen­dant was requi­red to pro­vi­de “proac­ti­ve 24/7 moni­to­ring of the sys­tem,” as sta­ted in the tech­ni­cal details of the agree­ment. The court found that the defen­dant was the­r­e­fo­re requi­red to moni­tor the back­up sys­tem exten­si­ve­ly and report any pro­blems to the plain­ti­ff, and that its fail­ure to do so con­sti­tu­ted a breach of duty. The plaintiff’s dama­ges con­sist not of the per­son­nel expen­ses it incur­red but in the value of the data its­elf, and the court found that the value of the data can be esti­ma­ted based on the work hours spent by the plain­ti­ff in order to reco­ver the data. Howe­ver, the court ruled that the plain­ti­ff could not seek dama­ges for data rela­ting to an employee’s trai­ning, sin­ce the­se dama­ges were to the employee hers­elf, and not to the company.

Assess­ment and prac­ti­cal advice

This ruling by the Dis­trict Court of Heil­bronn unders­cores how important it is for both data back­up ser­vice pro­vi­ders and their cus­to­mers, as well as for pro­vi­ders of other IT ser­vices, to spe­ci­fy the sub­ject of agree­ment in a clear and trans­pa­rent man­ner. Other­wi­se, the cus­to­mer can­not rely on the fact that it will actual­ly recei­ve the reques­ted ser­vice, and it may be unable to seek dama­ges in case of vio­la­ti­ons. Par­ti­cu­lar­ly in cases were a spe­ci­fic out­co­me is requi­red, com­pa­nies would be well-advised to include an express pro­vi­si­on to this effect in the agree­ment. But a clear and trans­pa­rent defi­ni­ti­on of the requi­red ser­vice is also important for the con­trac­tor. After all, a com­pa­ny which pro­mi­ses 24/7 moni­to­ring for data back­ups will be requi­red to deli­ver on this promise.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.