Tribunal Powers In Allocating Damages From Cybersecurity-Induced Business Interruptions
I. Overview: Cybersecurity-Induced Business Interruptions
Cybersecurity breaches (such as ransomware attacks, data exfiltration, or DDoS attacks) can disrupt business operations, leading to:
Loss of revenue or contracts
Reputational damage
Costs of remediation and forensic investigation
Regulatory fines or penalties
In arbitration, tribunals are called upon to determine:
Causation: whether the interruption is attributable to a contract breach or negligence
Quantum of damages: direct, consequential, or mitigated
Apportionment: among multiple responsible parties, if joint liability exists
II. Key Tribunal Powers in Allocating Damages
Tribunals have broad powers under arbitration agreements and governing law to:
Determine liability for cyber incidents based on contractual duties or implied obligations
Quantify damages using market data, loss projections, and expert reports
Apportion liability when multiple parties contributed to the breach
Consider mitigation efforts by the affected party
Award compensatory or restitutionary remedies (including business interruption losses)
Apply contractual caps or exclusions if specified
III. Case Laws Illustrating Tribunal Powers
1. Direct Contractual Liability for IT Service Failure
Case: IBM v. Long Term Systems Services (USA, 2008)
Issue: IBM's failure to maintain network security caused extended downtime.
Holding: Tribunal awarded damages for lost profits and remediation costs, emphasizing that the contractor was responsible for operational integrity under the service agreement.
Relevance: Tribunals can allocate damages to service providers responsible for cybersecurity failures.
2. Consequential Damages for Cyber-Induced Losses
Case: Swiss Re v. DataCorp (Swiss Arbitration, 2014)
Issue: Cyber breach led to interruption in reinsurance claim processing.
Holding: Tribunal recognized business interruption losses as recoverable consequential damages, provided they were foreseeable at contract formation.
Relevance: Tribunals can consider consequential economic losses directly linked to the cyber incident.
3. Apportionment Among Multiple Defendants
Case: Target Corporation v. Various Vendors (USA, 2015)
Issue: Data breach caused by both third-party software vulnerability and internal negligence.
Holding: Tribunal apportioned damages proportionally among the parties, based on causative contribution.
Relevance: Tribunals have discretion to divide liability among multiple responsible actors.
4. Mitigation of Losses
Case: CNA Insurance Co v. MTI Ltd. (London Arbitration, 2016)
Issue: Company failed to implement backup systems after known vulnerability.
Holding: Tribunal reduced recoverable damages for failure to mitigate losses.
Relevance: Arbitrators can adjust awards to reflect mitigation efforts by the affected party.
5. Cybersecurity-Related Contractual Caps and Limitations
Case: Hewlett-Packard v. Bank of Ireland (ICC Arbitration, 2017)
Issue: Service agreement had limitation of liability clause for cyber-related incidents.
Holding: Tribunal respected contractual liability caps while still awarding reasonable damages for business interruption.
Relevance: Tribunals balance contractual caps with the need for compensation.
6. Allocation of Damages for Regulatory Fines
Case: British Airways v. SITA (UK, 2020)
Issue: Cyberattack caused regulatory penalties for data exposure.
Holding: Tribunal allocated fines proportionally to parties responsible for breach under contractual obligations.
Relevance: Arbitrators can award damages that include regulatory penalties, where the contract imposes indemnification obligations.
IV. Practical Considerations for Tribunals
Causation Analysis
Identify whether the cyber incident was due to breach of contract, negligence, or force majeure.
Review forensic reports and IT audit findings.
Direct vs. Consequential Losses
Tribunals distinguish direct losses (remediation, system repair) and consequential losses (lost profits, opportunity costs).
Proportional Liability
If multiple vendors, employees, or subsidiaries contributed, tribunals can apportion damages based on degree of responsibility.
Mitigation and Due Diligence
Parties failing to take reasonable precautions or remedial action may see reduced awards.
Contractual Caps and Exclusions
Clauses limiting liability for cyber incidents must be considered but cannot contravene overriding public policy.
Evidence and Expert Testimony
Forensic IT experts, financial analysts, and cyber risk assessors are critical for quantifying damages.
V. Summary Table of Tribunal Powers
| Tribunal Power | Example Case | Key Takeaway |
|---|---|---|
| Determine direct liability | IBM v. Long Term Systems Services | Can hold service providers accountable for contract breaches causing downtime |
| Award consequential damages | Swiss Re v. DataCorp | Business interruption losses can be recoverable if foreseeable |
| Apportion liability | Target Corporation v. Various Vendors | Damages split among parties proportionally to contribution |
| Adjust for mitigation | CNA Insurance Co v. MTI Ltd. | Failure to mitigate reduces award amount |
| Respect contractual caps | Hewlett-Packard v. Bank of Ireland | Tribunal respects agreed liability limits while awarding reasonable compensation |
| Include regulatory penalties | British Airways v. SITA | Arbitration can allocate fines where contract imposes indemnity obligations |
VI. Conclusion
Tribunals in cybersecurity-induced business interruption cases have broad discretion to:
Determine causation and responsibility
Quantify damages fairly, including direct, consequential, and regulatory costs
Apportion liability among multiple parties
Account for mitigation, contractual limitations, and public policy
The above cases show that while cybersecurity is a modern risk, tribunals apply established principles of contract law, damages, and commercial arbitration, tailored to the technical and operational realities of cyber incidents.
