Ruslan Rakhmetov, Security Vision
We continue the series of publications devoted to the Cybersecurity Body of Knowledge (CyBOK). Chapter 3 of this body of knowledge describes the main regulatory norms and principles of international law that are relevant to cybersecurity and can be applied when assessing cyber risks, managing information security, and investigating cyber incidents. This is the fifth part of the review of Chapter 3 of CyBOK, covering the specifics of contractual relationships, the terms of contracts, and the resolution of contractual disputes.
3.6. Contract
The term "contract" (or "agreement") means a voluntary legal relationship between two or more persons, in effect an agreement whose fulfillment is backed by legal norms. A contract is often understood only as the form of an agreement, for example a paper document or an email message, but a contract is primarily a legally binding relationship between entities, and that relationship can be expressed in various forms.
3.6.1. Online contracts: the time of conclusion of the contract and the form in which messages under the contract are received
To distinguish legally binding agreements from other communications, it may be necessary to confirm that the communications were sufficient and that the agreement is one the law will enforce. The question of the sufficiency of contractual communications often arises when designing and operating networked transactional systems, and knowing the exact moment at which a contract is concluded (the so-called contractual trigger) matters for managing risk in such systems. In the contract communication process, four timestamps matter: when the contract proposal is sent and when it is received, and when consent to the proposal is sent and when it is received. It is the date and time of consent to the contract proposal that will be considered the timestamp of the creation of the contract, so developers of networked transactional systems must take into account the consequences of possible network disruptions and interrupted transactions. Establishing the exact time of receipt of a message is also important: this may be taken as the timestamp at which the email was received on the mail server, or the time at which an audit log entry recording successful receipt of the message was created.
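The timestamp bookkeeping described above, as an added example that is not from CyBOK or the original article: a small Python parser over a constructed audit log that takes the logged receipt of the acceptance as the contractual trigger (an assumption made for the example; which message governs depends on the applicable law), reports no concluded contract when a message is missing because of a network interruption, and rejects a receipt that is logged before its own send.

```python
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed audit log (not real data): "<UTC timestamp> <transaction id> <event>".
# tx-1 completes the offer/acceptance exchange; in tx-2 the acceptance is lost in
# transit (the network-disruption case above), so its receipt is never logged.
AUDIT_LOG = """\
2024-03-01T10:00:00Z tx-1 OFFER_SENT
2024-03-01T10:00:02Z tx-1 OFFER_RECEIVED
2024-03-01T10:05:00Z tx-1 ACCEPT_SENT
2024-03-01T10:05:03Z tx-1 ACCEPT_RECEIVED
2024-03-01T11:00:00Z tx-2 OFFER_SENT
2024-03-01T11:00:01Z tx-2 OFFER_RECEIVED
2024-03-01T11:04:00Z tx-2 ACCEPT_SENT
"""

# The four timestamps the text singles out, in the order they must occur.
SEQUENCE = ("OFFER_SENT", "OFFER_RECEIVED", "ACCEPT_SENT", "ACCEPT_RECEIVED")
Events = Dict[str, datetime]  # event name -> first logged time for one transaction


def parse_audit_log(text: str) -> Dict[str, Events]:
    txs: Dict[str, Events] = {}
    for line in text.splitlines():
        ts, tx_id, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Keep the first occurrence: a retransmission does not move the original time.
        txs.setdefault(tx_id, {}).setdefault(event, when)
    return txs


def contract_formed_at(events: Events) -> Optional[datetime]:
    """Contract trigger, assumed here to be the logged receipt of the acceptance.
    Returns None if the exchange is incomplete or the timestamps are out of order."""
    times = [events.get(e) for e in SEQUENCE]
    if any(t is None for t in times):
        return None  # a message never arrived: nothing to treat as a concluded contract
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        return None  # receipt logged before its send: clock skew or a tampered log
    return times[-1]


def formation_report(text: str) -> Dict[str, Optional[str]]:
    """Map each transaction id to its formation time (ISO 8601) or None."""
    report: Dict[str, Optional[str]] = {}
    for tx_id, events in parse_audit_log(text).items():
        formed = contract_formed_at(events)
        report[tx_id] = formed.isoformat() if formed else None
    return report
```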
3.6.2. Cybersecurity standards in contracts
Contracts can be used as mechanisms to justify the implementation of cybersecurity standards.
3.6.2.1. Supply chain
The purchase contract often specifies the conditions under which the supplier must comply with certain information security standards, such as ISO 27001, or with other specific internal standards accepted by the parties to the contract. Such conditions can take various forms (a warranty, an audit, independent certification), and their purpose is to ensure a certain level of information security among supply chain partners. If a supplier that did not sign up to the information security terms of the contract suffers a successful cyberattack, it will be difficult for the affected party to obtain compensation from that supplier. Obtaining information about the supplier's maturity, cybersecurity and operational capabilities before signing the contract is evidence that the customer has met due diligence standards.
3.6.2.2. Closed trading and payment systems
Many large electronic trading or payment platforms require participants to sign contracts before connecting. These membership contracts usually contain rules for the use of the platform, communication tools and equipment, and also include requirements to comply with certain information security standards, authentication protocols, and so on. Participants in such closed systems are therefore legally obligated to comply with certain information security standards. Violation of such agreements by participants may jeopardize the subject matter of the agreement, for example making money transfers or receiving payment. A merchant that connects to a payment system and fails to comply with its payment authentication requirements may incur significant losses, for instance by failing to verify the validity of payment card data entered by a cybercriminal. One of the best-known industry payment standards is PCI DSS (Payment Card Industry Data Security Standard). Despite some doubts about the effectiveness of this standard, its adoption has raised the level of cybersecurity of many companies processing payment card data.
3.6.2.3. Limitations and relaxations in contractual obligations
Applicable legislation may restrict certain terms of contracts and industry standards. For example, local legislation may contradict the requirements of the standards, or may contain its own rules protecting the rights and defining the responsibilities of users and payment service providers, which requires the legal requirements and the contract terms to be harmonized.
3.6.3. Guarantees and Exclusions
The term "guarantee" (warranty) describes a contractual obligation regarding the quality or legal status of the goods supplied, the quality of the information provided, the status of the signatories of the contract, and so on. Contracts may contain guarantees such as:
- Objective quality of the goods supplied: a typical buyer should be satisfied with the quality of the goods;
- Subjective quality of the goods supplied: a buyer whose specific requirements were communicated to the manufacturer will be satisfied with the quality of the goods;
- Objective quality of service: the service provider guarantees that it will exercise due care in the process of delivering the service.
The quality of goods and the quality of services need to be assessed in different ways: the conformity of goods with guarantees can be assessed on product samples before the products are actually received, whereas the quality of services can be only roughly assessed before purchase, by examining the actions the provider performs, its qualifications and the methodologies it uses. A service provider may, for example, claim to exercise proper care but in practice deliver substandard services. These issues have become particularly relevant with the rise of cloud services, which are increasingly chosen instead of classic software products. Despite frequent legal requirements to include warranty conditions in contracts, many technology and IT service providers seek to exclude such clauses from contracts, replacing them with narrower guarantees that the software and services conform to the requirements specified in the documentation.
3.6.4. Limitations and exclusions of liability
An exclusion of liability is stipulated in the contract as a condition that the supplier will not be financially responsible for any type of damage resulting from a breach of the contract, including the client's loss of revenue, lost profits, restoration costs, and so on. A limitation of liability means that the supplier may incur financial liability only within pre-determined limits or up to an amount calculated according to a certain formula.
Product manufacturers and IT service providers tend to include clauses on limitation or exclusion of liability in the standard forms of their contracts to manage their legal risks. Government regulators are usually suspicious of such exceptions, but to a greater extent such control is typical for the B2C sector, leaving the B2B segment less regulated.
3.6.5. Breach of contract and legal remedies
When considering contractual requirements, it is important to take into account the legal consequences of a breach of contract, i.e. non-fulfillment of contractual obligations. Breaches can be of varying severity, and depending on the severity the affected party chooses one or more remedies to protect its interests:
- Damages: the injured party demands financial compensation from the party that breached the contract, sufficient to compensate for the lost profit;
- Termination of the contract: in case of a serious breach, the injured party may seek to terminate the contract; the termination conditions may be specified in the contract itself;
- Specific performance: in the event of a serious breach of contract, the affected party may require the company at fault to perform pre-agreed actions, such as transferring the rights to the product or handing over the source code;
- Remedies provided for in the contract: the contract may contain provisions on compensation methods and legal protection measures for the injured party; for example, the company responsible may provide additional service hours or perform work to eliminate the consequences of the breach.
3.6.6. The impact of the agreement on persons not explicitly mentioned in it
As a rule, the consequences of breaching the terms of a contract apply only to the persons who concluded that contract. Even if a third party has suffered as a result of a breach of contractual obligations, it cannot claim compensation from the company responsible under the contract. However, a third party still has the right to defend its interests in a civil lawsuit, and in complex supply chains a third party may receive certain rights from a party to the contract (for example, the right to the benefit of a guarantee). A service provider may, for example, face compensation claims from persons who are not parties to the contract but depend on the services the company provides.
3.6.7. Conflict of different jurisdictions when considering disputes under contracts
The decision on which country's legislation applies when a contract dispute is considered is usually made by the court that hears the dispute. The rules vary from country to country: for example, the EU has a single mechanism (the Rome I Regulation, Regulation 593/2008), whereas in the United States the rules for resolving contractual disputes may vary from state to state. There are, however, a number of general principles:
1) An explicit choice by the parties: the contract prescribes the jurisdiction and the legal norms according to which disputes under the concluded contract are to be resolved;
2) No explicit choice by the parties: if the parties have not prescribed in the contract the law under which disputes will be resolved, the court decides on its own. In the EU, for example, the following rules from Article 4 of the Rome I Regulation apply:
- A contract for the sale of goods or for the provision of services is governed by the law of the country in which the seller of the goods or the service provider is resident;
- The contract for the sale of goods at an auction will be governed by the laws of the country in which the auction is held;
- A contract involving multiple parties and based on a specific law will be governed by this law.
3) Contracts with consumers: when a consumer is one of the parties to a cross-border agreement, rules of law apply that additionally protect the consumer's rights. In the EU, for example, if a supplier of products or services conducts business in the consumer's country of residence, the following rules from Article 6 of the Rome I Regulation apply:
- If the contract does not explicitly prescribe the law under which disputes will be resolved, the law of the country in which the consumer is resident applies;
- If a law under which disputes will be resolved has been explicitly chosen, that choice cannot deprive the consumer of the legal protection afforded by the legislation of the country in which the consumer is resident.