The importance of cybersecurity in government ICT procurements

The Hof van Twente municipality case study has demonstrated how essential cybersecurity is in ICT procurement.

The increasing digitization within government brings significant benefits, but also new risks. Last year, the case of the Hof van Twente municipality demonstrated how essential legal due diligence is in ICT procurement, particularly in the area of cybersecurity. The hack at Hof van Twente, and the resulting damage, highlights the need for procuring parties to make sound legal agreements in advance, to limit both operational and financial risks.

The Hof van Twente case study

In December 2020, a major cyber attack struck the Hof van Twente municipality, encrypting critical systems and backups and removing a large number of virtual servers. This attack had a direct impact not only on the municipality's operational capacity, but also on the protection of sensitive data.

In response, the municipality held IT company Switch IT Solutions responsible for the damage, claiming the company had breached its contractual obligations, duty of care, and related cybersecurity obligations. The municipality demanded compensation for the IT company's failure to adequately protect its systems, which led to the massive damage caused in the cyber attack.

Municipality gets it completely wrong

The Overijssel court ruled that, despite the presence of security measures implemented by Switch IT Solutions (the "proverbial moat, walls and guards"), the municipality itself had made a critical error.

An employee of the municipality had opened an RDP port to the Internet through a rule change in the firewall. This made the municipality's server accessible via the Internet. The change to the firewall was not reported to Switch IT Solutions at the time. Some time later, an employee of the municipality set a weak password ("Welcome2020") on a domain administrator account managed by the municipality. Hackers guessed this password via a brute force attack, which enabled the cyber attack.

The court concluded that because of this negligence, the municipality itself bore primary responsibility for the consequences of the attack.

The importance of legal expertise in ICT tenders

Although the implications appear to be primarily technical in nature, there was also a legal component of key importance here. At the heart of the dispute was the interpretation of, and compliance with, the contractual obligations between the municipality and Switch IT Solutions. The municipality claimed that the company had breached its contractual obligations, specifically the obligation to implement and maintain adequate security measures that would protect the municipality from such attacks.

The court had to assess the extent to which the IT company had fulfilled its contractual duty of care and the extent to which the municipality itself bore responsibility for the security measures and management of its IT systems. The judgment emphasized the municipality's own responsibility for the security of its systems by pointing out the specific actions by the municipality that enabled the attack, such as opening an RDP port and setting an easy-to-guess password. The court concluded that, despite the IT company's contractual relationship and obligations, the municipality's own actions had increased the security risks.

For example, it did not follow from the tender documents that the IT company was obliged to set up the monitoring in such a way that security incidents, such as a password reset or the presence of malware and hacking attempts in a log, among others, would generate notifications requiring action from a functional monitoring point of view, even when those incidents did not lead to anomalies in the functioning of the servers.

Mitigating risks

This case highlights the importance of legal expertise when entering into and executing ICT tenders. Expert legal advice can help in:

  • Establishing robust contracts: ensuring that all parties are clear about their obligations and the consequences of negligence.
  • Identifying and mitigating risks: determining potential risks in advance and developing effective control measures.
  • Ensuring compliance: ensuring that all activities comply with relevant laws and regulations, such as the General Data Protection Regulation (GDPR).

What can we do for you?

Louwers IP&Tech Lawyers offers specialized legal support in the field of ICT procurement for government agencies and IT procurement. Our experience and expertise enable us to advise you on applicable standards so that your projects are not only technically, but also legally sound.

For more information on how we can support your next ICT project, we invite you to meet with Frank Rutgers and/or Ernst-Jan Louwers.
