The increasing digitization within government brings significant benefits, but also new risks. Last year, the case of the Hof van Twente municipality demonstrated how essential legal due diligence is in ICT procurement, particularly in the area of cybersecurity. The hack at Hof van Twente, and the resulting damage, highlights the need for procuring parties to make sound legal agreements in advance, to limit both operational and financial risks.
The Hof van Twente case study
In December 2020, a major cyber attack struck the Hof van Twente municipality, encrypting critical systems and backups and removing a large number of virtual servers. This attack had a direct impact not only on the municipality's operational capacity, but also on the protection of sensitive data.
In response, the municipality held IT company Switch IT Solutions responsible for the damage, claiming the company had breached its contractual obligations, duty of care, and related cybersecurity obligations. The municipality demanded compensation, arguing that the IT company's failure to adequately protect its systems had led to the massive damage caused by the cyber attack.
The municipality got it badly wrong
The Overijssel court ruled that, despite the presence of security measures implemented by Switch IT Solutions (the "proverbial moat, walls and guards"), the municipality itself had made a critical error.
An employee of the municipality had opened an RDP port to the Internet by changing a firewall rule. This made the municipality's server accessible via the Internet. The firewall change was not reported to Switch IT Solutions at the time. Some time later, an employee of the municipality set a weak password ("Welcome2020") on a domain administrator account managed by the municipality. Hackers guessed this password via a brute force attack, which enabled the cyber attack.
The court concluded that because of this negligence, the municipality itself bore primary responsibility for the consequences of the attack.
The importance of legal expertise in ICT tenders
Although the issues appear to be primarily technical in nature, there was also a legal component of key importance here. At the heart of the dispute is the interpretation of, and compliance with, the contractual obligations between the municipality and Switch IT Solutions. The municipality argued that the company had breached its contractual obligations, specifically the obligation to implement and maintain adequate security measures that would protect the municipality from such attacks.
The court had to assess the extent to which the IT company had fulfilled its contractual duty of care and the extent to which the municipality itself bore responsibility for the security measures and management of its IT systems. The judgment emphasized the municipality's own responsibility for the security of its systems by pointing out the specific actions by the municipality that enabled the attack, such as opening an RDP port and setting an easy-to-guess password. The court concluded that, despite the IT company's contractual relationship and obligations, the municipality's own actions had increased the security risks.
For example, it did not follow from the tender documents that the IT company was obliged to set up monitoring in such a way that security incidents recorded in the logs, such as password resets, the presence of malware and hacking attempts, would generate notifications requiring action from a functional monitoring point of view, even when those incidents caused no anomalies in the functioning of the servers.
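The monitoring gap described above, and the exposed RDP port with a brute-forced administrator password described earlier, can be illustrated with a small detection routine. This is an added example, not code from the original article or from either party in the case: it runs over constructed, simplified Windows Security events (the real event IDs 4625 failed logon, 4624 successful logon and 4724 password reset; logon type 10 is RDP) and raises the kind of notifications a functional-monitoring contract could have required. The thresholds and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Windows Security log shape (not real log data).
# Six failed RDP logons from one source against an admin account, then a success, then a
# password reset; plus one unrelated failure from an internal user.
SAMPLE_EVENTS = [
    {"time": "2020-12-01T02:00:00", "event_id": 4625, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:01:00", "event_id": 4625, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:02:00", "event_id": 4625, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:02:30", "event_id": 4625, "account": "DOMAIN\\jdoe", "source_ip": "10.0.0.7", "logon_type": 10},
    {"time": "2020-12-01T02:03:00", "event_id": 4625, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:04:00", "event_id": 4625, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:05:00", "event_id": 4625, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:06:00", "event_id": 4624, "account": "DOMAIN\\admin", "source_ip": "203.0.113.5", "logon_type": 10},
    {"time": "2020-12-01T02:10:00", "event_id": 4724, "account": "DOMAIN\\admin", "source_ip": "-", "logon_type": None},
]


def detect_incidents(events, threshold=5, window=timedelta(minutes=10)):
    """Return the notifications that functional monitoring should raise.

    brute_force: `threshold` failed RDP logons for one (source, account) inside `window`
    success_after_brute_force: an RDP logon succeeds for a pair already over the threshold
    password_reset: any password reset attempt (event 4724), whatever its outcome
    """
    alerts = []
    failures = defaultdict(list)  # (source_ip, account) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["source_ip"], ev["account"])
        rdp = ev["logon_type"] == 10
        if rdp:  # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ts - t <= window]
        if ev["event_id"] == 4625 and rdp:
            failures[key].append(ts)
            if len(failures[key]) == threshold:  # fire once, when the threshold is reached
                alerts.append({"kind": "brute_force", "account": ev["account"],
                               "source_ip": ev["source_ip"], "time": ev["time"]})
        elif ev["event_id"] == 4624 and rdp and len(failures[key]) >= threshold:
            alerts.append({"kind": "success_after_brute_force", "account": ev["account"],
                           "source_ip": ev["source_ip"], "time": ev["time"]})
        elif ev["event_id"] == 4724:
            alerts.append({"kind": "password_reset", "account": ev["account"],
                           "source_ip": ev["source_ip"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_incidents(SAMPLE_EVENTS):
        print(alert)
```

Note that the single failed logon from the internal user produces no notification, while the administrator account's failures trigger an alert as soon as the fifth attempt lands, before the successful logon.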
Mitigating risks
This case highlights the importance of legal expertise when entering into and executing ICT tenders. Expert legal advice can help in:
- Establishing robust contracts: ensuring that all parties are clear about their obligations and the consequences of negligence.
- Identifying and mitigating risks: determining potential risks in advance and developing effective control measures.
- Ensuring compliance: making sure that all activities comply with relevant laws and regulations, such as the General Data Protection Regulation (GDPR).
What can we do for you?
Louwers IP&Tech Lawyers offers specialized legal support in the field of ICT procurement and tendering for government agencies. Our experience and expertise enable us to advise you on the applicable standards, so that your projects are not only technically but also legally sound.
For more information on how we can support your next ICT project, we invite you to meet with Frank Rutgers and/or Ernst-Jan Louwers.