The increasing digitization within government brings significant benefits, but also new risks. Last year, the case of the Hof van Twente municipality demonstrated how essential legal due diligence is in ICT procurement, particularly in the area of cybersecurity. The hack at Hof van Twente, and the resulting damage, highlights the need for procuring parties to make sound legal agreements in advance, to limit both operational and financial risks.
The Hof van Twente case study
In December 2020, a major cyber attack struck the Hof van Twente municipality, encrypting critical systems and backups and removing a large number of virtual servers. This attack had a direct impact not only on the municipality's operational capacity, but also on the protection of sensitive data.
In response, the municipality held IT company Switch IT Solutions responsible for the damage, claiming the company had breached its contractual obligations, duty of care, and related cybersecurity obligations. The municipality demanded compensation for the IT company's failure to adequately protect its systems, which led to the massive damage caused in the cyber attack.
Municipality gets it completely wrong
The Overijssel court ruled that, despite the presence of security measures implemented by Switch IT Solutions (the "proverbial moat, walls and guards"), the municipality itself had made a critical error.
An employee of the municipality had opened an RDP port to the internet through a rule change in the firewall. As a result, the municipality's server became reachable from the internet. The firewall change was not reported to Switch IT Solutions at the time. Some time later, an employee of the municipality set a weak password ("Welkom2020") on a domain administrator account managed by the municipality; hackers guessed it in a brute-force attack, which made the cyber attack possible.
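The two failures the court describes are both configuration errors that a routine check before a change goes live would catch. The following script is an added illustration, not code from the municipality, Switch IT Solutions or the court file: it flags an inbound firewall rule that exposes RDP (TCP 3389) to any non-internal source, and rejects a candidate administrator password of the "dictionary word plus year" form. The rule model, the list of internal address ranges, the 14-character minimum and the deny-listed words are assumptions made for the example; the sample rules and passwords are constructed.

```python
"""Pre-change checks for the two failure modes in the case: an inbound firewall
rule exposing RDP to the internet, and a weak administrator password.
Added example; rule and password values are constructed, not from the case."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RDP_PORT = 3389

# Assumption: sources inside these ranges are internal; anything else is
# treated as reachable from the internet.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str        # "inbound" or "outbound"
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None means any port
    source: str           # CIDR of the permitted source addresses


def rule_exposes_rdp(rule: FirewallRule) -> bool:
    """True if the rule lets a non-internal source reach RDP."""
    if rule.direction != "inbound" or rule.action != "allow":
        return False
    if rule.protocol not in ("tcp", "any"):
        return False
    if rule.port not in (None, RDP_PORT):
        return False
    src = ipaddress.ip_network(rule.source, strict=False)
    return not any(
        net.version == src.version and src.subnet_of(net)
        for net in INTERNAL_NETWORKS
    )


def find_rdp_exposures(rules: List[FirewallRule]) -> List[str]:
    """Names of rules that should stop a change request pending review."""
    return [r.name for r in rules if rule_exposes_rdp(r)]


# --- password checks (thresholds and word list are assumptions) ------------
MIN_LENGTH = 14
DENYLISTED_WORDS = {"welkom", "welcome", "wachtwoord", "password", "admin", "gemeente"}
# Matches "Welkom2020": letters, a plausible year, optional trailing symbols.
WORD_PLUS_YEAR = re.compile(r"^[A-Za-z]+(19|20)\d{2}[^A-Za-z0-9]*$")


def password_weaknesses(password: str) -> List[str]:
    """Reasons a candidate password should be rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if WORD_PLUS_YEAR.match(password):
        problems.append("dictionary word followed by a year")
    lowered = password.lower()
    if any(word in lowered for word in DENYLISTED_WORDS):
        problems.append("contains a deny-listed word")
    return problems


# Constructed sample change set; the first rule is the kind of change that
# made the municipality's server reachable from the internet.
SAMPLE_RULES = [
    FirewallRule("allow-rdp-from-anywhere", "inbound", "allow", "tcp", 3389, "0.0.0.0/0"),
    FirewallRule("allow-rdp-from-lan", "inbound", "allow", "tcp", 3389, "10.0.0.0/8"),
    FirewallRule("allow-https", "inbound", "allow", "tcp", 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("RDP exposed by:", find_rdp_exposures(SAMPLE_RULES))
    for pw in ("Welkom2020", "correct horse battery staple 7!"):
        print(repr(pw), "->", password_weaknesses(pw) or "accepted")
```

Running the script reports the first sample rule as an exposure and rejects "Welkom2020" on three counts (length, word-plus-year pattern, deny-listed word). The point for the contract is that checks like these only help if the agreement says who runs them and who must be told when a rule changes.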
The court concluded that because of this negligence, the municipality itself bore primary responsibility for the consequences of the attack.
The importance of legal expertise in ICT tenders
Although the implications appear to be primarily IT-technical in nature, a legal component was of key importance here. At the heart of the dispute is the interpretation of, and compliance with, the contractual obligations between the municipality and Switch IT Solutions. The municipality claimed that the company had breached its contractual obligations, specifically the obligation to implement and maintain adequate security measures that would protect the municipality from such attacks.
The court had to assess the extent to which the IT company had fulfilled its contractual duty of care and the extent to which the municipality itself bore responsibility for the security measures and management of its IT systems. The judgment emphasized the municipality's own responsibility for the security of its systems by pointing out the specific actions by the municipality that enabled the attack, such as opening an RDP port and setting an easy-to-guess password. The court concluded that, despite the IT company's contractual relationship and obligations, the municipality's own actions had increased the security risks.
For example, it did not follow from the tender documents that the IT company was obliged to configure its monitoring so that security incidents such as password resets, the presence of malware and hacking attempts would generate notifications in a log that required action from the perspective of functional monitoring, even where those incidents did not cause any deviation in the functioning of, among other things, the servers.
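The monitoring the court describes, security events that cause no functional deviation but must still raise an alert, can be made concrete. The script below is an added example, not code from the page or from any party to the case: it runs simple detection logic over constructed log lines that render Windows Security events in a key=value form (event ID 4625 failed logon, 4624 successful logon, 4724 password reset; logon type 10 is RemoteInteractive, i.e. RDP). It alerts on a burst of failed RDP logons from one source, on a successful RDP logon from a source that was already flagged, and on a password reset of a privileged account. The line format, the threshold of five failures in five minutes and the privileged-account list are assumptions of the example.

```python
"""Alerting on security events that cause no functional deviation: a burst of
failed RDP logons, a later successful RDP logon from the same source, and a
password reset on a privileged account. Added example; the log lines are a
constructed key=value rendering of Windows Security events, not real data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Windows Security event IDs: 4625 failed logon, 4624 successful logon,
# 4724 password reset attempt. Logon type 10 = RemoteInteractive (RDP).
FAILED_LOGON, SUCCESS_LOGON, PASSWORD_RESET = 4625, 4624, 4724
RDP_LOGON_TYPE = 10

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+)(?: LogonType=(?P<lt>\d+))?"
    r" Account=(?P<acct>\S+)(?: SourceIP=(?P<ip>\S+))?(?: Target=(?P<target>\S+))?$"
)

# Constructed sample: six failures then a success from one external address,
# one ordinary typo from an internal user, and a helpdesk reset of "admin".
SAMPLE_LOG = """\
2020-12-01T01:10:00 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T01:10:03 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T01:10:05 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T01:10:09 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T01:10:12 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T01:10:14 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T01:10:20 EventID=4624 LogonType=10 Account=admin SourceIP=198.51.100.7
2020-12-01T08:15:00 EventID=4625 LogonType=10 Account=jdevries SourceIP=10.0.0.5
2020-12-01T08:15:30 EventID=4624 LogonType=10 Account=jdevries SourceIP=10.0.0.5
2020-12-01T09:00:00 EventID=4724 Account=helpdesk Target=admin
"""

Alert = Tuple[str, str, str]   # (kind, subject, detail)


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed key=value lines; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "eid": int(d["eid"]),
            "lt": int(d["lt"]) if d["lt"] else None,
            "acct": d["acct"],
            "ip": d["ip"],
            "target": d["target"],
        })
    return events


def detect(events: List[Dict], threshold: int = 5,
           window: timedelta = timedelta(minutes=5),
           privileged: Tuple[str, ...] = ("admin", "Administrator")) -> List[Alert]:
    """Sliding-window brute-force detection plus privileged-account reset alerts."""
    alerts: List[Alert] = []
    failures: Dict[Optional[str], Deque[datetime]] = defaultdict(deque)
    flagged = set()   # source addresses already reported for brute force
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == FAILED_LOGON and ev["lt"] == RDP_LOGON_TYPE:
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("RDP_BRUTE_FORCE", ev["ip"], ev["acct"]))
        elif ev["eid"] == SUCCESS_LOGON and ev["lt"] == RDP_LOGON_TYPE and ev["ip"] in flagged:
            alerts.append(("RDP_LOGON_AFTER_BRUTE_FORCE", ev["ip"], ev["acct"]))
        elif ev["eid"] == PASSWORD_RESET and ev["target"] in privileged:
            alerts.append(("PRIVILEGED_PASSWORD_RESET", ev["acct"], ev["target"]))
    return alerts


def run_sample() -> List[Alert]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the script raises three alerts: the brute-force burst from 198.51.100.7, the successful logon from that same address a few seconds later, and the reset of the "admin" password. None of these events would show up as a server malfunctioning, which is exactly why the court's distinction between functional monitoring and security monitoring matters when the tender documents are drafted.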
Mitigating risks
This case highlights the importance of legal expertise when entering into and executing ICT tenders. Expert legal advice can help in:
- Establishing robust contracts: ensuring that all parties are clear about their obligations and the consequences of negligence.
- Identifying and mitigating risks: determining potential risks in advance and developing effective control measures.
- Ensuring compliance: ensuring that all activities comply with relevant laws and regulations, such as the General Data Protection Regulation (GDPR).
What can we do for you?
Louwers IP&Tech Lawyers offers specialized legal support in the field of ICT procurement for government agencies. Our experience and expertise enable us to advise you on the applicable standards so that your projects are not only technically, but also legally sound.
For more information on how we can support your next ICT project, we invite you to meet with Frank Rutgers and/or Ernst-Jan Louwers.