Using contracts for protection against the effects of cyber crime

1 August, 2017

Food service companies that believe cyber crime is something mainly affecting big organisations need to think again if they are to protect their businesses, writes Elliot Fry of law firm Cripps Pemberton Greenish.


Although the media tend to focus on high profile victims of cyber crime – such as the disruption caused to the NHS by WannaCry ransomware in May – it is an issue that affects businesses of all shapes and sizes.


A recent government report indicated 68 per cent of large businesses and 52 per cent of small businesses had suffered a cyber security breach in the past year. Don’t assume that just because your business isn’t national, or high profile, or based around online sales, you’ll be safe. Cyber criminals will target anyone, and may see smaller businesses as more vulnerable.


Cyber security breaches carry a number of adverse potential consequences, ranging from reputational damage and business interruption to possible claims for compensation if you are unable to fulfil your side of a contract. Failure to protect data can also put businesses at risk of fines from the Information Commissioner’s Office.


What can food service businesses do to protect themselves?

Mitigating and minimising risk requires more than just effective firewalls and antivirus software. While it is unlikely 100 per cent IT protection can ever be guaranteed, contractual terms can be used to mitigate losses if the worst does occur.


Many contracts include a force majeure clause that excuses one or both parties from their obligations if specific events get in the way. Examples include war, acts of God, fire, industrial action, epidemics, or government or public authority action. Consideration might also be given to including events such as “cyber attack” or “IT failure as a consequence of malicious third party software” in a force majeure clause.


However the event is defined, the clause should state what will happen to the contract if it occurs: will the contract be suspended or terminated; will one party be absolved of liability; or does one party have to first take all reasonable steps to fulfil its obligations?


Unless your contract provides you with a ‘way out’, your business may find itself hostage to its own obligations. You may either have to go to great expense to supply the promised goods and services by other means, or leave yourself open to a claim for the damage suffered by the other party.


Terms and conditions

Most business relationships are carried out under one party or the other’s standard terms and conditions. If you are at risk of not being able to deliver your services in the event of a cyber attack, you should ensure your terms and conditions are the ones forming the basis of the contract; and that these contain a clause excluding liability in the event of a cyber attack.


Other steps to take

There are other steps food service operators should consider, including:

  • Taking out specialist insurance. Many insurance companies offer a policy covering cyber attacks, and practical advice on risk management and loss prevention. 
  • Implementing segregated networks and least-privilege models to ensure the effect of any breach is minimised.
  • Training staff to identify and avoid suspicious emails and websites.


For further information on how the right contractual terms can help protect your business in the event of a cyber attack, contact Victoria Symons at


This article first appeared in B&I magazine on 1 July 2017.