BUGS BREAKDOWNS & ERRORS - LEGAL PROTECTION FOR YOUR ORGANISATION IN THE EVENT OF A TECHNOLOGY DISASTER

This paper is a brief overview of some of the legal and practical issues that should be considered when planning to avert or recovering from an information technology disaster. It is not proposed to cover electronic service providers which are covered later in the conference.

When an information technology disaster occurs, the victim will be looking for the reasons why or how the disaster occurred and who is responsible for any loss that may have been suffered. This paper examines the causes of action available to the victim and some practical ideas to minimize, apportion and avoid the loss and damage.

Typical information technology disasters include :

• Physical destruction of equipment
• Loss of data
• Loss of time
• Business interruption
• Incompatible or inappropriate software and hardware
• Inability of hardware and software to meet existing or changing business needs
• Migration difficulties
• Inadequate or insufficient support
• Insolvency
• Personal injury due to defective hardware or software
• Copyright infringement or allegations thereof

Typical causes of action arise from :

• breach of contract
• the Copyright Act 1968 (Cth), the Patents Act 1990 (Cth) etc
• the Trade Practices Act (1974) (Cth) ( “the TPA” )¹⁾
• other relevant legislation such as the Goods Act (Vic) 1958 ( “the Goods Act” )
• tort

If a condition or essential term of a contract is breached then there may be a claim for damages for losses incurred as well as the common law right to terminate the contract. A condition or essential term is a term of the contract going to the very root of the contract.

“The test of essentiality is whether it appears from the general nature of the contract considered as a whole, or from some particular term or terms that the promise is of such importance to the promisee that he would not have entered into the contract unless he had been assured of strict or a substantial performance of the promise and that this ought to have been apparent to the promisor²⁾.”

Terms which are of such importance in IT projects may include (depending on degree):

• clear title to the hardware or software.
• the ability to change or modify the software or hardware
• failure of performance or functional requirements (hopefully, but not necessarily, as set out in annexures or schedules to the contract).
• failure of essential support obligations.
• failure to get the software or hardware up and running (implementation or integration problems)
• failure to provide encryption keys or devices as required
• failure to migrate successfully
• excessive down time
• failure to provide adequately trained or nominated staff

Recoverable damages may include a claim for money to put the customer in the same situation as if the contract had been performed including loss of bargain (expectation loss) and damage suffered and expenditure incurred in reliance of the contract (reliance loss)³⁾.

If the term is a warranty only then a claim only arises for damages or for rectification of the problem. Typical warranty breaches may include (depending on degree):

• reduction in hours of support.
• inability to correct minor faults.
• delays in providing support.
• inability to supply certain types of support.
• failure to provide minor functionality or performance requirements.

Clearly it may be desirable to have such breaches considered as a breach of a condition and accordingly it is an option to have a supply contract which contains a termination clause which includes the right to terminate for breach of warranty⁴⁾.

The difference between a warranty and a condition is of primary importance when a party no longer wishes to deal with the party in breach.

Unauthorised modifications to the software may be a breach of condition or warranty depending upon the contractual relationship between the parties and the extent of the modifications.

However, it would be difficult for a customer to rely upon a failure of its modifications or the failure of the supplier to support the customer's modifications as a breach of the contract unless special circumstances existed.

Such modifications may indeed relieve the supplier from all further maintenance obligations as to provide such maintenance would be outside the scope of the maintenance obligation and may be practically very difficult. Ideally the situation with respect to the respective obligations of the parties and ownership of such changes should be established before such modifications are made. Further, in appropriate circumstances, the insurer should be notified of such changes.

The inclusion of time outs or time bombs without release codes being supplied may amount to a breach of fundamental implied term which is not relieved, justified or condoned by a failure of the customer to pay licence fees. The supplier of such a program may well be exposed to a suit for, amongst others, breach. Damages may in such circumstances include the loss of business during such interruption.

The TPA and the various parallel state statutes give rise to implied terms that goods will correspond with their description where they are sold by description ⁵⁾ and be of a merchantable quality and fit for a particular purpose where one is specified⁶⁾. Further, legislation such as the Goods Act also give rise to further rights in relation to the sale of certain goods.

In connection with contracts of hire or supply of services in certain circumstances there is an implied warranty that there must be care and skill expended in providing the services and where services are requested for a particular purpose or result then there is an implied warranty that the services will be reasonably fit for that purpose⁷⁾.

The statutory protection provided by the TPA to those involved in the sale and purchase of goods and services depends upon, amongst other things, the category in which the product in question falls as well as whether or not the customer is a “consumer” of goods or services.

The definition of “consumer” under the TPA includes goods or services for less than $40,000 or alternatively that the goods or services were of a kind ordinarily acquired for personal, domestic or household use or consumption.

Further, the categorisation of computer software as goods or services for relief under the TPA⁸⁾ is not clearly defined.

In Section 4 of the TPA the following definitions appear:

“Goods” includes

• ships, aircraft and other vehicles
• animals including fish
• minerals, trees and crops, whether on, under or attached to land or not; and
• gas and electricity

“Services” includes any rights (including rights in relation to, and interests and interests in real or personal property), benefits, privileges or facilities that are to be, provided, granted or conferred in trade or commerce, and without limiting the generality of the foregoing, includes the rights, benefits, privileges or facilities that are, or are able to be, provided, granted or conferred under -

• a contract for or in relation to -
  • the performance of work (including work of a professional nature) whether with or without the supply of goods;
  • the provision of, or the use or enjoyment of facilities for, amusement, entertainment, recreation or instruction; or
  • the conferring of rights, benefits or privileges for which remuneration is payable in the form of a royalty, tribute, levy or similar extraction;
• a contract of insurance
• a contract between a banker and customer entered into in the course of the carrying on by the banker of the business of banking; or
• any contract for or in relation to the lending of moneys

but does not include rights or benefits being the supply of goods or performance of work under a contract of service

In the Goods Act⁹⁾:

“goods” include all chattels personal other than things in action and money. [The term includes emblements and things attached to or forming part of the land which are agreed to be severed before sale or under the contract of sale]¹⁰⁾

“Services” means¹¹⁾ services by way of -

• the construction, maintenance, repair, treatment, processing, cleaning or alteration of goods or fixtures on land;
• the alteration of the physical state of land; or
• the transportation of goods otherwise than for the purposes of a business, trade profession or occupation carried on or engaged in by the person for whom the goods are transported.

In Toby Constructions Products Pty Ltd v Computa Bar (Sales) Pty Ltd¹²⁾ it was decided that the supply of computer hardware and software bundled together could constitute a sale of goods for the purposes of the TPA and the Sale of Goods Act 1932 (NSW) (which has the same definition as the Goods Act) but left open the question of whether a software package supplied independently of hardware may constitute a sale of goods. His Honour reasoning was that there was a sale of tangible chattels, a transfer of identifiable physical property in the supply of bundled hardware and software.

In the case of St Albans v City and District Council and International Computers Ltd¹³⁾ Mr Justice Scott Baker found at page 21 :
“Strictly speaking I do not think that the point falls to be decided in the present case because I think, as I have earlier set out, that the defendants' obligations were expressly agreed, rendering reliance on the Sale of Goods Act unnecessary.
However, I am of the view that software is probably goods within the Act. Programs are, as has been pointed out, of necessity contained in some physical medium, otherwise they are useless. As Mr Mawrey put it, it is just as much a supply of goods as if paint were applied to a wall or printing ink to a blank page. It is not simply an abstract information passed by word of mouth. Entering software alters the contents of hardware.
If the supply of software is not a supply of goods it is difficult to see what it can be other than something to which non statutory rules apply, thus leaving the recipient unprotected in the absence of express agreement. My conclusion is that it is a supply of goods and that Mr Mawrey's arguments are correct.”

The Sale of Goods Act 1923 (UK) has a similar definition of “goods” as the Goods Act.

The problem which has been alluded to but not decided is what the situation is where there is no physical media of supply. Many products are now either installed or supplied electronically via the Internet, BBS or via the vendor's online systems. Such installation will continue to increase as a cost effective distribution medium¹⁴⁾. It is not difficult to see various EPROMS in motor vehicles for instance being upgraded electronically by visiting an authorised garage. In such circumstances it is difficult to justify software as goods.
Further, in Caslec Industries Pty Ltd v. Windhover Data Systems ¹⁵⁾ Gummow J found that breaches of Section 74[2] of the TPA had occurred with the supply of an “off the shelf” package and additional services. No detailed consideration was given to whether or not software was goods save that it was appropriate to apply Section 74[2].

The view of the author is that “services” would appear to be the most appropriate classification for software, however, the implications of that opinion, if correct, would be to deprive certain customers of a wide range of rights.

Whilst this area of the law would seem rife for statutory amendment as suggested by Rogers J in the Toby Constructions case one can speculate that such amendment is not likely until prompted by a further international treaty. (Thirteen years have now elapsed since that judgment without action)

Part V Division 1A of the TPA provides powers for the publication of warning notices by the government in relation to dangerous goods, the banning of goods that do not comply with prescribed product safety standards, the banning of unsafe goods, the compliance with consumer product information standards, the compulsory recall of unsafe goods and notification to the government of voluntary recalls.

Obviously, a critical definition is whether or not software falls within the definition of goods for the purposes of Part V. There does not appear to be prescribed consumer product standards for software save for the Office of Film and Literature classifications which prima facie do not appear to be proscribed standards. There are software development and maintenance standards (AS3900.3) as part of ISO9001 but these standards are different to the proscribed standards contemplated by the TPA.

Part V Division 2A provides for actions against manufacturers and importers of goods which do not correspond with description, are of unmerchantable quality, which do not conform to sample, are unfit for purpose or manufacturers who do not comply with express warranties.

Section 74F is of interest in that obliges, in some circumstances, a corporation to act reasonably in providing facilities and parts for the repair of goods ordinarily acquired for personal or domestic use against manufacturers. A corporation can, however, expressly disclaim such a responsibility if before the time of acquisition such unavailability is made clear.

Part VA of the TPA is a strict product liability regime based on strict liability for loss suffered as a result of a defective goods.

The claimable loss is limited to personal injury, damage to goods or land, buildings and fixtures and that are ordinarily acquired for private use.

Under section 74A and section 75AB a “manufacturer” includes a corporation who holds itself out to the public to be a manufacturer or permits the name of the corporation or a brand or mark to be applied on the goods, or imported the goods. There are also mechanisms for obtaining information about the identity of a manufacturer.

Defences include that the defect did not exist when the goods were supplied, that the defect occurred because of a mandatory standard, that the defect could not have been discovered given the state of technical knowledge when the manufacturer supplied the goods and if the defect is in finished goods any relevant markings or instructions supplied with the goods.

One way manufacturers can manage their liability once their products have left their control is by product markings such as warnings and instructions. Although this will not limit or exclude the liability arsing under statute, it may prevent that liability from arising in the first place.

Section 52 claims under the TPA for misleading and deceptive conduct and section 53 for false representations are potent causes of action against suppliers and customers. They can also be used in conjunction with section 75B as a mechanism to pursue non-contracting parties in appropriate circumstances.

The scope of those sections is very wide and not to be under estimated. Of particular concern to the supplier is section 51A which makes the supplier liable for future representations for which it did not have reasonable grounds to make. Such representations may include the ability of the supplier to provide support services, encryption keys and access to source code that may be required for amendments. Pre-sales literature and representations can often be misleading and consequently expensive for the supplier.

In addition, the parties may have common law rights to rescind a contract for misrepresentation. Representations as to the performance of a computer made in good faith can still be a negligent misrepresentation¹⁶⁾.

At common law the parties are free to structure their arrangements as they see fit. However, under the TPA and Part IV of the Goods Act any attempt to exclude or limit contractual liability that cannot be excluded or limited is void. The TPA does provide a limited exclusion for the supply of goods and services other than a kind ordinarily acquired for personal, domestic or household use or consumption, subject to certain criteria.

Even if those criteria are satisfied circumstances can arise to prevent strict reliance upon such exclusion clauses. First, the exclusion clauses are construed strictly against the party seeking to rely upon same if an ambiguity exists and in any event according to their natural and ordinary meaning read in the light of the contract as a whole thereby giving due weight to the context in which the clause appears including the nature and object of the contract¹⁷⁾.
Secondly, the clause cannot avoid certain terms implied by statute (see above) including misleading and deceptive conduct. In Westsub v Idaps¹⁸⁾ the plaintiff had contracted the defendant to implement a new computer system. Due to representations made by the defendant the court found, amongst other things, that the defendant had engaged in misleading and deceptive conduct under section 52 of the TPA and was unable to rely upon its exclusion clause¹⁹⁾.

At common law there is a duty on a party to mitigate the loss suffered by breach of contract. That obligation may extend as far as co-operating with the other party to resolve problems and this is often overlooked in heat of the dispute²⁰⁾.

In brief, an action in the tort of negligence requires :

• a duty of care to be owed by the tortfeasor to the plaintiff
• that there has been a breach of that duty
• that as a result of that breach the plaintiff has suffered damage which is not too remote.

The standard of care required usually adopted is that of a reasonable man. In considering whether a standard of reasonable care has been met the court may consider issues such as the size of the risk, the likelihood of injury, the severity of the consequences, the cost and practicality of minimising the risk, the common practice of persons engaged in similar conduct and statutory guidelines regarding the required code of conduct (Query how much software development complies with AS 3900.3).

A problem that often arises with IT projects is that due to the complexity, speed of delivery and secrecy of the products involved customers often have limited knowledge of the goods and services being offered. Reliance is therefore placed on the advice of vendors, who know that their advice is being relied upon and fail to qualify it. In other commercial transactions such advice may neither be sought nor offered. It is only in recent years that IT vendors have become aware of their duty which may often conflict with their own interests and on large projects may approach almost a fiduciary duty in appropriate circumstances.

Furthermore, tort is not limited to contractual situations and indeed extends beyond the vendor and its customers to parties which are not too remote.

In the past, courts around the world have viewed economic loss as being not as foreseeable or more remote as compared to loss and damages resulting from physical injury or direct damage²¹⁾. However in the recent case Bryan v Maloney²²⁾ an owner of a house (who was the third owner of the property) who had had no dealings with the builder of the house was awarded damages for economic loss due to faulty footings. The builder's appeal failed in the High Court and it was upheld that the builder owed a duty of care to subsequent purchasers for economic loss and that there was sufficient proximity to give rise to such a duty.

Although some of the judges made it clear that they did not intend to extend the judgment to chattels, it remains to be seen if further extensions of the law of negligence will be supported by the court.

Previous claims²³⁾ in tort have included :

• computerised name searches failing to find appropriate corporate entities or other information
• inaccurate selling/margin prices
• misleading financial information
• title information
• failure to renew leases, patents or other renewable items
• inaccurate information in online service
• automatic reports being defamatory
• being informed that money had been paid or won when it was not so due
• inaccurate reservations
• inaccurate records leading to wrongful repossession
• public utilities wrongfully disconnected
• failure to make municipal estimates
• errors in flight control systems
• failure to maintain weather reporting systems
• computer controlled traffic control systems

However, tortuous liability for negligent mis-statement can be excluded in certain circumstances by making it clear that the information or service provider is not assuming a duty of care. Typical efforts include warnings of limitations of liability at logon and during use of the service including warnings on all printed materials²⁴⁾.

The damages which may be recovered from the supplier will be the amount of money necessary to restore the customer to the position it was in before the statement, subject to the loss being foreseeable.

“Trust in the infallibility of a computer is hardly a defence when the opportunity to avoid the error is apparent”²⁵⁾

Perhaps the most fundamental of all risk management systems is ensuring that adequate backups are taken at regular intervals.
Just because having a backup system is not common practice in some industries it does not mean you should be excused from having one by the courts. The law expects that people in positions of responsibility will take all reasonable steps to minimise the effects of a disaster.

Further, backups must be frequently audited by actual recovery runs on an independent site. Even minute changes of environment, hardware or software, can result in backups not being adequately taken. Audit or report logs do not appear to be always reliable or sufficient. Further adequate recovery planning should include things such as the transport time to recover tapes from a remote site.

A key aspect to reporting errors is in locating the fault. To locate the fault it is important to record the following information each time a fault occurs :

• a general description of the fault
• the symptoms of the fault
• what happened before, during and after the fault
• the time and date of the fault
• the program reporting the error (including release and update levels)
• the program(s) running at the time of the fault (including release and update levels)
• the operating system including release levels and update levels
• the error number reported and any other relevant information displayed. error registers etc
• collect memory dumps, audit logs, error logs, message logs, transaction logs and any other information no matter how irrelevant. In serious failures an entire tape backup (if possible) should be taken for later evidence.
• a complete list of all hardware components including part numbers and BIOS levels
• Has the operation worked before?
• If so, what has changed?
• Can the fault be reproduced?

Your supplier may also have further information which is required to be collected.

Version control can be critical to fault isolation and determination and it is important that versions are appropriately marked for both correcting the fault and subsequent possible litigation.

You should also report faults as soon as possible.

In the St Albans case, the fact the faulty program printed all zeros on a printed report (indicating a fault) was not sufficient to relieve the defendant from its subsequent negligent mis-statement that the figures from the screen could be adequately relied upon, however, the fault was expressly reported to the defendant for attention.

Confidential Information & Conflict of Interest

Who will be initially called upon to fix the fault? Often the supplier that may be sued will be the first in attendance collecting evidence. Customers should take careful notes of all hardware items replaced and any other relevant information that may be obtained. Customers should also be wary of comments such as “Unable to ascertain the fault”. Suppliers likewise should be loathe to admit fault which would be most likely used against them in later litigation. For examples of some undesirable comments made by a supplier see Stephen Peter Byrne v. University of Melbourne²⁶⁾.

If litigation ensues the availability of the information referred to above will become critical. It may be beneficial for the supplier to routinely erase all error tapes and records submitted and thus make such information unavailable for further study after discovery. This could be advantageous to the supplier for a number of reasons including storage of the media. However, to destroy only unfavourable records or data may lead to an inference that evidence is being destroyed. Further, such records cannot be produced in support of the supplier if they are no longer in existence.

Often staff will fail to notice faults as they occur. Further, staff may notice faults but fail to act for a number of reasons including no formal fault notification scheme. Staff training and having adequate reporting systems can go a long way to alleviating these difficulties and create a good evidence trial for the litigation process. Minor faults with time critical systems should be acted upon to minimise any potential loss by such errors being reported to the appropriate people.

If your organisation's security depends on using passwords or encryption data it is necessary to manage the passwords and/or encryption keys. In designing your security system consideration should be given to all the system entry points including passwords and access to encryption keys.

Defensive practices should include:

• built in checks aimed at preventing and detecting unauthorised access, keeping in mind that there will be differing reasons for attack ranging from financial gain to sabotage
• ensuring that staff follow operating rules and procedures recommended by the designers
• emphasis on security of hardware and operating systems when purchasing equipment
• allocating of responsibility so that no one has access to all resources required to perpetrate a crime
• ensuring physical security of computers & communication equipment including integrity of cabling
• inspection and certification of software
• ensuring that your supply contracts warrant that software is free of extraneous and/or dangerous code
• hardware and/or software cannot be penetrated by programmers for independent program development work.
• control or removal of data recording material.
• employing system auditors or system engineers to evaluate the security of the system at the time of design and before final acceptance.

Escrow of source code and associated materials may provide essential protection to a licencee. It involves the developer providing an independent third party with copies of source code and other relevant materials. In the event of certain triggering conditions such as the developer becoming subject to external administration (insolvent) the code and materials will be released to the customer who may then work with the code as and when required. It is also important for the express licence to modify and use such code be incorporated into any such agreement.

To be effective progress verification and inspection of the code and materials is required to ensure the adequate and proper code is being escrowed. Such verification may include an external condition of the materials, random or full testing and a more technical examination if appropriate.

Many companies take out specific insurance policies to cover computer related risks. It is important to determine whether this area is adequately covered by your existing insurance policies. Your product liability or professional indemnity policies may not be adequate in this area. Professional indemnity insurance may not cover you if the policy does not cover loss arising from the sale or supply of goods and chattels. Public and Product Liability insurance may only cover you for personal injury and property damage. Damages for economic loss needs to be expressly considered.

Consumers purchasing computer hardware or software should carefully negotiate express warranties and minimise the exclusion of liability provisions in their supply contracts. Insurance policies may not cover you for damages which have resulted from the goods not being of the quality contracted for, or for the cost of repair or replacement or for the loss of use and similar consequential or commercial losses flowing from such a claim. Insurance policies may be limited to liability to pay compensation for personal injury or damage to property caused by any breach of duty in respect of goods and consequential losses.

Points to consider in choosing appropriate insurance coverage include:

• What is the duty of care upon the supplier?
• Does your policy extend to overseas coverage?
• The fact that design defects or defects in installation may not be covered.
• Are you covered for breach of contract?
• Is damage to your property or property in your charge or control covered if it is not subject to the liability insurance?
• Is your premium properly adjusted for increase in sales and/or product range?

For further information on insurance please refer to the attached brochure “FAI Corporate & Professional Liability and insurance as related to the information technology industry”

The scope for liability and the quantum of damage involving computers increases daily. However, with a proactive program of risk assessment, monitoring, prevention and insurance the waters are not as murky as they may first seem.

STEVE WHITE
WHITE SW COMPUTER LAW
JUNE 1996

www.computerlaw.com.au

© White SW Computer Law 1996

The author greatly acknowledges the assistance of Ms Sarah Pike of White SW Computer Law and Mr Jack Quigley of FAI Insurance.

This article is a guide only and should not be used as a substitute for proper legal advice, readers should make their own enquiries and seek appropriate legal advice.