This article has been written by Aryashree Kunhambu, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
The history of technological invention tells us that high risk and high reward are two sides of the same coin. While chasing viral ideas without a risk-proof plan was the norm in the early days of the internet, recent times have put a spotlight on the ethical and safety aspects of using technology. Digital information is the lifeblood of many businesses, which makes protecting digital assets a high priority today. Besides the obvious practical and commercial consequences, the regulatory frameworks of several high-performing countries impose legal sanctions on corporations that fail to uphold the prescribed privacy and data protection standards. Thus, every passionate innovator today has a legal responsibility to ask himself – ‘What is the worst thing that could happen if I failed?’
A great boon of the digital transformation of the business world was the advent of the e-commerce sector. A new category of contracts, electronic contracts, was born out of this transformation. Their speed, efficiency, and convenience have not only made e-contracts incredibly popular but have also drastically reduced the cost of doing business by eliminating the middlemen. In addition, corporate entities have been actively engaging in due diligence processes as a means to propagate and include disaster recovery management (DRM) clauses in their e-contracts. This enables them to showcase a clear vision of business continuity to all the parties having an interest in their business activities. In this article, the author discusses how disaster recovery management can be used as a tool in e-contracts to highlight the conscious and informed decisions made by business entities while promoting a resilient business model.
What are e-contracts and why are they safe?
An e-contract is a contract executed via a digital mode of communication rather than the traditional paper-based model. It provides an opportunity for sellers to reach the end consumer directly without the involvement of middlemen. The whole contract can be completed within a matter of seconds by simply attaching the digital signatures of all the parties to an electronic copy of it. The digital signatures attached to an e-contract are the key component certifying its safety. They make the contract reliable and secure due to hash functions, which ensure the uniqueness of digital signatures, and Digital Signature Certificates (DSCs), which guarantee that the signatures can be verified. Under Indian law, DSCs are legally valid and recognised by the Information Technology Act, 2000. Licensed Certifying Authorities (CAs) issue DSCs under the Ministry of Information Technology, which makes the use of DSCs as authentic and valid as any wet or physical signature. Electronic signatures also serve as proof of signature and give rise to a presumption in favour of electronic agreements under the Indian Evidence (Amendment) Act, 1882.
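The two mechanisms named above, a hash function that fingerprints the contract text and a certificate that binds the signer's public key to a licensed CA, can be seen working together in the following added example. It is not code from the article or from any Certifying Authority; it uses a deliberately small, self-contained textbook RSA implementation (toy key sizes, a fixed random seed, and a dictionary standing in for the certificate format) so that it runs offline, whereas real DSCs use standardised X.509 certificates and keys generated under a CA's approved procedures. The contract text, the party name "Seller Pvt Ltd" and the helper names are all constructed for the illustration.

```python
import hashlib
import random

# Constructed toy parameters: a fixed seed makes the example reproducible.
# Real DSC keys are generated by CA-approved software, never like this.
_rng = random.Random(2024)


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (enough for the toy key sizes used here)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Textbook RSA key pair: returns (public, private) as (exponent, modulus)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def document_digest(doc: bytes) -> int:
    """Hash-function step: a fixed-length SHA-256 fingerprint of the contract text.
    Any change to the text, however small, produces a different digest."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big")


def sign(priv, doc: bytes) -> int:
    """The signer applies the private key to the digest, not to the whole document."""
    d, n = priv
    return pow(document_digest(doc), d, n)


def verify(pub, doc: bytes, sig: int) -> bool:
    """The verifier recomputes the digest and compares it with the recovered value."""
    e, n = pub
    return pow(sig, e, n) == document_digest(doc)


def issue_certificate(ca_priv, subject: str, subject_pub):
    """Model of a DSC: the CA signs the binding between a name and a public key."""
    e, n = subject_pub
    to_be_signed = f"{subject}|{e}|{n}".encode()
    return {"subject": subject, "pub": subject_pub, "ca_sig": sign(ca_priv, to_be_signed)}


def verify_contract(cert, trusted_ca_pub, doc: bytes, sig: int) -> bool:
    """Relying party: first check the DSC against the trusted CA, then the
    signature on the document. A valid signature under an untrusted
    certificate is rejected, which is what makes the CA licence matter."""
    e, n = cert["pub"]
    to_be_signed = f"{cert['subject']}|{e}|{n}".encode()
    if not verify(trusted_ca_pub, to_be_signed, cert["ca_sig"]):
        return False
    return verify(cert["pub"], doc, sig)


def demo():
    """Returns (genuine_ok, tampered_ok, untrusted_ca_ok) for a constructed contract."""
    ca_pub, ca_priv = generate_keypair()            # the licensed CA
    seller_pub, seller_priv = generate_keypair()    # a contracting party
    cert = issue_certificate(ca_priv, "Seller Pvt Ltd", seller_pub)
    contract = b"Sale of 100 units at INR 500 each. Delivery within 30 days."  # constructed text
    sig = sign(seller_priv, contract)
    genuine = verify_contract(cert, ca_pub, contract, sig)
    # Altering one figure after signing breaks the digest match.
    tampered = verify_contract(cert, ca_pub, contract.replace(b"500", b"50"), sig)
    # A certificate issued by an unlicensed issuer fails the chain check.
    _rogue_pub, rogue_priv = generate_keypair()
    rogue_cert = issue_certificate(rogue_priv, "Seller Pvt Ltd", seller_pub)
    untrusted = verify_contract(rogue_cert, ca_pub, contract, sig)
    return genuine, tampered, untrusted


if __name__ == "__main__":
    print(demo())
```

The three results show the two properties the paragraph relies on: the signature verifies only over the exact text that was signed, and it is accepted only when the signer's certificate chains to a CA the relying party already trusts.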
What is disaster recovery management?
Disaster recovery management (DRM) is a vital process that organisations, public or private, implement to ensure the smooth recovery of the applications, data, and hardware most important to business operations after events such as a natural disaster, a cyber attack, or a business disruption caused by an unforeseen event such as the COVID-19 pandemic. It is a collective term encompassing all aspects of planning for and responding to emergencies and disasters, including both pre- and post-event activities. It refers to the management of both the risk and the consequences of an event.
Disaster management is more than just response and relief; it is a systematic process aimed at reducing the negative impact and consequences of adverse events. The main objectives of DRM are –
- To have proactive plans in place to mitigate various business risks and minimize losses.
- To have effective and durable recovery of key systems in the business.
- To gather disaster recovery personnel at the command center.
- To decide if the incident is a disaster.
- To activate salvage operations, recovery operations, communications, restoration to normal operations, when required.
Before initiating the DRM process, every business owner must ask himself the following practical questions –
- Does my company hold data on behalf of other parties? If so, what are the duties in respect of that data (contractual, statutory, and otherwise)?
- What liability would arise if such data were lost?
- What liabilities could arise if we cannot access our data?
- Are these risks legally covered under the contracts and disclaimers of the company?
- Are our digital assets covered by insurance?
How can a DRM clause add value to your e-contract once it is incorporated?
Privacy attacks and system crashes are the most common threats regularly faced by the IT departments of various businesses. According to IBM’s 2020 Cyber Resilient Organization Report, 46 percent of organisations had, in the past two years, experienced a cybersecurity incident that significantly disrupted the organisation’s IT and business processes. Many companies that experience major data loss and downtime file for bankruptcy within months and ultimately wind up. E-commerce contractors mostly depend upon third-party data centres to store their documents or digital information. These servers can easily be burned, destroyed, or tampered with. Further, corporations collecting and processing the information of their consumers do not always assure them of any data security.
Bearing in mind the above-mentioned risks, the obvious benefit of having a disaster recovery plan is business continuity, regardless of the circumstances. Having a strategic approach to disaster recovery planning and adding it to e-contracts can help a company in several other important ways such as:
1. Defining a disaster event and the objectives of the plan
The most essential function of any business enterprise is to forecast future events and prepare for any possible misfortunes to reduce the risk involved. An e-contract while defining a disaster must exclusively mention all the essential elements that would constitute one. A condensed, written form of the possible disasters and the objectives to be achieved in case of their occurrence, will ensure transparency and good faith towards all parties involved in the contract.
The litigation that followed the September 11 attacks, SR International Business Insurance Co. v. World Trade Center Properties, LLC., shows us the importance of defining the terms of a contract with absolute precision. In this case, the insurance companies had issued temporary binders while the full insurance policies were being negotiated. The temporary binders provided $3.5 billion for each occurrence but did not define what constituted an occurrence. SR sued WTC, claiming that the terrorist attacks on the World Trade Center constituted one occurrence under the temporary binder insurance policies. Because the insurers had used differing definitions of “occurrence” (the policy term governing the amount of insurance) and it was uncertain which definition applied, the court split the insurers into two groups for jury trials on the question of which definition of “occurrence” applied and whether the insurance contracts were subject to the “one occurrence” interpretation or the “two occurrences” interpretation. In the end, nine of the insurers were subject to the “two occurrences” interpretation and, therefore, liable for a maximum of double the face value of those particular policies ($2.2 billion).
Thus, a clear DRM clause in an e-contract will showcase a clear intention on behalf of the parties to the contract, leaving the shareholders of the company with ample information to secure themselves and the company in troubled times.
2. Ensuring data remains secure and compliant
Section 43A of the Information Technology Act, 2000 provides for the liability of corporate entities and compensation for failure to protect data. It states that if a body corporate is negligent in implementing and maintaining reasonable security practices while possessing, dealing with, or handling any sensitive personal data or information, and this results in wrongful loss or wrongful gain to any person, then the body corporate may be held liable to pay damages to the person so affected. No upper limit is specified for the compensation under this section. Section 66, meanwhile, defines the punishments for various computer-related offences. A DRM clause providing measures to keep the data compliant and secure will help the company avoid legal battles.
3. Determining liability
If a disaster were to occur, the courts would determine the liability of the corporation by weighing the actual loss and magnitude of the harm, against the cost of protection undertaken by the company. If a company is bound to lose a lot of money as a result of an interruption to its computerized processing, the courts would take a dim view of it if it failed to implement a strategic recovery plan to restore the computer systems promptly. A few statutory obligations that companies have to keep in mind are –
- Indian tax law requires some accounting and tax records to be maintained for a period of 6 years from the end of the relevant year. Rule 6F of the Income Tax Rules, 1962 has prescribed these books to be maintained under Section 44AA of the Income Tax Act, 1961.
- Section 25 of the PDP Bill 2019 requires every data fiduciary to inform the Data Protection Authority of India by a notice about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal. Whether the breach took place due to a fault on the part of the data fiduciary or not is of importance.
- Liability of corporate entities and compensation for failure to protect data under Section 43A of the Information Technology Act, 2000.
Thus, to reduce or to avoid liability under the above-mentioned sections, a company must show that it took a reasonable approach to disaster recovery and ensured that the fundamental standards of care were upheld by it.
4. A well-planned disaster recovery plan predicting the cost of such recovery
An e-contract that contains a well-planned disaster recovery plan will also predict the cost of such recovery. If and when a disaster were to strike, the company would adopt different measures to tackle disasters of different natures, the cost of which would be predetermined in the contract. This would save it from the additional costs incurred through lack of time and planning. To accomplish these goals, two critical aspects of planning must be adhered to –
- Due diligence – This requires a company to run an analysis of potential threats that could harm its IT systems and maintain these systems in optimal condition.
- Meet the fundamental standards of care – A company must seek innovative solutions that will guarantee business continuity and focus on cybersecurity. It must invest in taking reasonable care for data protection. On-time updates and opting for more effective hardware and software such as adopting a cloud-based data management system instead of a local storage one can save a lot of money for the company in the long run.
5. Greater customer retention
Customers are the key to any corporation’s success, and today they expect nothing short of perfection and reliability. Disaster planning enables businesses to maintain high service quality and integrity. Reacquiring an old customer in the aftermath of an IT disaster can be close to impossible, and businesses that rely on each other can suffer a chain reaction of customer loss. By assessing all the potential threats and showcasing recovery strategies and compliance measures in a DRM clause, customers are assured that even in unfortunate circumstances they will still be provided with adequate services and will not have to look for alternatives. As a result, sustainable customer retention is a benefit of adding a disaster recovery plan to e-contracts.
6. Increased employee productivity
A disaster recovery plan must prescribe exact roles, as clarity in high-stress situations has proven most beneficial for reaching the end goal quickly. If employees are trained in advance to detect, assess and address any kind of disaster, unwanted confusion is eliminated and their productivity while managing the disaster increases. Such training and procedures must be mandated in their employment contracts under the DRM clause. This also helps in holding employees accountable for their actions, so that the management can take suitable corrective measures. A disaster recovery clause in an employee’s e-contract should include the following –
- Description of employee’s responsibility for back-up and record protection.
- Provision for maintenance of disaster recovery and business continuity plans.
- Provision for mandatory training and review sessions for disaster recovery.
- Provision for employees to provide a copy of the contingency plan that describes required operating procedures in event of business disruption in their department.
- Provision for timeframes that meet the institution’s requirements.
- Liability clause for disrupting business procedures.
7. Claiming insurance in the event of a disaster
A corporation making an insurance claim in the event of a disaster will be scrutinised for acting reasonably and adhering to all the prudential norms mentioned in the company’s insurance contract. Directors and officers of a company have a fiduciary responsibility to ensure that they used good judgment and that their actions did not cause any harm to the company. The general rule is that where a contract is expressed in writing, oral evidence is inadmissible to explain or vary the terms of the written contract. Thus, when a company includes a DRM clause in its contract and acts in accordance with all the prudential norms set out in that contract, it will be deemed to have acted reasonably and can claim such insurance. One of the Supreme Court decisions laying down this principle is United India Insurance Company Limited v M/s Orient Treasures Private Limited, which held that when the terms of a policy are clear, plain or unambiguous, and reasonably susceptible to one meaning, the courts are bound to give effect to that meaning irrespective of the consequences.
8. A better understanding of scalability
Disaster recovery planning begins with thorough research and a comparison of all possibilities. Businesses that engage in such a strategic process can quickly uncover a data storage solution that makes far more sense than the one currently in use and that can be tweaked on the go. Technologies like cloud-based data storage and backups simplify archive maintenance, enhance the effectiveness of backups and reduce the cost of disaster recovery. Moreover, incorporating DRM clauses in vendors’ e-contracts for providing backup facilities can help in determining third-party liability in cases where data is completely lost from all servers and the company is the primary data fiduciary.
Implementing a disaster recovery plan is a tactical, moral, and legal obligation that corporations must undertake. The expenditure of every competitive corporate entity on technological developments is a clear indication of our world’s reliance on technology; for the same entities not to invest in disaster recovery planning should amount to corporate negligence. Including it in e-contracts not only prepares a corporate entity to recover in the aftermath of a disaster but also gives it a holistic approach that makes it more resilient and profitable.