AS COURTS INCREASINGLY HOLD FIRMS LIABLE FOR LOSSES CAUSED BY COMPUTER FAILURES, RECOVERY CAPABILITIES ARE FAST BECOMING A...

Legal Necessity

 



By Kevin P. Cronin


The business reasons for contingency planning—avoiding financial losses, negative publicity, loss of market share—are the most immediate and most important. Obviously, you want to get up and running to minimize your losses. But there is another compelling reason for business resumption planning: legal necessity. You may be required to have it whether you know it or not.
There are three situations where contingency planning and disaster recovery capability are legally required or prudent.
The first is where a law, statute or regulation requires a business to have disaster recovery capability.
The second situation is where a contract requires a business to have business recovery capability.
The third area is what lawyers call the “common law,” which is contained in court decisions and which may require some businesses to have business recovery capability.

Statutory Requirements

There are thousands and thousands of laws. The Internal Revenue Service code and the federal code together fill about 50 feet of shelving.
Federal laws often are the most important. The Comptroller of the Currency and the Federal Reserve, for example, require banks to develop disaster recovery plans and continually test and reassess those plans.
Banks, in fact, were some of the earliest converts to the business recovery religion. For over a decade now, banks have been required to have disaster recovery plans. To make disaster recovery a high priority issue, banks must have as agenda items at their annual meetings a discussion of how they are meeting their disaster recovery planning needs.
In addition, the federal Securities Exchange Act of 1934 requires publicly held companies to maintain books and records that accurately reflect their affairs. And even if your company is not publicly traded, the IRS wants you to keep accurate records. Eventually, most businesses are audited, and when the IRS comes knocking, you may be required to produce business records going back three or more years. If the IRS suspects fraud, they can go back 10 years or more. There is no statute of limitations for tax fraud.
If you have lost your backup financial data because of a fire or flood or some other kind of disaster, you can ask the IRS to take your word for it. Don’t bet on it, though.
States have their own regulations affecting business resumption planning. Some states, especially California, require businesses to be prepared for certain recurring natural disasters, such as hurricanes, earthquakes, or floods.

Contract Requirements

All businesses have contracts, and some contracts require suppliers to perform, come hell or high water.
Banks, insurance companies, large manufacturers, and other sophisticated businesses already know the importance of business resumption planning. Many have been practicing this discipline for five or 10 years, and they do not want to be the weak link in their business chain. They do not want to go down because a supplier failed to deliver after a disaster. Often, they contractually require that their suppliers have business resumption capabilities. So if you want to do business with big companies, you may have to have business resumption capabilities.
Government agencies often have the same requirements. Many government bid requests (“RFPs” or “RFBs”) now require evidence and some contractual guarantees of a bidder’s recovery capability. If you want to bid successfully, you had better provide evidence of that capability.
Some insurance companies now provide discounts for companies that maintain effective business recovery planning programs. The discounts are usually for business-interruption insurance. They give you a break because of your disaster recovery capability.
Eventually, more and more insurance companies are going to mandate that their customers have business recovery capabilities in order to get insurance.
But remember: Business recovery capability is not insurance. Disaster recovery agreements and insurance policies may be triggered by similar types of events, but their purposes are completely different. Disaster recovery aims at minimizing the downtime resulting from disaster. Insurance reimburses, or indemnifies, businesses for certain losses resulting from disasters. Relief comes sometimes weeks, or months, or even years after the loss occurred, instead of within hours.

Common Law

The common law is a thicket of legal rules that have grown out of court decisions and very old laws. A good portion of the law of negligence and fiduciary responsibility, for example, arose out of the common law.
What does this 200-year-old body of law have to do with modern business? Under the common law, your business may have certain fiduciary obligations and “duties of care” to its customers and shareholders.
Plaintiffs’ lawyers can be amazingly creative in crafting high standards of care for businesses—whether medical practices, manufacturers, construction companies, or whatever. And these duties can involve having a contingency plan and disaster recovery capability.
Regardless of whether a company is privately held and has just a few shareholders, or is publicly held and has thousands, most jurisdictions require directors and officers of corporations to exercise what is called “good business judgement.” That is a legal term of art that is used a lot in litigation. Good business judgement extends in some circumstances to disaster recovery.
Let’s say, for example, that a manufacturer suffers a catastrophic loss of its data center, losing its records of receivables and delaying thousands of orders. The business has an obsolete contingency plan and, as a result, is unable to recover quickly from the disaster. The business loses megabucks.
The shareholders, feeling the business has been mismanaged, want to get their money back. So they file a “shareholders’ derivative suit” against the officers and directors of the business, alleging that they failed to exercise good business judgement in failing to have a current disaster recovery plan, resulting in the huge financial losses. Depending on the other facts of the case, the shareholders could win such a suit.
Another potential source of legal liability arises out of obligations to customers and to third parties. Even if a business is not required by statute or contract to obtain contingency planning/disaster recovery services, the current availability of such services might make a business’ failure to obtain them negligent and actionable after a disaster.
In a landmark 60-year-old case (In re the T.J. Hooper), several ships sank during a storm off of the East Coast. The vessels were not equipped with radio receivers. If they had been, they could have avoided the storm.
Despite the court’s finding that only one shipping line in the country then had fitted its vessels with radio receivers (transmitters were already common for S.O.S. calls), it found the owners of the lost vessels negligent for not equipping the vessels with receivers. The court balanced the cost of the radios, which was relatively small, against the harm that could result from not using them and decided that the prevailing custom of not having radios was negligent.
Putting this ruling in today’s context, when was the last time you heard the excuse, “Our computers are down?” The availability of reliable computer technology makes this problem less and less excusable. Likewise, the availability of disaster recovery capability makes lengthy computer downtime more avoidable, and therefore actionable.
And typical business antidotes to negligence claims—contract disclaimers and insurance—might not prevail in the case of computer disasters.
“Force majeure” exculpatory clauses, for instance, might not be so exculpatory in the case of data center disasters. Why? Because these clauses usually cover events beyond a party’s reasonable control. Because disaster recovery capability is easily obtainable, downtime due to a computer disaster is controllable, and so the clauses do not work in these cases.
Limitation (or exclusion) of liability clauses—the “no consequential damage” provision—may not be enough to protect a business either. Gross negligence, willful misconduct, and misrepresentation probably will not be absolved by any limitation or contract disclaimer.
And business insurance doesn’t always serve as a safety net. All-risk insurance may not cover downtime losses resulting from computer disaster.

Liability Trends

Since disaster preparedness liability issues are emerging slowly, lawyers must draw upon parallel situations where liability stems from failing to adopt state-of-the-art measures.
Technology law, in general, is an embryonic field. Scarcely a week passes without a Computer World article about a new lawsuit aimed at establishing some exotic application of copyright or trade secret laws or at concocting a new form of liability. Commentators have even sought to make data processing and related fields subject to a malpractice standard, like medicine and law already are.
Considering the costs of defending corporate lawsuits—much less the costs of losing such suits—business recovery planning is not just smart. It’s a bargain.
This article was reprinted courtesy of Sungard Recovery Services, Inc., Recovery Winter 1993.


Kevin P. Cronin is a corporate lawyer in the Philadelphia office of Blank, Rome, Comisky, & McCauley and is a member of the firm’s intellectual property and international law groups.

This article is adapted from Vol. 6 #2.


Disaster Recovery World© 1997, and Disaster Recovery Journal© 1997, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole or part is prohibited without the express written permission from Systems Support, Inc.

 
