Do you or your IT administrator pay if a cybercrime attack is made against your company?

Suddenly, a cybercriminal with ransomware encrypts all your files and demands a ransom. So are you responsible for the damage yourself, or is it your IT administrator? Avoid damage and lawsuits with these tips.

In 2020, a ransomware attack cost the Hof van Twente municipality €4 million. Who should pay that amount? The municipality thinks it should not have to. The IT company that Hof van Twente hired was 'in breach of contract', according to the municipality. The IT company disagrees: a Hof van Twente employee changed the password on the servers to Welkom01.  The court must now decide (in Dutch) who is liable for the damages.

IT staff member liable

This is not the first cybercrime case about who is liable. In spring 2020, the Amsterdam court ruled that an IT administrator had to pay (in Dutch) for part of the damage their client had suffered due to a ransomware attack: almost €10,000. Although the business itself had made mistakes, the IT administrator had not provided proper security, according to the court.

Their own responsibility

What do these lawsuits mean for businesses? Whatever the answer, you cannot just sit back when it comes to safety, says Bart Schermer. He is an associate professor of eLaw at Leiden University, and a partner at Considerati, a legal consultancy specialising in digital technologies and privacy. "What is interesting about the Amsterdam judgment is that the administrator does not have to pay the whole amount", he said.

Simple passwords

Indeed, according to the court, the entrepreneur did not get off completely free, Schermer says. "The IT administrator had suggested strong passwords, but had simplified them at the entrepreneur's request to make them easier to remember." That simplification made the system more vulnerable. So in this case, the entrepreneur was partly responsible, and therefore had to pay some of the damages.

Security is important

It is notable, though, says Schermer, that with this ruling, the court finds that security is an important part of IT management. Industry association Cyberveilig Nederland (in Dutch) is pleased with that, says policy adviser Liesbeth Holterman. "Many IT providers do not take sufficient measures, while the customer assumes things are fine. We saw the fact that the court in this case has ruled that the administrator was negligent as a win."

Tips on how to prevent damage

Do you want to prevent damage and lawsuits? There are a few things you should pay attention to:

Work with a good IT administrator

They should be able to configure a firewall, update systems, and arrange for robust backup facilities. Pay attention to this when you are entering into a collaboration. There is a seal of approval (in Dutch) for security companies providing certain services.

Put questions to your IT administrator

You hire someone because you do not have the expertise yourself. But keep asking critical questions: how will you handle my data? Where do you store my data? Who has access to it? Is my data encrypted, and if so, how? If your administrator cannot answer those questions, it would be better for you to find another one.

Follow the advice of your IT administrator

If you are an entrepreneur, do not play around with the security of your system, as happened in the Amsterdam case, where strong passwords were replaced by simple ones. If you give too many people access or use insecure passwords, you weaken your own digital security.

Find a provider that suits you

Is your digital system complicated, or is it small and simple? Choose an IT partner that can meet your needs.

Invest in quality

Good security costs time and money. There are the technical solutions themselves, but also, for example, insurance against cybercrime. If you are an IT administrator and your customer does not want to pay for basic security, it is better to turn down the assignment.

Make clear agreements

This might seem obvious, but it is not always so, as was shown by research carried out in April 2020 by Stichting Internet Domeinregistratie Nederland (in Dutch). In almost a quarter of cases, business owners and IT administrators have not agreed on clear arrangements for security. Record what you have agreed in a service-level agreement (SLA, in Dutch). The clearer the agreements, the better. That way, if there is an attack or a data breach, you know exactly who is responsible.

No change in the trend

Should small IT administrators worry about more lawsuits? No, not really, Schermer thinks: "The Amsterdam ruling is not a major departure from normal liability law. The IT administrator said to their client: I will take care of your entire ICT infrastructure. The moment they failed to do that as an administrator, they could be held liable." Small IT companies that do have their affairs in order probably need not fear more lawsuits.

Hacking helpdesk

Have you been hacked, or do you think you have been hacked? You will find a roadmap and practical solutions on (in Dutch) that will help you prevent further damage.