Technology company Btec is pursuing a 65 million Norwegian kroner claim against its IT service provider Nordlo in the Gulating Court of Appeal. Btec alleges that Nordlo's inadequate security measures directly contributed to a severe cyberattack that caused substantial financial losses. This appeal marks the second time the two companies have faced each other in court over the incident.
The dispute stems from a sophisticated ransomware attack that crippled Btec's operations in late 2021. The attack encrypted critical data and systems, leading to significant downtime, operational paralysis, and extensive data recovery efforts. Btec asserts that its contract with Nordlo included comprehensive cybersecurity responsibilities, which Nordlo failed to uphold. The technology firm points to several alleged security deficiencies, including a lack of multi-factor authentication across key systems, outdated patching protocols, and insufficient intrusion detection and response mechanisms. Btec also claims Nordlo did not adequately verify the integrity and recoverability of backup systems, exacerbating the damage when the primary systems were compromised.
Btec's legal team argues that Nordlo, as a specialized IT provider, had a professional duty to implement and maintain robust security safeguards appropriate for the digital threat landscape. They contend that Btec relied on Nordlo's expertise for its IT infrastructure and security, and Nordlo's alleged negligence constituted a breach of contract. The initial district court ruling, while acknowledging the attack, did not fully assign liability to Nordlo for the entire claimed amount, prompting Btec's decision to appeal and seek full compensation for its losses.
Nordlo, in its defense, maintains that it fulfilled its contractual obligations and that the cyberattack was an exceptionally sophisticated event that could not have been entirely prevented even with industry-standard measures. The IT provider argues that Btec also bore some responsibility for its internal security practices and adherence to recommended protocols. Nordlo's lawyers suggest that the scope of their liability is limited by the service agreement and that Btec's claimed losses are exaggerated or not directly attributable to Nordlo's actions. They emphasize that cybersecurity is a shared responsibility, requiring active participation from both the service provider and the client.
The 65 million NOK claim encompasses a range of damages, including lost revenue during the operational downtime, costs associated with forensic investigations, data recovery efforts, system rebuilding, and reputational harm. The outcome of this appeal could establish significant precedents for how courts assess liability between clients and their IT service providers in the event of cyberattacks. It highlights the critical importance of clearly defined contractual terms and shared responsibilities in managing cybersecurity risks within outsourcing agreements.
The Gulating Court of Appeal is now tasked with re-evaluating all presented evidence, contractual agreements, and expert testimonies. The court will determine whether Nordlo's actions or inactions constituted a breach of duty or contract, and if so, the extent of its financial liability for the damages suffered by Btec. The proceedings are closely watched by the IT industry, as the ruling will likely influence future contracts and risk management strategies for technology companies relying on external IT expertise.
Source: digi.no