Hacking attacks and data breaches are becoming an increasingly common business problem. Despite signed non-disclosure agreements (NDAs), many companies discover that the clauses on contractual penalties are unenforceable or insufficient when a security breach actually occurs. This problem has two dimensions. In a world where data is one of the most valuable assets, an imprecisely worded NDA can leave a company without real protection and without the possibility of obtaining adequate compensation; this is the direct dimension, which translates into finances. Unenforceable clauses may also be treated as an improper implementation of the adopted risk treatment plan, which is a step towards management's liability for non-compliance of the 'cybersecurity' management system.
What exactly is a contractual penalty?
A contractual penalty is one of the most popular legal solutions used to ensure a quick path to compensation in the event that someone fails to fulfill the obligations they have undertaken. The provisions contained in Article 483 § 1 of the Civil Code define such clauses as a 'stipulation concerning the method of redressing damage caused by non-performance or improper performance of an obligation.' It therefore refers to obligations arising from a concluded contract. Importantly, the penalty can only apply to events that do not concern settlements or cannot be simply 'converted' into money, so we cannot reserve it for the event of termination of the contract or a delay in payment of an invoice. This is why the regulations refer to it in the context of a so-called 'non-monetary obligation.' Wherein lies the charm of this solution?
It makes it possible to shorten the settlement process in the event of irregularities in the performance of the contract. A contractual penalty constitutes liquidated damages for the harm suffered. If a breach of contract occurs in the manner specified in the clauses on contractual penalties, the party that breached the contract pays the other party the amount specified in the contractual penalty. The accounting department issues a debit note, on the basis of which the obligation to pay arises. This is a significant facilitation compared to litigation, which requires filing a lawsuit and proving in court that one is right (and, with luck, obtaining a result several years and a great deal of money later).
Very importantly, if we stipulate a contractual penalty in the agreement for a specific event, we exclude the possibility of claiming standard compensation for that event and its consequences. In other words, the contractual penalty replaces ordinary compensation, where it is necessary to demonstrate the occurrence of damage and the causal link between the breach of contract and the value of that damage (in accordance with Article 471 of the Civil Code). This can be avoided if the contract includes a clause allowing for the pursuit of damages under general principles if the real damage is greater than the amount of the penalty stipulated in the contract. However, one must also consider the business aspect – if someone performs a service for PLN 1,000, it is rather difficult to demand acceptance of penalties and compensations that could lead to someone's house or car being auctioned off.
Why has the contractual penalty become popular in NDAs, and how is its amount determined?
An NDA is an agreement that concerns the obligation to protect information disclosed between the parties or by one of the parties. Introducing a contractual penalty into the agreement eliminates the obligation to demonstrate the amount of damage incurred – it is sufficient to prove the very fact of a breach of contract. This is particularly important in the context of confidentiality breaches, where it is often difficult to precisely estimate the value of the damage caused by the breach. Although the amount of the stipulated contractual penalty should be estimated based on the potential damage that may occur, it is not directly linked to it. According to Article 484 § 1 of the Civil Code, the penalty is due even if no actual damage has occurred. The contractual penalty is intended to have not only a compensatory effect but also a deterrent character, i.e., to discourage the other party from failing to fulfill the promises made in the agreement. However, the amount of the penalty must be reasonable, as indicated by the existence of the so-called institution of mitigation of penalty.
Under Article 484 § 2 of the Civil Code, a party may request a reduction of the amount resulting from the contract in one of two cases:
- if the obligation has been performed in a significant part,
- if the contractual penalty is grossly excessive.
In real life, this means that contractual penalties can be reduced by the court whenever they are deemed disproportionately high in relation to the damage incurred or the degree of the breach. This significantly complicates the approach to how such clauses are formulated. How does this relate to information security breaches?
What should one be careful about when creating penalties for information security incidents?
If a hacking attack occurred, but the implemented security measures prevented a data breach, would it be adequate to charge a contractual penalty of PLN 50,000, PLN 100,000, or PLN 500,000 for such a situation? Of course, it depends, because perhaps the downtime of the infrastructure or the lack of access to services provided by the entity affected by the attack did cause damage of that scale. However, it should be remembered that a contractual penalty is not a substitute for ordinary compensation in general, but covers only one part of it: the occurrence of the specific event described in the provisions on that penalty.
A penalty stipulated for the event of 'e-mail not working' cannot be charged if the HR and payroll system fails. Conversely, a penalty for infrastructure failure may be too general to hold up in court.
Why? In recent years, in their jurisprudence, courts have repeatedly pointed to the necessity of precisely formulating clauses on contractual penalties and their adequacy to the potential damage (see, for example, the judgment of the Court of Appeal in Warsaw, case no. V ACa 255/20, LEX no. 3184231, or the judgment of the Court of Appeal in Krakow, case no. I AGa 274/19, LEX no. 3192627). These judgments, moreover, reiterate the interpretation of the regulations that has appeared in case law for nearly 20 years. Therefore, lawyers drafting such provisions should be aware that imprecise clauses may lead to a situation where the contractual penalty does not fulfill its compensatory function. Thus, the perpetrator of the breach will not pay us. On the other hand, great detail risks that nuances regarding the course of events may prevent the recovery of such a penalty because the event entitling one to demand payment will not occur. Is there anything that can be done about this?
How should the description of a breach be created?
As the previous paragraphs make clear, if a contractual penalty is stipulated for the event of a data leak, and a data availability breach (server downtime) occurs instead, the penalty cannot be invoked at all. Conversely, too general a definition of the circumstances that constitute a breach of contract subject to a contractual penalty may make it impossible to apply the penalty effectively. It is therefore worth asking how to approach this issue so as to avoid as many legal pitfalls as possible.
Formulating clauses on contractual penalties should be the final stage of the risk management process. Why? Because a penalty has a specific purpose. With the high repeatability of NDA clauses, it's easy to lose sight of it. This purpose is to protect the company's security by ensuring that in the event of a specific occurrence, the perpetrator will pay an amount that covers the damage associated with that event. In the case of security management systems, the introduction of such a clause into the agreement is the implementation of a risk treatment plan that involves its total or partial transfer to another entity. Therefore, a well-prepared NDA should be preceded by a comprehensive inventory of systems and the data processed in them, in order to properly describe the event to which the penalty is to apply. Without this, signing an NDA is like playing roulette – you might hit and win, or lose time and resources. It is much better to approach these clauses like shooting at a target – set a clear goal and define success metrics.
Who should do this? It will not be possible without the cooperation of lawyers with the so-called 'business,' meaning the individuals responsible for the risk that the contractual penalty stipulated in the agreement is intended to secure. How does this look in practice? Often, a lawyer includes a penalty proposal based on a 'market benchmark' or as a specific percentage of the remuneration. Case law and legal doctrine provide guidance, but the real test always takes place only in the event of a breach.
Would you like to see guidelines on how to approach active and passive causes of cybersecurity incidents? Check out our LinkedIn publication.
This publication was prepared on the basis of the provisions of the Civil Code: the Act of 23 April 1964, the Civil Code (Kodeks cywilny) (consolidated text: Dz. U. 2024, item 1061, as amended).