On July 19, 2024, CrowdStrike, which is widely regarded as a leading global provider in the cybersecurity field, released an update for one of its security products. This update had a defect which caused an IT outage which has been described as the largest IT outage in history.[1] In response to this unprecedented event, Fasken’s Information Technology team is producing a series of bulletins detailing how organizations can manage legal risks associated with IT outages.
Introduction
The risk of critical system outages poses significant challenges for both service providers and customers in outsourcing and other technology services arrangements. After COVID, supply chain disruptions, and several high-profile outages, the potential for these disruptions has made force majeure clauses a renewed focal point in contract negotiations and risk management. In this bulletin, we delve into the implications of IT outages as it relates to force majeure clauses and the considerations for service providers and customers when drafting or negotiating these clauses.
Overview of Considerations for Force Majeure Clauses
The contract drafting commentator Ken Adams describes force majeure classes as providing “that if something sufficiently bad happens that isn’t under a party’s control, it would be appropriate to suspend performance.[2] These events typically include natural disasters, war, labour strikes, and other disruptions beyond the control of a party. With the increasing reliance on technology, IT outages can be as disruptive as any natural disaster,[3] and the failure of IT infrastructure or services can lead to significant losses and operational disruptions. In this context, force majeure clauses balance the risk of breach of contract by the service provider against the risks to the customer from its reliance on the service provider.
Legal analysis of force majeure clauses often hinges on (i) the wording of the force majeure clause and its enforceability and (ii) the possibility of invoking the common law doctrine of frustration and similar doctrines.[4] Enforcement of a force majeure clause requires that: (a) there be a causal link between the event and the impairment of contractual performance; and (b) there be a sufficient level of impairment of a party’s performance to trigger the clause. For example, failure to pay under a contract caused by a total system outage may be excused (though often service providers will seek to exclude customer non-payment from the force majeure clause), whereas a partial outage may not warrant excused performance. Case law varies on what constitutes a sufficient level of impairment.[5]
A well-drafted force majeure clause in a technology contract will protect against both specific and general circumstances. For instance:[6]
“A party will not be liable for failure to perform its obligations to the extent caused by any circumstances or event that was not caused by the party and that was beyond its reasonable control [(other than [*]) /, including [*]] (“Force Majeure Event”) if : (a) the party uses reasonable efforts to perform and to resume performance of those obligations and to limit damages to the other party; and (b) the failure to perform is not caused by the party’s failure to: (i) take reasonable measures to protect itself against the same or similar circumstances as the Force Majeure Event; or (ii) maintain a reasonable contingency plan to address the same or similar circumstances as the Force Majeure Event.”
While it is important to properly define the circumstances where a force majeure clause is meant to apply, it is equally important to consider and outline cases where it should not apply. In this regard, provided no fault lies with either party, a court may excuse performance if performance of the contract becomes a thing radically different from that which was undertaken by the contract.[7] However, reliance on equitable remedies under common law is much less predictable than a well-drafted force majeure clause.
Service Provider and Customer Perspectives
For service providers, IT outages can hinder the ability to deliver services, leading to breaches of contract and to customer remedies under service level agreements. When negotiating force majeure clauses with customers, service providers will generally seek to define force majeure events as all circumstances beyond the service provider’s reasonable control, ensuring that all events caused by external factors are captured by the definition. Service providers should also consider mitigation strategies, such as disaster recovery plans and redundancies, that can reduce the likelihood of outages and minimize their impact. It is equally critical to stipulate notification procedures and any relief from performance or penalties that may apply under force majeure conditions.
Customers, on the other hand, will generally seek assurance that service providers have robust systems in place to manage and recover from IT outages and that service providers will take reasonable precautions to avoid outages caused by outside events. Customers may push for narrower force majeure clauses that limit force majeure events to a closed list of circumstances and that specifically exclude certain foreseeable and preventable IT issues, thereby holding service providers to higher standards with respect to system maintenance, disaster recovery, and outage mitigation. Customers should also ensure that contracts include obligations for service providers to mitigate the impact of any outages and to resume performance as quickly as possible. Additional remedies may also be considered. To the extent a customer is unable to negotiate exclusions to the application of a force majeure clause, it should consider alternate measures to mitigate the risks from such events occurring. Where the parties land is a matter of negotiation, which is often impacted by the nature and level of service that is being provided.
Invocation Procedures and Mitigation Efforts
In the event of an IT outage, the party seeking to invoke relief under the force majeure clause should be required to adhere to specified procedures, such as providing timely notice and evidence of its efforts to mitigate the impact of its non-performance. Both service providers and customers must be prepared to document the cause of the outage or other non-performance, its effects on contractual performance, and the steps taken to resume normal operations and performance.
For both customers and service providers, force majeure clauses should be drafted in tandem with business continuity plans. Contracts must address scenarios where backup systems or alternative solutions can be employed to continue operations. A thorough force majeure provision anticipates different levels of outages and aligns with the contingency strategies of the parties.
Conclusion
The integration of IT into every facet of business operations has made the consideration of outages in force majeure clauses more crucial than ever. Service providers and customers must recognize their respective risks and negotiate force majeure provisions that provide clarity, fairness, and resilience. As technology continues to advance and the risk landscape evolves, contracts must be adaptable, anticipating new challenges and ensuring that both parties properly address the risks of events outside of their control.
[1] A Series: Managing Legal Risk Associated with IT Outages Through Contracting Best Practices
[2] Force Majeure in the Time of Coronavirus: The Underlying Concepts and How to Express Them Clearly
[3] As a result of the July 19, 2024 CrowdStrike IT outage, flights were grounded, hospital operations were postponed, and government systems shut down, among other impacts felt across the business and consumer landscape.
[4] Depending on your common law jurisdiction, the doctrine of frustration may also be known as the doctrine of impossibility, impracticability, or frustration of purpose.
[5] Certain court decisions suggest the standard is one of impossibility to perform while others have set a lower threshold such as “real and substantial problems” rendering performance commercially unfeasible (see Braebury Development Corporation v. Gap (Canada) Inc., 2021 ONSC 6210 (CanLII) at para 8; Services Ricova inc. c. Ville de Chambly, 2022 QCCA 1599 (CanLII) at para 6; Atcor Ltd. v. Continental Energy Marketing Ltd., 1996 ABCA 40 (CanLII) at para 11; Liddell v. Mousavi, 2024 ONSC 6431 (CanLII) at para 40. Generally, the fact that performance is simply more difficult or more expensive will not be sufficient to trigger a force majeure.
[6] See also Revisiting My “Force Majeure” Language (With Yet More Changes)
[7] See Naylor Group Inc. v. Ellis-Don Construction Ltd., 2001 SCC 58 (CanLII) at para 53-55; Interfor Corporation v. Mackenzie Sawmill Ltd., 2022 BCCA 228 (CanLII) at paras 65-66; Liddell v. Mousavi, 2024 ONSC 6431 (CanLII) at paras 40,42. The interpretation and enforcement of force majeure clauses may vary based on the governing law of the contract. Parties must be aware of the jurisdiction-specific legal standards that may influence the applicability and scope of force majeure provisions. For instance, although some civil law jurisdictions recognize similar principles to the doctrine of frustration, legal tests may vary for allowing for extinguishment or suspension of obligations.
