Is Transnet still liable for cyberattack damages?
by Nikita Theodosiou. Can Transnet be held liable for damages suffered due to the cyberattack, despite having declared a force majeure?
The recent ransomware cyberattack that crippled Transnet Port Terminals’ (“TPT”) ICT systems and forced the port operator to resort to manual systems, prompted the second force majeure declared by TPT in the space of a month.
This unfortunate event closely followed the civil unrest, looting and widespread violence that plagued the nation following Jacob Zuma’s imprisonment, which prompted TPT to declare the initial force majeure on port operations. Halting port operations can have disastrous effects on an already struggling economy. To add fuel to the fire, the general public’s confidence in TPT has been dwindling due to the World Bank placing the performance of South Africa’s Cape Town, Durban, Port Elizabeth and Ngqura ports in the bottom five out of a list of 351 global ports in its Container Port Performance Index 2020 report, which was released in May of this year.
What does it mean to declare a force majeure?
A force majeure clause is often included in commercial agreements to provide for the situation where an extraordinary event or circumstance occurs, which is deemed to be beyond the control of the parties, such as: a war, strike, riot, crime, plague, or an ‘act of God’ (a hurricane, flood, earthquake, volcanic eruption, etc) or even a cyberattack; and which prevents one or both parties from fulfilling their obligations under the contract. Where such an event occurs, invoking the force majeure clause has the effect of absolving both parties of their obligations and associated liability for the time period during which the event persists.
In most instances, the force majeure clause won’t excuse a party’s non-performance entirely, but rather it will suspend it for the duration of the force majeure. A key question to be asked: is it objectively impossible for a party to fulfil its obligations under the contract?
The onus is on the party that alleges that its performance has become impossible due to the force majeure to prove that the event was not within its reasonable control. Hence, there must be a causal link between the force majeure and the failure to perform. It should also be borne in mind that whilst a party may be excused from its obligations under the contract while the force majeure persists, there is usually an obligation to use all commercially reasonable efforts to alleviate and mitigate the cause and effect of the force majeure, and to resume performance of its obligations as soon as it is reasonably able to do so. Any procedure set out in the agreement for sending a force majeure notice to the other parties would need to be followed in full.
What are the implications for Transnet?
All contractual obligations would be suspended for the time period during which the force majeure persists so TPT would be absolved of liability for the non-performance/the sub-standard performance of its contractual obligations for the duration of the cyberattack (which spanned the period from 22 July to 2 August 2021). TPT has reportedly put mitigation measures in place to ensure operations at the container terminals are still running, albeit slower than expected. Among the measures is the use of manual systems in the loading and discharge of containers.
Thereafter, once the force majeure is lifted (with effect from Monday, 2 August 2021), all contractual obligations would resume and all parties would be required to perform accordingly. It will remain to be seen whether Transnet will be fully operational and be able to fulfil all of its obligations now that the force majeure has been lifted; or whether the havoc caused by the cyberattack will have a resulting, negative effect on its current operations.
The pertinent question is: can the cyberattack really be deemed to be beyond the reasonable control of TPT? A number of cyber security experts have weighed in on this question and expressed their opinion that the breach of TPT’s online data could have been prevented if Transnet had adequate defence systems in place. Based on various reports, it appears that it was a malware attack, with “Death Kitty” ransomware having been planted on TPT’s IT systems. Ransomware attacks of this kind are generally considered objectively difficult to defend against.
However, it would appear that TPT has poor cybersecurity practices in place which may have contributed to the compromised position that they found themselves in following the cyberattack. TPT has also displayed a lack of business continuity and IT disaster recovery plans. The communication released by TPT has indicated that they were working on manual processes whilst most of their IT infrastructure was offline. This suggests that they were not sufficiently prepared to manage the risk; that their cybersecurity programme is immature; and that they didn’t have the necessary controls in place to assist in the recovery of their compromised IT systems.
Could Transnet find themselves in hot water?
- With respect to loss of income/ damages suffered: If, on inspection, it can be determined that TPT was negligent in that it did not have adequate defence systems in place to the extent required/ to the extent reasonably expected of a State-Owned entity that has the mammoth task of managing the nation’s rail, port and pipeline infrastructure, then it should not be absolved of all liability occasioned by its failure to perform as contracted. A determination of this sort could potentially give rise to delictual actions being brought against Transnet for damages suffered along the supply chain due to its negligence, its failure to mitigate losses effectively and its failure to fulfil its contractual obligations. [A delict occurs when one party commits a wrong against another.]
- With respect to the data breach: Interestingly, the cyberattack was orchestrated soon after the Protection of Personal Information Act (“POPIA”) came into full force and effect in South Africa on 1 July 2021. The hackers allegedly left a ransom note claiming that they had encrypted TPT’s files, including a terabyte of personal data, financial reports and other documents. The note reportedly instructed TPT to visit a chat portal on the dark web to enter negotiations. However, TPT claims that no data has been compromised. If, upon investigation into the data breach, the Information Regulator finds that the ICT and defence systems that TPT has in place are insufficient to protect the personal information of Data Subjects in accordance with the provisions of POPIA, the Regulator may opt to set an example to other entities by imposing a fine on Transnet to the value of R10 million or imprisonment of Transnet’s Information Officer for up to 10 years (the latter being less likely).
- With respect to reporting obligations: Senior management at TPT would be obligated to report the extortion to the police official in the Directorate for Priority Crime Investigation (DPCI) in accordance with the Prevention and Combating of Corrupt Activities Act. Failure to report accordingly is an offence, punishable by a fine or up to 10 years imprisonment.
Cyberattacks are bound to happen as hackers are becoming more and more sophisticated by the day, so the expectation cannot be for entities to have ICT and defence systems in place that are so sophisticated that they are immune to hacks. However, what is expected in accordance with the principles of good corporate governance, the King IV code and POPIA, is that entities take all reasonable steps to ensure that their cybersecurity practices are robust enough to protect their IT infrastructure in so far as possible within the means available to them. It follows that emphasis should be placed on implementing carefully considered disaster recovery procedures in order to mitigate the risk and the extent of data breaches, to safeguard the personal information that they process and to prevent, or limit, the disruption of their services.
Whether TPT acted reasonably or negligently in the circumstances would need to be determined by a court of law or the Information Regulator in the event that the matter comes before either of them in the near future.
Nikita Theodosiou is an Associate at Consilium Legal, a boutique legal and business advisory.