IT claims and disputes continue to increase in size and complexity. While the risks of technology project failures and cyber-attacks are well understood, litigation resulting from them is increasingly common. In addition to these known risks, last year also saw a new appreciation of the risk of claims and losses arising from IT system failures that result from non-malicious causes, with the global effects of the CrowdStrike IT outage that affected millions of Microsoft users.
We are seeing an increase in IT disputes and litigation in the following areas in particular:
- IT project disputes where the customer claims that promised solutions are not delivered or achieved, estimates or budgets are exceeded, or requirements change
- The fallout from the effects of cybercrime, which can result in a complex web of claims between affected parties and further complexities from their insurance claims
- Disputes arising from inappropriate IT subcontractor arrangements
- Very substantial claims, including ‘class actions’, arising from breaches of privacy as a result of data breaches (which may result from cybercrime or innocent errors)
- Early indications of an increase in regulatory investigations arising from regulated entities’ IT failures affecting their customers
Drivers behind the increase in IT disputes
The rise in IT disputes is partly due to the growing complexity and integration of technology solutions and the process of designing and building them to meet the needs of particular organisations. System failures and data breaches often have significant consequences, leading to disputes over responsibility and cost. Delayed, over-budget, or failed IT projects can severely impact business operations and financial performance, leading to litigation.
Technology underpins almost every aspect of business operations, and contracts that govern the supply of technology services and solutions are critical. As the stakes increase, the likelihood of disputes arising from failures and problems increases as well. We are seeing disputes arising from poorly thought-out projects, unclear performance obligations, ambitious promises, ambiguities in change management processes, termination rights and other causes.
Well-drafted IT project contracts are crucial for avoiding disputes. Even then, terms agreed at a project’s inception may become inappropriate as requirements and expectations change. This can lead to disputes, particularly where expectations were unrealistic, solutions were overpromised or the scope is poorly defined. Additionally, hasty contract terminations or a failure to comply with the contractual variation approval process can result in claims and disputes, including claims of repudiatory conduct that may bring a contract to an end.
A relatively new development is an increase in claims where there are assertions of misrepresentations or misleading conduct, often made after projects have gone off-track or system failures have occurred.
In the financial services industry, an uptick in regulatory scrutiny further increases the risk. For example, the Financial Markets Authority (FMA) now imposes a standard licence condition upon licensed entities that specifically requires them to maintain appropriate IT systems to ensure that customers’ needs are met. Additional obligations, including director responsibility, are imposed upon organisations that provide critical banking systems.
More generally, companies that operate across multiple jurisdictions may find themselves embroiled in cross-border disputes or needing to adapt their contracts to meet higher compliance standards and obligations, such as data protection requirements and cyber breach reporting.
We are seeing some key types of disputes
Software implementation failures
While IT disputes have always arisen from software solution implementation failures, project delays and overspends, these appear to be increasing. We see this as likely due to the increasing number and importance of IT systems and projects. Issues generally arise when an organisation engages a vendor to deliver a solution, only to find that the final product falls short of expectations. Disputes normally centre on whether the vendor delivered the agreed specifications at all, or on time and on budget. The supplier’s response is typically that the issues arose, or were exacerbated, by the customer’s failure to provide sufficient and timely information and assistance during the process. The involvement of third-party subcontractors appears to be on the increase, with growing specialisation and products supplied by suppliers who may not themselves manage large-scale projects, which complicates claims and disputes further. Disputes arising from these issues are often very complex and expensive to litigate because of the number of relevant issues and documents and the number of parties involved.
Misrepresentation claims under the Fair Trading Act 1986
Claims arising from IT projects have usually been framed as breaches of contract, but increasingly they are also brought as misrepresentation claims. We are seeing an increase in claims under the Fair Trading Act for misleading and deceptive conduct alongside more typical breach of contract claims. Promises to a customer about system performance and cost during the procurement phase may prove to be unrealistic, particularly where the customer’s requirements are not well understood at the outset and prove more challenging or complex than expected. Sales teams may speak of systems as providing functionality “off the shelf”, being “fully integrable” with the customer’s legacy systems or offering “state-of-the-art security” without adequately defining these terms or explaining any risks or reservations, which increases the likelihood of disputes and claims.
One reason for the increase in misrepresentation claims is that claims under the Fair Trading Act provide an opportunity to circumvent contractual exclusions and limits of liability that are normally found in vendors’ IT project contracts. A recent example of this was a successful claim by the Department of Corrections against its IT system provider following the cancellation of a project to replace its human resources management system. The prime contractor was found liable to the Department for its wasted project costs but was able to recover only part of its liability from its subcontractor, which had limited its own liability in its subcontract [2].
Where a contract purports to contract out of the supplier’s obligations under the Fair Trading Act, there will usually be an issue as to whether that was fair and reasonable, whether any rights have been waived [3], and whether the exclusions should apply to all claims. These issues were tested in the IT context in the Department of Corrections case. In that case, the Court held that a limitation of liability was fair and reasonable in relation to the costs of software design and implementation, but not for the cost of a software licence agreement, primarily because the Judge viewed the latter as a windfall for the subcontractor.
Cloud service agreement disputes
Another increasingly common area of dispute involves cloud service agreements. As organisations increasingly migrate their IT requirements to the cloud, they rely on cloud services providers to ensure the security and availability of their data. Data breaches or service outages, both localised and small-scale or global events such as the recent CrowdStrike outage, can lead to significant claims and conflicts. Where a cloud provider’s terms limit liability to the cost of the service, a business suffering substantial losses due to a data breach may find itself with limited recourse. Providers may also change or vary their terms during the course of the contractual term without clearly notifying the customer, resulting in disputes as to what the relevant contractual provisions are.
Cybercrime
Cybercrime continues to increase, as do claims and disputes arising from cyber events. Cyber criminals appear to be increasingly sophisticated, taking more time to search systems for the most critical data and to strike in the most effective way. Often this will involve the threatened or actual release of sensitive customer data. A recent example is the cyber-attack upon major Australian health insurer Medibank, which has resulted in two class actions against it on behalf of customers whose sensitive health data is claimed to have been released following the attack. These claims can involve millions of customers, which greatly expands the financial risk and the opportunity for lawyers and litigation funders to become involved in bringing and supporting claims.
Claims arising from the effects of cybercrime can be very complex. As well as the web of claims between the victim organisation, its customers, and the service providers who supplied the relevant IT systems, each of these parties will have its own insurers and may hold a number of relevant insurance policies. Unravelling and resolving these disputes can be very difficult.
A typical example is the recent attack upon Lehigh Valley Health Network in the US, whose refusal to pay a ransom led to a data breach in February 2023 and the release of cancer patients’ sensitive medical information, including photographs. Unsurprisingly, a class action was filed on behalf of the affected patients, and a settlement was agreed resulting in payments totalling USD65 million. More recently, in August 2024, Microsoft systems in New Zealand including Outlook and Teams faced disruptions and were unable to operate due to a distributed denial-of-service cyberattack.
Innocent IT failures
Innocent IT failures can also result in substantial claims. One of the largest IT outages in history occurred on 19 July 2024, when the global cybersecurity company CrowdStrike released a faulty software update which caused widespread IT system outages by rendering approximately 8.5 million devices running Microsoft software unusable. Although a fix was quickly provided, the fault rendered computers unavailable and the fix typically required IT professionals to intervene, which prolonged the resulting downtime. The issue affected only about 1% of Microsoft customers, but the impact was severe because many of those affected were critical service providers. Banks lost access to payment systems, airlines were forced to ground flights, and hospitals had to revert to manual processes. This caused flow-on losses to many other businesses and organisations. Delta Airlines is reportedly seeking to recover losses from CrowdStrike in the vicinity of USD500 million, although CrowdStrike has applied to have this claim dismissed on the basis of the clauses that limit its liability and provide a maximum cap for damages claims. These claims may fall through the cracks of traditional insurance policies, which tend to focus upon cybercrime events.
Financial markets
Financial services regulators are also increasingly issuing warnings about their expectations of regulated entities in relation to the resilience and cyber security of the IT systems that are essential to protecting their customers. The FMA conducted a thematic review of the cyber resilience of FMA-regulated operators in 2019, and subsequently introduced new standard conditions for fully licensed financial advice providers (FAPs) as part of the change in the financial advice regime under the Financial Services Legislation Amendment Act 2019. More recently, the Financial Markets (Conduct of Institutions) Amendment Act 2022 (CoFI Act) will impose a standard licensing condition that licensed entities “make sure that their critical technology systems are operationally resilient”.
In July 2022, the FMA finalised six standard conditions for financial institutions. The CoFI Act comes into force in March 2025, by which time all registered banks, licensed insurers and licensed non-bank deposit takers in the business of providing relevant services must have a financial institution licence. Like the standard conditions for FAPs, Standard 5 focuses on business continuity and technology systems. It requires licensees to maintain a business continuity plan and the operational resilience of technology systems where their disruption would materially affect the provision of services or other licensee obligations. Licensees’ business continuity plans and technology systems must comply with their fair conduct programme.
Artificial intelligence
The adoption of artificial intelligence in almost every industry is likely to introduce performance issues, particularly where processes are algorithmically driven without human involvement, vendors cannot be certain of how AI algorithms work, and/or the AI product ‘hallucinates’ an output. Additional issues will likely arise in relation to data protection, copyright infringement or ownership, the allocation of risk and liability, and substantiation of claims about a company’s use of AI – known as “AI washing”.
Dealing with the increase in IT and cyber claims
Disputes involving technology often raise unique and sometimes unprecedented questions. They will remain a significant risk for IT companies and their customers as technology continues to evolve. Who succeeds will depend on the specific facts of each case, including relevant contract requirements, whether any relevant promises or representations were appropriately qualified and whether the relevant contracts include clauses purporting to exclude or limit liability. Organisations may avoid much of the burden of the increase in litigation by being aware of the risks, by investing in their contract processes and building checks and protections into their pre-contract processes to avoid making actionable representations.
Footnotes:
[2] Chief Executive of the Department of Corrections v Fujitsu New Zealand Limited & Anor [2023] NZHC 3598. Our firm acted for the third party in this proceeding.
[3] This was the case in CBL Insurance Ltd (in liquidation) v Harris [2021] NZHC 1393, in which the High Court upheld a limitation of liability clause.