The widespread technology outage on July 19, 2024 highlighted major potential issues that can arise when service providers rely on technology to provide critical services. The effects of the outage were felt by critical service providers across numerous industries, including airlines, banks, public transit, healthcare, and media. Because we live in a world that is increasingly reliant on technology, if a critical piece of technology fails or introduces a flaw to a system that relies on that particular technology, it can have extreme consequences, as many experienced on July 19.
While it is difficult for technology providers to ensure something like this will never happen, there are a few things both providers and service recipients can do to address the possibility of this type of event happening and provide a framework under which to mitigate and eventually remedy the effects of such an event.
Require Multiple Levels of Testing and Transparency
A contract should not only include language regarding service levels and remedies, but also require that technology providers (1) have procedures in place to test updates to critical software in a separate environment so that any potential issues can be identified prior to full deployment and (2) provide recipients with a clear understanding of how software and updates are tested, as well as how they are integrated and implemented into their service offerings. While system backups are often automatic, greater consideration should be given to any automatic deployment of updates to mission-critical software or services.
Service Levels and Potential Workarounds
When contracting for software that will be integrated into a critical service offering, the contract should provide service levels—including provisions for ensuring that (1) the software and any updates will continue working with the service offering in the same way and (2) testing and upgrades will be carried out in accordance with agreed upon processes—and financial and other remedies for failure to meet such service levels.
Businesses should also consider developing their own (or requiring the provider to develop) procedures for ensuring critical processes can still be performed despite the failure of the technology. This may include being able to quickly switch to prior versions or removing the software or update at issue. That said, once the overall system is affected, it may take a significant amount of time to get the systems back up and running even if the failure is quickly remedied.
Liability and Limitations
The potential for liability and business losses where a piece of software is part of a critical product or service can be daunting. That said, the allocation of responsibility for the failure of such software or such software causing the failure of the critical product or service should be carefully considered. Similar to how exceptions to limitation of liability for critical breaches (e.g., a data breach) are handled—although parties are not likely to agree to unlimited liability for such failure—the parties should consider “super caps” (i.e., caps well above any standard limitations of liability) and insurance to cover such critical breaches.
Disaster Recovery and Business Continuity
Finally, businesses providing critical services should have disaster recovery and business continuity plans in place. The recent outage serves as a timely reminder of what can happen when even a minor failure occurs within a critical system. Having comprehensive (and tested) disaster recovery and business continuity practices in place is an important and necessary piece of the puzzle to ensure a stable infrastructure for the provision of critical services when using technology.