An essential feature for customers in software licensing and outsourcing arrangements is robust protection against any software that could embed and distribute malware. To address these concerns, the inclusion of a no-virus warranty has become a common expectation among customers.
A no-virus warranty is a contractual clause that commits the provider either to deliver software free from harmful code or viruses or to keep systems free from them. For customers, this warranty is critical to ensure that the provider protects against code or viruses that may compromise IT systems or data and cause significant losses. For vendors, the scope of potential liability for a breach of a no-virus warranty is a key consideration.
We set out below some key points to consider when drafting and negotiating a no-virus warranty:
Scope and Definitions
Parties should clearly define what constitutes a virus or malicious code and the scope of protection under the warranty, including whether the warranty extends to all modifications or updates of the software. Customers will often take the position that the vendor has an absolute obligation to prevent the introduction of malicious code, whereas vendors will often take the position that the vendor will just not “knowingly” insert malicious code into software. The parties often land somewhere in the middle, and the warranty can typically just require that the vendor use all commercially reasonable efforts to detect malware (e.g., using anti-virus software to analyze the code).
Whether this is the right landing spot will depend very much on the nature of the transaction. Parties should consider the specific circumstances of their arrangement to determine which outcome is reasonable and proportionate.
Remedies
Regardless of the scope of the warranty, the customer will also want to consider whether it is appropriate to specify a remedy for a breach of the warranty. For example, the customer may state that a breach of the warranty would result in the vendor undertaking remediation efforts in cases where a virus is detected or recovery efforts in the event of a loss of data. The remediation protocols may specify the actions required from each party to restore the systems and data affected by a virus and to stop the further spread of malware, as well as response times for effective mitigation. Further, depending on the nature of the relationship, the customer may wish to consider whether the remediation efforts are carved out of the limitation of liability.