Business Law Articles
By: Stephen B. Sambol, Esq.
Mateer & Harbert, P.A.
As most businesses have come to completely rely upon computers and the internet and thereby those professionals who design or consult on software or computer systems and networks, it is likely just a matter of time before we begin seeing more claims involving professionals who work in this industry. When a mistake is made by an IT consultant the damage caused can be significant. This might include a security breach or accidental disclosure of health information (PHI) protected by Federal laws like HIPAA or personally identifiable information (PII) or non-public information (NPI) protected by the Federal Information Security Act as well as state laws. Or perhaps even worse, portions or all of a system can be corrupted and data can be lost and rendered unrecoverable. Consequential damages can end up being substantial for the company in terms of jury awards, litigation costs, penalties, lost revenue and loss of business and reputation. Whether you find yourself representing a person or business that has been damaged or defending the IT consultant accused of causing the damage you need to be aware of limitations in the law that might affect the ability to bring certain types of professional liability claims for those losses.
Currently, most states do not have laws in place that specifically address these types of professional liability claims. Instead, the attorney who is involved in prosecuting or defending one of these claims has to rely upon the controlling state’s laws of contract and tort and attempt to apply those laws to the facts at hand. A breach of contract claim may be possible depending upon whether there was actually a contract in place that would govern the respective duties and responsibilities of the IT contractor owed to its customer or client. These contracts might be for services for software development and licensing, systems design and installation or service and maintenance agreements. Contractual liability can also arise out of breach of a HIPAA Business Associate Agreement for the improper handling of PHI. However, many times there is no written contract and one is forced to rely upon any oral agreement(s), which can be quite challenging. Many service contracts also have a limitation of liability provision which limits the damages that can be recovered to specifically exclude damages for consequential losses arising from breach of contract.
On the torts side, a negligence action may be brought if it can be proven the IT company or consultant provided services and failed to exercise reasonable care in providing those services. Reasonable care is often defined as that level of skill or care that would be considered reasonable and prudent under the same or like factual circumstances by a reasonable person. Restatement Second of Torts, Section 283; Prosser and Keeton, Section 32. So, for example, if an IT engineer or tech is providing consultation or data backup and internet security services, those services must be performed with the same level of skill or care as a reasonable person would exercise under the same circumstances.
One might ask whether it really makes a difference if you are have a claim for common law or simple negligence versus professional negligence or malpractice? The answer is yes, it does matter. For one thing, professionals are held responsible to a higher standard of conduct or care under a broader range of circumstances. The simple negligence claim might also be barred by the Economic Loss Doctrine if the damages being sought arise out of a contract between the parties. In several states, a recognized exception to this limitation on recoverable damages is for professional negligence. However, if you are unable to bring suit against the IT provider for professional negligence then you may be confined to just contractual damages which may very well be limited by the language contained in the contract itself.
So exactly why is it that in most instances an IT consultant cannot be sued for professional negligence or malpractice? Believe it or not, it is the very same lack of established standards and regulation within the IT industry itself that has resulted in this somewhat odd exception in the law. Unlike other professionals such as doctors, lawyers, engineers and accountants, etc., the fact there is no uniform credentialing, oversight and enforcement in the industry makes it more difficult, if not impossible, to bring certain types of professional negligence claims against IT or computer industry “professionals”.
The concept of professional negligence or malpractice is essentially something that grew out of the common law of negligence to cover certain situations where the defendant had represented himself as having above average skills and abilities so that the general “reasonable person” standard should not apply in the determination as to what duties were owed and whether they were breached. If the defendant held himself out as having above average skills and expertise, then the law would impose a higher set of standards in which to measure the services that were rendered as compared to others in the same field. Some of these standards were eventually codified as we see for instance in the area of medical malpractice where most states have specific statutes that control actions against health care professionals. Unfortunately, in the relatively new area of IT negligence, there is little precedent for bringing a professional malpractice claim that would involve holding the IT professional to a higher standard … and so the same “lower” reasonable person standard that applies in a basic negligence case usually applies to even a highly educated and skilled IT consultant or software programmer who commits malpractice and causes massive losses to the client and/or third-parties.
Efforts to Create a Higher Duty
Attempts to impose a professional malpractice standard on the IT industry and create a higher duty of care have generally been unsuccessful. In the case of Ferris & Salter, P.C. v. Thomas Reuters Corp. d/b/a West Publishing Corp., d/b/a Findlaw, 889 F.Supp.2d 1149 (2012), a Michigan law firm brought an action against West Publishing doing business as “Findlaw”, alleging breach of contract and professional negligence stemming from Findlaw’s alleged negligence in designing and managing the firm website. More specifically, it was alleged that Findlaw’s computer engineers, employees and agents had negligently destroyed the previous connection/link that had directed website inquiries to the firm’s e-mail accounts. Although Findlaw eventually repaired the problem, there was a significant period of time in which e-mails were not forwarded to the firm’s e-mail accounts because of this error which the firm claims resulted in a loss of numerous clients and hundreds of thousands of dollars in attorneys’ fees. The District Court upheld the lower court’s dismissal of the malpractice claim and found that Ferris & Salter could not bring the claim against the computer consultants because Minnesota courts had not recognized such a claim and the law firm failed to offer any persuasive reason to deviate from the current authority. Conveniently, Findlaw actually cited to itself (Thomas Reuters) as one of the leading treatises in the area:
Most practitioners in computer consulting, design, and programing do not fit a model that creates malpractice liability. These businesses and “professional” parties clearly engage in complex and technically sophisticated activities. Computer programmers commonly define themselves as “professionals.” Yet, despite the complexity of the work, computer programming and consultation lack the indicia associated with professional status for purposes of imposing higher standards of reasonable care. While programming requires significant skill and effective consultation requires substantial business and technical knowledge, the ability to practice either calling is not restricted or regulated at present by state licensing laws. If anything, programing skills have proliferated throughout the general public during the past decade and become less, rather than more, the exclusive domain of a profession specially trained and regulated to the task. Unlike traditional professions, while practitioner associations exist, there is no substantial self-regulation or standardization of training within the programming or consulting professions.
Ferris & Salter, P.C., 889 F.Supp.2d at 1152, quoting Raymond T. Nimmer, The Law of Computer Tech. Section 9.30 (4th ed., Thomas Reuters (2012).
In Superior Edge, Inc. v. Monsanto Co., 44 F.Supp.3d 890 (2014) that followed, Monsanto had retained Superior Edge (SEI) to develop software to enhance sales by helping farmers make more educated decisions about their seed purchases. The two companies entered into a Software Development and License Agreement upon which both companies later brought claims that the other breached. In addition, Monsanto also brought a claim for professional negligence alleging that SEI should be held to a higher standard of care such as that exercised by those skilled professionals in the software development field. Citing Ferris & Salter, the court found that computer professionals are not subject to a higher duty of care based on their profession and dismissed Monsanto’s professional negligence claim.
Some twenty years prior to the Ferris & Salter case, another court had reached a similar decision. In Hospital Computer Systems v. Staten Island Hospital, 788 F.Supp. 1351 (1992) the hospital brought various claims against its computer consultant (HCS) who had developed and implemented its computerized patient accounting and billing system which was to replace its existing computer system. The Court disagreed with the hospital’s position that its “computer malpractice” claim should be recognized under New York law and dismissed that claim. The basis for the ruling was the same, that unlike other professionals who have a higher standard of care imposed upon them by virtue of their profession and by state licensing requirements that would engender trust by the consuming public, no such requirements exist in the computer consultant industry. Therefore, there are no duties imposed on the computer consultant besides those created by contract or ordinary tort principles.
Courts across the country have consistently reached a similar conclusion and refused to classify computer experts as professionals. Although some of the hallmarks necessary to be considered a “professional” might certainly be able to be established, such as the special education, skills, training and experience required of many of those who work in the computer industry, other usual indicia of being a professional remain lacking including the requirement of extensive higher education resulting in a degree, licensure by the state and regulation by a professional organization or association.
For now, attorneys representing companies and individual consultants in the IT and computer industry may be reasonably confident in prevailing on claims based on professional negligence or malpractice. However, their clients will continue to be potentially liable on claims based on breach of contract, breach of warranty and negligence, as well as other torts such as fraudulent inducement or negligent misrepresentation. Perhaps in the future as more of these claims are filed and with the growing awareness of the IT customer and others there might be calls for legislative change or even voluntary changes within the IT industry itself that will create clear standards and oversight which will eventually lead to courts imposing a higher duty of care upon the IT professional.
For more information about Mateer & Harbert, P.A., please visit the International Society of Primerus Law Firms.