Contract law mixes law, business, and personal. It affects us all. We introduce basic concepts of a contract, and explore how it applies for individuals, organizations, cybersecurity, privacy, and information systems.
A contract is an enforceable agreement
Put simply, a contract is an enforceable agreement which creates obligations. A contract is formed when two or more individuals or entities (“parties”) enter into an agreement which then can be legally enforced. Of course, there are some legal details I will get into shortly.
If contract performance goes well, and there are no disagreements between the contract parties, then no one will ever read it again, and no one will ever second guess themselves for entering into it.
But if there is a dispute, the contract will be gone over with a fine-tooth comb. Each side will interpret it to serve their own interests, and each side will second-guess themselves with one of three refrains:
- “I should have gotten a lawyer to review it before I signed it.”
- “I should have listened to my lawyer’s advice before I signed it.”
- “Why didn’t my lawyer warn me about that issue/paragraph/sentence/word?”
As above, a contract is a legally binding agreement between two or more parties. Of course, by “party” we mean an individual or an organization that can enter into a contract (we don’t mean a gathering, such as a birthday or cocktail party).
In the simplest terms, the law requires three main things to form a legally binding contract:
- Acceptance, and
But now let me summarize what they mean, and add two more points:
- Offer (offering to make a deal, such “I will buy/sell the car for $1,000”)
- Acceptance (acceptance of the deal, “I accept”, or signing the contract)
- (This offer and acceptance constituted a “meeting of the minds”, mutual assent, and agreement to be bound by the contract)
- Consideration (something of value — like the car and the payment)
- A legal purpose for the contract (selling a stolen car is not enforceable, nor is an agreement to buy illegal drugs or conduct a hit)
- Legal capacity of the parties to enter into the contract (a five year old is too young to enter into a contract).
Big picture, practical application, and risk management
Before we get into too many details on contracts, let’s look at the big picture and practical application. Like many things in life it comes down to risk and we need to remember that we should not try to eliminate all risks in life, but instead work to manage risks efficiently and on a prioritized basis. Here we focus on legal risk, business risk, and personal risk.
With any potential contract, the question is what potential issues could arise, what degree of harm could occur, and what diligence needs to be done before entering into the contract to manage those risks. There is a chance that the deal works out and everyone is happy, the precise terms or issues in the contract become less relevant because it will never be disputed nor legally enforced.
When do I need a lawyer to review the contract?
As the saying goes, hindsight is 20–20, and that is the best test of when you need[ed] a good attorney to review that contract you are about to enter into.
It would be nice if everyone could afford to have an attorney review every contract for them, but that is just not possible. Further, even after attorney review and advisement of legal risks, many people choose to accept those risks anyway and enter into that contract. And let’s remember that while there are many really good and ethical attorneys out there, just because an attorney says something doesn’t mean it is true or always the best advice. Further, attorneys advise on legal risks, there are many circumstances when a good business decision means accepting some of those risks and continuing forward.
So this is a personal choice. Review the risks and potential harms and costs if things do not work out with the contract. If those risks are high enough and you have the resources, you should consult an attorney.
If you are buying or selling a $5,000 car, it makes no sense to pay an attorney $5,000 to review the advertisement, representations about the car, or the proposed contract and bill of sale. On the other hand, other contracts may require heightened review and legal analysis, including for employment, investments, intellectual property, licensing, criminal plea agreements, and perhaps purchase of a million dollar collectable car. Depending on the circumstance, you may need expert legal advice.
Should I enter into this contract with these terms?
A contract typically contains many terms and provisions, many of which are subject to negotiation. For the car purchase, those terms are simple. Buy this car, in this condition, for $5,000. Most likely price is a term that can be negotiated.
In other contracts, the terms for negotiation are more complex, and this is where the business and personal aspects become important. Ideally, this negotiation can be done in a collegial, respectful manner, where two (or more) parties work together to build a deal they are all reasonably happy with.
Often, there are complex terms and sticking points, and eventually one party says they will not move any further, and the other party needs to make a decision. Accept the current deal, walk away entirely, or try yet again to reshape the deal.
What does a good contract look like?
First, remember that verbal agreements can be legally binding. The problem with verbal agreements is that there may be disputes about what was said and what that meant. Thus, the law may bar enforcement of certain verbal agreements, such as for the purchase of real property (land or homes).
Now consider what a good written contract should look like. I think it should be clearly written and “stand on its own” about what it means. Confusing terminology and legalese should be avoided or at least explained. It should be the proper length. Too short, and it does not address the necessary provisions, and if it is too long it is cumbersome and hard to wade through, meaning errors or inconsistencies are harder to find.
As contracts are negotiated and revised and updated, the changes and versions should be clearly indicated.
Provisions in a contract should include
- Identify parties
- Goods or services to be provided
- Scope of services or details on goods
- Dispute resolution
- Choice of law to resolve disputes
- Forum for resolving disputes
- Notice in case of dispute
- Liquidated damages
- Intellectual property ownership
- And More!
Formation of the contract
The contract is formed after acceptance of the offer. For written contracts, this means both parties (or all parties) have signed the contract.
Defects in the formation process can render a contract unenforceable, void or voidable.
Sometimes terminology can be confusing. Sometimes people refer to a contract that has been signed by all parties as a “fully executed contract”. This is different from executing the terms of the contract, which may be termed performance of the contract, which is discussed next.
After contract formation comes performance
After a contract is formed (following the offer and acceptance) then it is time for performance of the contract (or executing the terms the contract), meaning each side fulfills their end of the bargain. A contract that is satisfactorily completed is said to be discharged.
Parties are bound by the implied covenant of good faith and fair dealing. parties must meet their obligations as evaluated by the reasonable person standard (unless a different standard is specified).
In our car sale example, the buyer goes to see the seller, presents the cash, and receives the keys, the car, and a bill of sale. Other contracts are of course more complex, and the terms of the contract may play out over weeks, months, and years.
Each side has a legal duty to perform their obligations. If they fail to, that is a breach of contract.
Breach of contract
If either side fails to live up to their promises, that can constitute a breach of contract. A breach of contract is when there is a material failure to act or perform obligations in a reasonable manner or time as outlined in the agreement. (Compare, that a repudiation of contract is where one party indicates they will not do what the contract requires them to do, and that requires some more analysis).
The breaching party can be sued and ordered to pay damages (compensation) or even ordered to perform the contract (specific performance).
The three main types of remedies for breach of contract are:
- Damages (money),
- Cancellation and restitution
- Specific performance
Damages in contract are generally to give the party the benefit of their bargain. In contract, damages are generally limited to compensatory (actual) damages and consequential damages. A fuller list of potential types of damages that can be awarded include:
- Expectation damages (the value of the contract, if it were properly performed)
- Compensatory damages (actual damages)
- Consequential damages (special damages because of particular circumstances)
- Reliance damages (to compensate for losses suffered based upon relying on the promise)
- Unjust enrichment (to compensate if one party unfairly benefits from their breach of contract)
- Punitive damages are generally not allowed in contract disputes
- Nominal damages (a minimal amount)
- Liquidated damages (an established amount by contract or statute, to save the court and parties the time of calculating any of the above types of damages)
Types of contracts
There are many different types of contracts, to include:
- Terms of service for software, websites, and more
- Insurance (including cyber insurance)
- Purchase of goods
- Purchase of services
- Purchase or licensing of real property (real estate, land, buildings)
- Investments and purchases of equity stakes or shares in businesses
- For purchase or licensing of intellectual property
- Technology transfer
- Contract manufacturing
- Joint venture
I will touch on a few of these specific types that relate to information security, information systems, and “cyberlaw” next.
Terms of service
Website and software services have terms of service (and privacy policies and more) which we are regularly prompted to “accept”. Those can constitute contracts (and may be termed contracts of adhesion, since there is no ability to negotiate them). Often, we blindly hit accept without reading those contract terms, but that is not unreasonable for us to do. As discussed above, we need to balance our legal risks. It would take us hundreds of hours each year to read all of the terms of service and privacy policies that we agree too. Many of these documents are so complex that attorneys would have trouble figuring them out. Thus, clicking the button is usually the thing for the consumer to do, and anything else would be a waste of time and money. Still, the lesson for organizations is that their staff and attorneys should carefully vet these documents before they are presented to the public and customers.
Insurance and cyber insurance
Insurance is a contract. Cyber insurance is an important contract to consider relating to cybersecurity and privacy. Part of my practice involves advising clients as to whether cyber insurance is right for them to manage their cybersecurity and privacy legal and business risks. I also review cyber insurance applications and policies.
Before any insurance is issued, an application is filled out, the potential insured provides information to the insurer. Based on the information provided, the insurer proposes coverage, and if accepted, a policy is issued. A contract is formed. The insurer promises to cover certain losses, provided they are covered as indicated within the insurance policy (contract) and provided the insured made accurate representations.
Cybersecurity and privacy are complex. In the application documents, organizations may not fully understand what they are being asked, or may not otherwise make accurate representations to the insurance company, and this can mean that claims can be delayed or denied. Organizations may not fully understand what coverage they have, or what exclusions from coverage may exist in the policy.
Imagine, for example, that an organization represents to the insurer that it has implemented two-factor authentication across all systems, and that it has a comprehensive cybersecurity program. After a serious cyber incident, it is revealed that these representations were false, and insurance coverage could be denied. I cover more details on this in a separate article on cyber insurance.
Vendor — client contracts and cybersecurity
Organizations enter into contracts to provide goods or services for clients, and these contracts may contain provisions about data protection, cybersecurity, privacy, cyber insurance, data breach reporting and cybercrime investigation. In fact, some laws and regulations may require such contractual provisions, and best practices may urge them.
In advance of entering into these contracts, organizations may complete questionnaires that make factual representations about their cybersecurity and privacy program.
These questionnaires, and the contracts themselves, should be carefully reviewed.
Imagine that an organization makes representations to a client that it complies with all data protection laws (such as New York’s SHIELD Act and California’s CCPA and CPRA), that it has a comprehensive cybersecurity program, and implements multi-factor authentication. The contract is formed, and perhaps also imposes requirements for data security. A data breach ensues, personal information is compromised, and the costs and litigation start to mount. The client sues for breach of contract, alleging fraudulent representations prior to formation of the contract.
There are many more terms and principles of contract law, and I want to briefly mention a few.
Counteroffer: A counteroffer terminates the original offer, and puts forth a new offer. So once a counteroffer is made, you cannot go back and accept the original offer.
Defenses to a breach of contract claim may include:
- Undue influence
- Misrepresentation and fraud
- Mistake by both parties
- Force Majeure — circumstances beyond the parties’ control
- Statute of frauds
Statute of Frauds is a concept from common law that may be incorporated in statutes, which requires certain contracts to be in writing in order to prevent fraud. Contracts for real estate (land) must be in writing, as must contracts that cannot be performed within a year. This prevents someone from saying to you and suing you on these examples:
- “At the cocktail party (bar) last month you verbally agreed to sell me your house for $X. Now I am suing you to make that happen.” The judge would quickly dismiss this law suit as violating the statute of frauds.
- “At the cocktail party a year and a half ago, you verbally promised to sell me your business for $Y. Now I am suing you to make that happen.” This suit would also be quickly dismissed.
Tortious interference with contract rights is a tort (not a contract claim), and the elements of this tort generally are:
- Existence of a contractual relationship
- Knowledge of that relationship
- Intent to induce a breach of contract
- Breach of contract
- Resulting damages
Types of contracts include
- Express. Promises are expressly communicated
- Implied. Promises are implied by conduct. Ordering food in a restaurant creates an implied contract the food will be safe and edible and that you will pay for it
- Unilateral. The offer is “out there” and acceptance is by performing the act
- Bilateral. Offer is accepted by promising to perform an act
- Contracts of adhesion are form contracts drafted by one side that cannot be negotiated, such as click-through contracts.
Conclusion and disclaimer
Contract law is foundational “traditional” law that affects us all, and has important implications for cybersecurity and privacy.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This is not legal advice nor consulting advice, and is not tailored to your circumstances.
I know something about contract law, and encounter it periodically in my practice after spending dozens (hundreds?) of hours studying it in law school and for the bar exams. However I am far from being a contract law expert, and there there are other lawyers that specialize in this area.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations (including contractual requirements relating to cybersecurity and privacy), please contact me.
This article was originally published on my website at https://johnbandler.com/contract-law/ where I also include links for additional reading, and it may be more current and with improved formatting.
Copyright John Bandler all rights reserved.
Posted to Medium on 9/13/2022 based on my earlier website article. Last updated here on 9/13/2022.