Legal Considerations in Businesses’ Disaster Planning
In the last decade, Disaster Recovery (“DR”) and Business Continuity Planning (“BCP”)have become “hot” topics, as companies attempt to deal with disasters and the associated business risks. “Force majeure” is a legal concept that excuses a party’s performance under a contract on account of wide-scale, unpredictable, and devastating events, such as hurricanes, wars, national strikes and other similar occurrences. These common contractual provisions allocate the risk associated with non-performance because of a catastrophic, unpredictable event (for simplicity, let’s refer to these as disasters). But the legal implications in disaster planning extend beyond force majeure clauses.
The wide reach of disasters can create business risks with equally broad consequences. Imagine the “butterfly effect” in business caused by flooding in northern California or civil unrest in an oil-producing country. As an initial point, disasters may force manufacturers in a directly affected region to close their doors and “weather the storm.” Of course, lost production probably means lost profits. A closure also probably means disappointed business partners, suppliers, and customers. As a result, many large companies require suppliers to maintain business continuity plans to mitigate the risk of disruption.
Contracts play an important role in BCP and DR
For example, insurance contracts warrant careful analysis due to their complexity and nuances. Business interruption insurance, which covers the loss of income suffered by a business after a disaster, plays an important part in disaster planning. So, if business interruption insurance is a part of your manufacturer’s BCP or DR plan, be sure to understand the scope of applicable coverage, exceptions, and limitations.
Additionally, information technology contracts should be considered carefully. While many manufacturers use third-parties for technology solutions, other manufacturers host some, or all, of their own software solutions. These manufacturers typically engage third-parties for DR services, including backing up data and providing hardware in case of an emergency. In these circumstances, contracts should address the manufacturers’ expectations for returning to an acceptable operating level.
A related issue is the notification required in the event of a cyber-security breach or compromised data. Different industries face different requirements of different regulators. Thus, manufacturers that contract with utilities may be subject to different requirements than manufacturers who supply the Department of Defense.
Proper BCP and DR Can Limit Certain Legal Exposure
Unfortunately, many businesses that close their doors as a result of a disaster do not reopen. For those that do, without proper DR preparation, insurmountable setbacks, such as the loss of data, equipment, and personnel, may cripple or ultimately end a manufacturer. Those consequences, combined with the rise in BCP and DR, may put directors and officers on the “hot seat.” They may be accused of breaching their fiduciary duties for failing to implement BCP and DR initiatives. The applicable duty of care for fiduciaries duty standard is measured by one of reasonableness. Thus, directors and officers should evaluate their manufacturer’s preparedness for and exposure due to a disaster. Furthermore, business continuity plans should account for maintaining compliance with all relevant regulations, such as workplace safety and data security. Be careful not to create liability by overlooking these possibilities.
Legal issues and business risks go hand-in-hand, and BCP and DR are no exceptions. The above are just a couple common examples. Each manufacturer’s concerns vary based on a number of facts, including geography, industry, and size. Accordingly, it is crucial to consult with counsel while developing and implementing business continuity and DR plans.