In Australia, contract law is almost entirely regulated by the common law, save for specific legislative control of particular types of contracts (e.g. goods, consumer, insurance).
Background
Cyber issues (security, threats, emerging technology, etc) can significantly affect how a contract is drafted, performed, breached and/or terminated. Cyber issues are a major consideration for contracting parties when allocating risk under a contract.
Cyber risks are the risks that emanate from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks. This includes physical damage, fraud committed by the misuse of data, liability arising from data storage, and the availability, integrity and confidentiality of electronic information whether related to individuals, companies or governments.
In drafting a contract, parties can apportion liability by drafting specific terms that deal with the supply and operation of control systems, force majeure, insurance, compliance with applicable data law, and data transfer, storage and segregation.
A party is bound by the terms of a contract, regardless of whether they read or understood it: L’Estrange v Graucob[1934] 2 KB 394. Exceptions include where there is a vitiating factor (such as fraud or misrepresentation) or where the document is not a contractual document (for instance, where it is a receipt).
The parol evidence rule prevents extrinsic evidence from adding to, varying or contradicting the terms of a particular contract. It also limits the use of evidence when determining what a particular term in a contract means: McCourt v Cranston[2012] WASCA 60.
Construing contract terms
A court will examine what a reasonable person ‘in the parties’ shoes’ would consider to be their intention, based solely on the actual words of the contract: Toll v Alphapharm (2004) 219 CLR 165. This may involve giving effect to express terms, even where an unreasonable result would accrue: ABC v Australian Performing Right Association Ltd[1973] HCA 36; [1973] 129 CLR 99. However, where a construction of absurd terms would lead to an uncommercial or unreasonable outcome, then courts may change, delete or add to words to address any ambiguity.
Subject to the Australian Consumer Law contained in Sch 2 of the Competition and Consumer Act 2010 (Cth), exclusion clauses can operate to either remove or reduce liability where there would otherwise be a breach.
The meaning and implication of an exclusion clause should be determined based on ordinary processes of construction.
Where there is uncertainty over meaning or implication, the clause should be construed contra proferentem: Darlington Futures v Delco[1986] HCA 82; (1986) 161 CLR 500.
An exclusion clause cannot protect a person who does not act in a way permitted by the contract: Gihaud v Great Eastern Railway[1921] 2 KB 426.
An exclusion clause cannot operate where there has been an intentional breach of contract, unless words are expressly used which indicate a contrary path: David v Pearce Parking Station[1954] HCA 44; (1954) 91 CLR 642.
An exclusion clause may not remove liability for loss that involves a departure from an agreed avenue set out in a contract: Thomas National Transport v May & Baker[1966] HCA 46; (1966) 115 CLR 353.
To exclude liability for negligence, there must be clear words to that effect (such as “at owner’s risk” or “not responsible for loss or damage of any description”): David v Pearce Parking Station[1954] HCA 44; (1954) 91 CLR 642.
There are 4 ways to imply terms to ensure a contract works in the way that the parties intend it to (BP Refinery v Hastings (1977) 52 ALJR 20; Codelfa Construction Pty Ltd v State Rail Authority of NSW(1982) 149 CLR 337):
A contractual obligation cannot be performed where there are circumstances in which that performance would cause it to be “radically different” from what was originally intended pursuant to the contract (unless there is a default caused by a particular party): David Contractors Ltd v Fareham UDC[1956] UKHL 3; [1956] AC 696.
Established circumstances that may render the operation of the doctrine of frustration include:
Illegality
Sufficient and serious delay
Death or permanent impairment of a party
Destruction of a subject matter of a contract
An event destroys the basic function or purpose of a contract
Disappearance of a state of affairs occurs that helped the contract to be performed in a particular intended way
The doctrine of frustration will notapply where:
The risk of a frustrating event was explicated by the contracting parties: Codelfa v SRA NSW(1982) 149 CLR 337
The frustrating event was reasonably foreseeable by the parties: David Contractors v Fareham Urban District Council[1956] UKHL 3; [1956] 3 WLR 37
The frustrating event occurred due to the fault of a party relying on the frustration: F C Shepherd & Co Ltd v Jerrom[1987] 1 QB 301 (e.g. negligence can prevent a party from relying on frustration in response to a cyber risk, such as where careless mistakes are involved)
Mistake
Mistake is where parties are in agreement but erroneously presume a particular matter to be accurate. A mistake may be made about the existence of a subject matter, terms, property title, the quality of subject matter, the recording of the agreement and mutual mistakes. Remedies include a rescission order or a rectification of the contract via equity.
If the parties are in agreement, there may be a mistake regarding the existence of:
If the parties are not in agreement (i.e. they come to the contract for very different purposes such that they subjectively can be discerned to not be in agreement), there may be a mistake regarding:
A plaintiff must prove that they were under illegitimate pressure and that a causal connection existed between the pressure and the action that was taken: Crescendo v Westpac(1988) 19 NSWLR 40. Duress essentially negates, vitiates or removes consent in some way by causing the actions of the plaintiff to be non-voluntary.
Illegitimate pressure encapsulates unlawful threats or is unconscionable conduct (based on the nature of the pressure and the nature of the demand that the pressure exists to support). This could involve illegitimately seizing or damaging the property of the relevant party or causing damage to their economic interest: Universe Tankships v ITWF(1983) 1 AC 366.
The remedy is often rescission or making the contract voidable (but not void).
Misrepresentation
The test for misrepresentation is as follows:
There must be a positive misrepresentation of an existing or past fact or law; and
The representee must have been misled by or reasonably relied upon the misrepresentation when entering into the contract (‘sufficient nexus’): Public Trustee v Taylor[1978] VicRp 31; [1978] VR 289.
Misrepresentation is not mere puffs, statements of opinion (unless the facts are better known by the representee or the representee gives an implication that they have an opinion they do not have: Fitzpatrick v Michel[1928] NSWStRp 19; (1928) 28 SR (NSW) 285) or statements of future intent.
Generally, silence is not a ground for relief, except for the following relevant situations which may impel a duty to disclose:
A statement is literally true but incites false impressions: Davies v London Provincial Marine Insurance Co[1878] UKLawRpCh 92; (1878) 8 Ch D 469.
A statement is true when it was given but later becomes false because of situations which come to the attention of the representor.
The representor is a fiduciary (who in turn carries a complete duty to disclose).
Available remedies include rescission and damages (via equity).
Termination
There are several ways a contract may be terminated:
The contract may stipulate that it only lasts for a fixed period before coming to an end (where a contract is silent on the time the contract operates for, the courts can imply a right to terminate).
The parties may mutually agree that one or both has the right to terminate it.
The parties may make a subsequent agreement containing an intention to release the other party from the particular contract.
A court may conclude that the parties intended to mutually abandon a contract, due to a considerable amount of time elapsing without any attempt to perform it or where the parties conclude that the contract should not be performed.
Where a party is unwilling or unable to perform their requirements under the contract.
Where there is a delay, and time is of the essence (in the absence of such a stipulation, and where there has been unreasonable delay, a party can deliver a notice containing a reasonable date for completion of the terms, thus creating time being of the essence: Louinder v Leis[1982] HCA 28; (1982) 149 CLR 509.
Where there has been a failure of a contingent condition (that is, either a condition precedent to formation, a condition precedent to performance of a condition subsequent to performance), the contingent condition may be waived. However, if a party provides the false belief to another that they will not exercise the right to terminate then sections 18 and 237 of the Australian Consumer Law may apply: Edensor Nominees Pty Ltd v Anaconda Nickel Ltd[2001] VSC 502.
To terminate a contract, the party must prove that they were ready and willing to perform their requirements under the contract at the time of breach: Foran v Wright[1989] HCA 51; (1989) 168 CLR 385. There may also be an option to terminate due to anticipatory breach, as long as it is proven that the other party was not disabled or incapacitated when performance was meant to occur.
A party can elect to terminate or affirm a contract, whereby the former removes any right to future performance and the latter culminates in a loss in the right to terminate. To affirm a contract there must be:
Knowledge of events leading up to the right to terminate; and
Unequivocal conduct demonstrating a clear choice to continue the contract.
Rescission
Rescission sets aside a contract and enables parties to get back to their original positions (restitution in integrum): Alati v Kruger[1955] HCA 64; (1955) 94 CLR 216).
Rescission is available to victims of mistake, misrepresentation, duress, undue influence, unconscionable dealing and breach of fiduciary duty: Yerky v Jones[1939] HCA 3; (1939) 63 CLR 649.
Rescission is unavailable if the property which is the subject matter of the contract has been wholly or substantially destroyed by the party that wants rescission: Brown v Smitt[1924] ArgusLawRp 27; [1924] VLR 333.
Bars to rescission include:
If the representee affirmed the contract after finding the presence of fraud which induced them to enter the contract then this will constitute a bar to rescission.
If a bona fide third party acquires rights in the subject matter of the voidable contract (although note that monetary remedies may still be administered):McKenzie v McDonald[1926] VicLawRp 74; [1927] VLR 134.
If there is not a total failure of consideration (only relevant when seeking to rescind a contract for the sale of goods pursuant to Watt v Westhoven[1933] ArgusLawRp 94; [1933] VLR 458).
Damages
A party who sustains damages due to a breach of contract will be put in the same position as if the performance of the contract occurred, though this does not mean as good a financial position as if it were performed: modified Robinson v Harman[1848] EngR 135; (1848) 1 Ex 850; Tabcorp v Bowen(2009) 236 CLR 272.
Expectation damages compensate the plaintiff for what they would have obtained had the contract been performed (including with respect to consequential losses).
Reliance damages are available where the plaintiff cannot prove the benefit they would have obtained if the contract were to be performed but the court determines they should be paid amounts incurred in reasonable reliance upon the contract actually being performed, including damages for loss of a chance.
There must be a causal connection involving the application of a but for test and determining whether there is a novus actus interveniens.
It is necessary to consider remoteness. Damages will not be too remote where they come to fruition naturally or were contemplated by the parties when the contract was formed. The extent of damage and the degree of likelihood of damage are also necessary considerations.
The Sale of Goods Act 1923 (NSW) typically applies in business-to-business transactions, although private consumers are occasionally affected. The Act seeks to protect parties in commercial transactions in NSW (other states have equivalent legislation). For the Act to apply, there must be a contract of sale, a transfer of goods (excludes intangible property, such as IP), and a transfer of monetary consideration. The Act regulates contract formation, effect and performance by implying rights and obligations into contracts between buyers and sellers. The Act can be excluded from a contract between parties if expressly agreed, by conduct or by custom.
Entities who are subject to cyber security obligations (under statute, common law or codes of conduct) may require discharge of these obligations by their third-party service providers (such as cloud service providers or other IT outsourcers), through contractual terms. For example, many merchant contracts contain contractual clauses that require compliance with the Payment Card Industry Data Security Standards, a self-regulatory framework initiated by major credit card providers.
However, the original entities subject to the obligations who have delegated responsibility to a third party will not necessarily escape liability under the legal instrument imposing the obligations: this depends on drafting of the original instrument. Additionally, the third party will have contractual liability, but in most cases they will not have direct liability under the statute, common law or code of conduct.
A notable exception to the above principle that third party contractors are only liable in contract to their head contractor can arise from the operation of the current Security of Critical Infrastructure Act 2018 (Cth) (SOCI). For example, cloud service providers now attract direct obligations under SOCI due to their inclusion as the ‘data storage or processing’ industry sector. These obligations will be in addition to any contractual obligations they have with other entities.
Pass-through contractual obligations may also include compliance with relevant standards eg ISO/IEC 27001 Information technology—Security techniques—Information security management systems—Requirements ISO/IEC 27002 Information technology—Security techniques—Code of practice for information security management
Due to the complexity of the regulatory landscape, there may be conflicts between contracts, statutory requirements, policies or other guidance. For example, the Australian Energy Regulator has noted the potential for SOCI obligations on its licensees to not align with the economic principles within the National Electricity Objective and the National Gas Objective. (Australian Energy Regulator, Submission on the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (1 February 2022))