Short answer: never shut down a customer’s site or disable their software access over a billing dispute unless your contract explicitly gives you the right to do so. Taking that step without clear contractual authority exposes you to a Computer Fraud and Abuse Act violation, which is both a civil and a federal criminal statute.
I work with software developers on their software development agreements and other commercial contracts, and the same blind spot keeps appearing. Developers are technically capable of solving problems on their own, and when a customer does not pay, cutting off access feels like an obvious lever. It is not. Here is why.
The Self-Help Remedy Problem.
Under the law, repossessing or disabling something you delivered — cutting off access, shutting down a site, disabling a feature — is called a “self-help remedy.” Self-help remedies are heavily regulated. Think of a car loan: if you stop making payments, the bank can repossess your car. But it cannot break into your locked garage to do so. That limitation — the prohibition on “breach of the peace” — exists to protect the person whose property is being repossessed. The same principle applies in software. You may have the technical ability to cut off access, but whether you have the legal right to do so depends entirely on what your contract says and what jurisdiction governs.
Why the CFAA Makes This Especially Dangerous.
Unauthorized access to a protected computer system is a violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which is both a civil and a federal criminal statute. When a developer remotely disables a customer’s site — particularly when that site runs on infrastructure the developer deployed or still has credentials to access — courts have found CFAA exposure. A 2015 case illustrates the risk: a developer who shut down a client’s site over a billing dispute faced a CFAA claim, which the court treated as a sufficiently serious theory to proceed. The CFAA’s reach is broader than most developers expect. It does not require hacking in the Hollywood sense — it covers any unauthorized computer access, including access you once had permission for but no longer have authorization to use.
What to Do Instead.
The answer is not to give up your leverage. It is to build your leverage into the contract from the start. A properly drafted software development agreement addresses payment milestones, suspension rights (if payment is not received within X days, vendor may suspend access upon Y days’ written notice), and termination rights (if payment remains outstanding after suspension, vendor may terminate). Those provisions give you a legal, contractual right to suspend — which means exercising that right is not a CFAA violation, it is contract performance. The right way to protect yourself is to negotiate the suspension right into the agreement upfront, not to improvise when a customer is three months late on an invoice.
Getting Paid: Structural Protections.
The better solution to the nonpayment problem is to structure payment so you are never in a position where months of unpaid work back you into a corner. Require a deposit or retainer before work begins. Use milestone payments tied to objective completion criteria rather than acceptance criteria — see the full analysis at Acceptance vs. Completion Criteria in a Software SOW. Invoice at delivery, not after customer acceptance. These structural protections prevent the dispute in the first place, which is always better than having to enforce your rights after the fact.
Common Questions About Software Payment Disputes.
Q: What if my contract has no suspension clause?
A: Negotiate one before work starts, not after a dispute arises. If you are mid-project without one, your options are negotiation, demand letters, and litigation — not self-help.
Q: Can I withhold code or deliverables I have not yet handed over?
A: Potentially, depending on your contract, but this is legally fact-specific. Withholding work not yet delivered is different from disabling something already deployed and in production. Talk to an attorney before acting on either option.
Q: What if the customer is using credentials I set up for them?
A: Check your contract carefully. If your credentials were granted for the purpose of maintaining their systems, revoking them without notice may itself create liability. Document everything and get advice before acting.
Q: What is the safest thing to do when a customer goes dark and stops paying?
A: Send a formal written notice referencing your payment terms, stating the amount overdue, and specifying a cure period. If your contract has a suspension right, give the contractually required notice before exercising it. Do not act unilaterally without legal authority to do so.
For guidance on SaaS agreement structure and how payment and termination rights interact, I hope this helps. Getting these provisions right before the deal closes is far cheaper than dealing with a dispute — or a CFAA claim — after the fact.
Resources:
- Software Development Agreements
- Acceptance vs. Completion Criteria in a Software SOW
- Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (Cornell LII)
Disclaimer:
This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.
Discover more from Aber Law Firm
Subscribe to get the latest posts sent to your email.