A recent 11th Circuit case may – if followed elsewhere and not reversed by the US Supreme Court – reduce a company’s potential exposure under conventional contract language requiring sensitive materials to be held in confidence. Many companies have been concerned that such language would make them liable if they were the victim of a third-party data breach as opposed to an intentional disclosure by one of their employees or contractors.
Adding to the sensitivity of the issue is the fact that it is not unusual for contracts to provide for unlimited liability for breaches of a confidentiality obligation, notwithstanding any generally applicable limitation of liability. Some contracts will go further and expressly provide that data breaches are subject to unlimited liability.
In Silverpop v. Leading Market Technologies, 2016 U.S. App. LEXIS 196, the US Court of Appeals for the Eleventh Circuit held that losses associated with a data breach “are best characterized as consequential” and recovery on a contract claim should be barred when the contract contains a prohibition the award of consequential damages. The Court further found that negligence claims for such data breaches would be barred due to the lack of an applicable standard of care, as well as by the economic loss rule. Thus, absent proof of negligence or specific contractual language that is on-point, a data breach of itself does not constitute a breach of the obligation to take reasonable measures to safeguard confidential material under a confidentiality provision.
In view of both operational ramifications of data breaches and remaining legal uncertainty, companies still should use good technical practices to secure data and investigate procurement of cyber-liability and similar insurance coverage. Confidentiality language and liability limitations also should be negotiated in the same manner as before. Management and counsel should assume that even with this case, companies entrusted with the confidential information of a party with which they contract are still obligated to use at least commercially reasonable data-handling practices. It is also likely that more and more courts will be presented with claims involving the standard of care for negligent handling of confidential information in the data-breach context. These cases should be monitored to ensure that corporate practices comport with the developing law in this area.
But, this case, if its rationale prevails in other courts, may be useful in defending against claims resulting from data breaches that do occur. Even with high-value contracts where a counterparty is adamant about imposing unlimited liability (or a high dollar limit) for confidentiality breaches, this case suggests such unlimited or high liability may not attach to all data breaches.