Originally appeared in Corporate Counsel on May 21, 2015.

IT service providers, particularly cloud service providers, increasingly are resisting unlimited liability for breaches of privacy and data security obligations in their customer agreements. Instead, they offer unlimited liability for breaches of confidentiality, asserting the customer’s risk of a data breach would be covered as a breach of confidentiality, and arguing that unlimited liability for breaches of data protection obligations is simply double dipping.

A Data Breach Is Not Needed to Create Liability

When an IT service provider takes this position, one of the first questions a customer asks is: Assuming that the service provider has access to data that would be covered by privacy and data security laws, what is the risk if the provider breaches the privacy and data security obligations without an actual data breach

In other words, does there need to be a data breach for the customer to incur liability? Unfortunately, the answer is no.

To fully understand the risk of accepting the IT service provider’s position, a customer should identify:

  • The privacy and data protection requirements the customer must satisfy.
  • The likelihood the IT service provider may cause the customer to fail to comply with those requirements.
  • The potential for damages, fines, penalties or other enforcement activity if the customer fails to comply with those requirements—even absent a data breach.

Privacy and Data Protection Requirements

In terms of the privacy and data protection requirements the customer may need to satisfy, the customer should consider legal and regulatory requirements (including regulatory guidance) and industry standards. For example, if a customer collects or processes credit card information, the customer must comply with the Payment Card Industry Data Security Standards (PCI DSS) as well as Visa's Cardholder Information Security Program (CISP), MasterCard's Secure Data Protection program (SDP) and Discover Network's Information Security and Compliance program (DISC). In addition, Massachusetts 201 CMR 17.00 requires a company that owns or licenses personal information of Massachusetts residents to implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards.

Even if there is no data breach, failing to comply with these standards may subject the customer to enforcement actions by the relevant regulatory authority and/or significant fines.

‘Flow-Through’ Terms

Once a customer identifies the relevant requirements, the customer should ensure that these requirements are expressly passed through to the IT service provider through well-tailored “flow-through” terms. Not only is the customer at risk for liability if the IT service provider causes it to fail to comply with the requirements; simply failing to flow through the requirements may subject the customer to liability for noncompliance.

This is true even if the service agreement includes a confidentiality clause, which generally requires the receiving party to exercise a duty of care to protect confidential information of the disclosing party in a way that is consistent with the measures the receiving party takes to protect its own confidential information. It is often unclear, however, exactly what measures an IT service provider takes. For example, Massachusetts 201 CMR 17.00 specifically requires companies to oversee its service providers, including requiring its service providers by contract to implement and maintain appropriate security measures.

Legal requirements and industry standards are not the only potential risk. The customer also may have contracts in place with its end-user customers and other third parties that would expose it to unlimited liability for breaches of privacy and data security obligations. If the IT service provider only offers unlimited liability for breaches of confidentiality and the IT service provider’s obligation is to comply with its own duty of care standard and not the customer’s standards, the customer may not be able to look to the IT service provider for full recourse if the IT service provider causes the customer to breach these contractual obligations.

A Data Breach Does Not Always Mean a Breach of Confidentiality

Even if there is a data breach, customers may be at risk that the confidentiality provision does not cover the data subject to the breach. Confidentiality provisions often define “confidential information” in a manner that may not encompass all of the data subject to privacy and data security laws. For example, the definition may include only information that is labeled as confidential or that a “reasonable person” would consider to be confidential. In this case, certain types of data, such as IP addresses or geolocation data, are unlikely to be labeled as confidential when disclosed to the IT service provider and may not be something a “reasonable person” would consider to be confidential.

“Confidential information” often is defined to include end-user customer data but not employee data. The IT service provider’s services, however, may include storing or processing employee data. Particularly for services such as cloud-based HR solutions, this may be as simple as receiving employee names, phone numbers, addresses and emails in order to provide technical support.

If the customer discloses personally identifiable information to the IT service provider that is not covered by the definition of confidential information, then a breach of that data would not be a breach of confidentiality for which the IT service provider would have unlimited liability under the service agreement.

Conclusion

The risk of liability for a breach of privacy and data security obligations without a data breach is only increasing. Audit and enforcement activities have continued to increase, an example being the U.S. Department of Health and Human Services Office for Civil Rights’ focus on HIPAA privacy rule violations—with some resulting in civil penalties in the millions. This risk is likely to continue to grow as regulators and states become even more active in setting data protection requirements and enforcing them, including increasing scrutiny of how companies are flowing down protections to third parties.

Customers will want to minimize their risk in deals with IT service providers by (1) including privacy and data security obligations sufficient to satisfy their privacy and data protection requirements; and (2) insisting on uncapped liability for the IT service provider’s breach of those obligations. If the IT service provider simply refuses to accept such unlimited liability and only offers uncapped liability for breaches of confidentiality, the customer may try to reduce its risk by:

  • Including privacy and data security obligations sufficient to satisfy the customer’s privacy and data protection requirements, even if those obligations are subject to a general limitation on liability.
  • Ensuring damages the customer may incur for breach of privacy and data protection obligations, such as regulatory fines, penalties and the like, are not excluded by a sweeping exclusion of liability for consequential damages, even if they are subject to a general limitation on liability.
  • Seeking a heightened liability cap for breaches of privacy and data security obligations in addition to uncapped liability for breaches of confidentiality
  • Defining “confidential information” to ensure it encompasses all personal data the customer may disclose to the IT service provider.
  • Including the right to terminate for convenience without the payment of any early termination charge.