I am a lawyer in a boutique law firm that specializes in technology law matters. I support some of the world’s largest legal departments on IT procurement projects. The one inescapable trend I have seen in technology transactions is the prominence of risk balancing provisions in contracts. One of the most notable risk-balancing provisions is the limitations of liability. Historically, IT services and software were offered “as-is” or on a “best-efforts” basis with sweeping limitations of liability in favor of the vendor. For software purchased for on-premises deployment, such limitations of liability were generally accepted by customers. Today, the risk profile of most technology transactions has changed due to increased legal regulation of customer data. In response to this increased risk profile, the market adapted by tying limitations of liability to the revenue paid by the customer under the contract for either a trailing six or twelve months prior to an incident. Sophisticated customers objected to revenue-based limitations of liability because the potential claims scenarios involving data privacy and business continuity substantially outweighed the revenue paid.
As customers demanded greater risk balancing, sophisticated service providers secured professional liability insurance also known as cyber-liability coverage that protected each of the provider’s customers for a single annual premium tied to revenue. For SMB and mid-market deals most of my clients require vendors to carry adequate professional liability insurance to cover likely claims scenarios including data breach incident response, class action response, and regulatory response. Contractual risk balancing is achieved by limiting liability to the proceeds of insurance or a combination of the proceeds of insurance and some multiple of revenue for uncovered claims. For these reasons, limitations of liability provisions need to be reviewed in tandem with the indemnity provisions and the insurance provisions.
The cleanest way to accomplish risk balancing using professional liability insurance is to clearly define the insurance coverage, draft the indemnity provisions to be as broad as the coverage grant, i.e. all claims arising from the services, and craft the limitation of liability so it does not limit the client’s access to the insurance. Insurance provisions should clearly require the provider during the term and for period of one year after expiration, to carry professional liability including cyber liability coverage for data loss remediation, data breach incident response, crisis management, and regulatory response with an aggregate limit no less than the probable claim scenario amount. Even with good insurance language, narrowly crafted indemnity or limitations of liability provisions can be invoked by carriers to limit the availability of insurance proceeds in the event of a claim. I like to mirror the coverage grant language from the cyber liability policy directly into the indemnity provision so it is clear that the provider’s indemnity obligation is identical to the risk that has been transferred. Finally, the limitation of liability has to be crafted so that is tied to the proceeds of insurance or contains a carve-out from broader limitations for covered claims.
Limitations of liability tied to professional liability solves a portion of the risk balancing problem, but it does not solve the risk balancing problem for uncovered claims or for large vendors that do not carry professional liability coverage. When dealing with large vendors, third-party insurance is less common. Providers like Microsoft for example, do not agree to carry third-party insurance. In many instances, I have advised my clients to secure first party cyber-liability coverage to cover the increased risk associated with a transaction. Negotiating limitations of liability with these vendors is even more critical and therefore potentially contentious.
As hosting and cloud based services have emerged, risk balancing has become a central negotiating point in almost all technology transactions. The market is moving toward riskier delivery models. Taking advantage of emerging technology without bearing undue risk will be one of the factors that determines who wins and who loses.