A Georgia court recently agreed on a summary judgment motion that a digital marketing contractor was not monetarily responsible for an unauthorized intrusion into its computer network. In the case, Silverpop Systems, Inc., the digital marketing contractor, entered into a service agreement with Leading Marketing Technologies, Inc. (Leading Marketing) that permitted Leading Marketing to upload content to Silverpop’s web-based e-mail marketing tool so Silverpop could send out messages on Leading Marketing’s behalf. (Silverpop Sys., Inc. v. Leading Mkt. Techs., Inc., No. 12:-cv-02513-SCJ (N.D. Ga. Feb. 18, 2014).

In November of 2010, Silverpop’s web-based system was hacked, potentially affecting the security of the nearly 500,000 e-mail addresses Leading Marketing had uploaded to the system. After an investigation, Silverpop could not confirm whether any information was exported from its system. Silverpop informed Leading Marketing of the incident. Leading Marketing continued to use the services for several months while withholding payments to Silverpop. Silverpop filed a declaratory action seeking payment. Leading Marketing counterclaimed, arguing that it was justified in withholding payment since Silverpop had failed to keep the addresses secure. Leading Marketing presented a variety of legal claims in support of its argument, including negligence.

In finding for the vendor, the court found that Leading Marketing had failed to present evidence regarding the applicable standard of care regarding data breaches in its industry. Furthermore, although Leading Marketing did highlight some deficiencies in Silverpop’s intrusion detection system, it offered no evidence establishing how these deficiencies failed to meet the applicable standard of care.  On Leading Marketing’s breach of contract claim, the court found that the damages were consequential damages that were not recoverable according to the terms of the parties’ contract. Leading Marketing had argued that the breach caused a loss of market value to its list of e-mail addresses. Due to a contract provision barring the recovery of consequential damages, Leading Marketing could not recover these damages. 

TIP: As security incidents become more common, companies hiring vendors may want to review their vendor contracts to ensure that there are appropriate provisions to allow for recovery of costs associated with the incident and that vendors have insurance coverage to live up to their representations.