Until very recently, it was considered a matter of course in a services agreement for any data disclosure or loss, regardless of cause, to be excluded from any and all limitations of the vendor’s liability. However, as data breaches continue to change the risk landscape of the business world, third-party vendors increasingly insist on limiting their liability for damages related to data breaches. In light of this, many transactions now include a “super cap” – a separate, higher limitation of liability specifically setting forth the circumstances, types of damages, and amount of damages for which a vendor may be liable in the event of a data breach.
While this approach can be a reasonable compromise for customers under certain circumstances based on the types of data and the services involved, not all super caps are drafted equally. Here are four points to keep in mind with respect to limitations of liability for data breaches when your company is negotiating with a vendor.
1. Clarify What’s Covered. One of the reasons vendors are now pushing to limit this type of liability is that data breaches often can occur without bad action or intention on the part of the vendor, yet still have devastating consequences. Even if the vendor meets all of its obligations under an agreement, a motivated hacker can still find a chink in the armor. Increasingly, this is coming to be considered a cost of doing business: a risk that all parties have to share. While you may accept the reasonableness of this argument with respect to security incidents caused by outside actors, it is important to distinguish such incidents from situations in which the vendor has breached the agreement (such as affirmative disclosures of confidential information) or has a separate obligation under the agreement (such as indemnification provisions). Breaches of obligations regarding confidential information and indemnification obligations frequently are still excluded from any limitations of liability (including any super cap).
2. Create a Distinct, Separate Limit. If you are willing to agree to a separate limitation of liability for data breaches, it is important to make sure that it is truly distinct and calculated separately from the general limitation of liability, as opposed to a higher threshold that is available for only certain types of claims. You do not want to experience a data breach in the third year of an agreement only to find that the damages you had collected from the vendor in the first year of the agreement due to performance issues have reduced the amounts available to cover your current costs. This also will leave coverage available if there is a data breach early in the term of an agreement, in case there are other issues with the vendor later in the term.
3. Set an Appropriate Cap. Typically, general limitations of liability are tied to the amounts paid by a customer to a vendor under the agreement, on the basis that the vendor’s risks should be proportionate to its benefits under an agreement. However, it is risky to apply such logic to data breaches, for which the costs and liabilities can far exceed the fees paid to a vendor. Rather than agreeing to a cap set as a multiple of the fees payable, consider proposing a fixed amount that you calculate up front based on an analysis of what your damages may be in the event of a security breach.
4. Beware of Damages Exclusions. It is not uncommon to exclude certain types of damages (e.g., consequential, special, indirect) under an agreement, subject to narrow exceptions. However, in the context of a data breach, it may be difficult to judge at the outset whether a certain cost will be deemed by a court to be direct or consequential, and it is possible that all such damages would be in categories traditionally excluded under limitation of liability clauses. One approach is to draft your super cap such that no categories of damages are excluded, but all damages, regardless of category, are capped at the agreed limit. If a vendor won’t agree to that, another approach is to have both parties acknowledge in the contract itself that certain types of damages (such as costs of notifications, costs of reasonable mitigation for affected data subjects, any governmental fines or penalties, and costs and expenses of recreating or reloading any lost, stolen or damaged data) will be considered direct and therefore will be recoverable, subject to the agreed super cap.