Companies that operate online often include disclaimers and limitations of liability in standardized terms of service.

If a company suffers a data breach involving personal information collected from its customers, can the company rely on these disclaimers to limit or preclude liability to those customers?

This two-part series of posts looks at that question—in particular, two decisions from a California federal court in In re Yahoo! Inc. Customer Data Security Breach Litigation.

Hacks lead to billions of compromised accounts

In re Yahoo! arose after hackers accessed user accounts for Yahoo’s free email and small business services. In all, the breaches compromised three billion accounts—Yahoo’s entire user base. The hackers stole users’ login credentials and other personal information and obtained access to the contents of their emails.

The users sued. Their complaint asserted claims for breach of contract based on Yahoo’s terms of service. In those terms of service, Yahoo promised to protect users’ personal information:

  • “We are committed to ensuring your information is protected and apply safeguards in accordance with applicable law.”
  • “We limit access to Personal Information about You to employees, contractors, or service providers who we believe reasonably need to come into contact with that information to provide products or services to You or in order to do their jobs.”
  • “We deploy industry standard physical, technical, and procedural safeguards that comply with relevant regulations to protect your personal information.”

Yahoo, claimed the plaintiffs, failed to live up to these commitments and knew that its security measures were inadequate.

Don’t disclaim me, bro

Yahoo moved to dismiss.

Yahoo first argued that its terms of service contained express disclaimers that precluded liability. Those disclaimers stated:

  • Yahoo provided its services “AS IS,”
  • use of those services was “AT YOUR OWN RISK,”
  • “no data transmission over the Internet or information storage technology can be guaranteed to be 100% secure,” and
  • “SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT LIMITATIONS.”

Those disclaimers, argued Yahoo, showed that it never promised users a “completely secure, hack-proof environment.”

The court rejected that argument, finding that the disclaimers could not override Yahoo’s affirmative security promises. Indeed, the court explained, Yahoo’s statement that its security mechanisms had “inherent limitations” itself implied that Yahoo had at least some reasonable security mechanisms in place.

Consequential damages limitation leads to partial dismissal

Yahoo also argued that limitations of liability in its terms of service precluded the recovery of consequential damages, such as out-of-pocket mitigation costs and the reduction in value of the plaintiffs’ personal information.

To that end, the terms of service said that Yahoo would not be liable for indirect, incidental, or consequential damages, including damages for “loss of data or other intangible losses” resulting from “unauthorized access to or alteration of your transmissions or data.”

The court agreed, and dismissed the contract claims to the extent that they sought out-of-pocket mitigation costs.

The court also, however, invited the plaintiffs to amend their complaint. The reason? The plaintiffs might be able to escape the limitations of liability by alleging that they were unconscionable.

The plaintiffs accepted the court’s invitation and filed an amended complaint.

Tomorrow’s post will look at how the court handled the plaintiffs’ unconscionability arguments.