I continuously confront vendors who say I am “the only” lawyer who objects to limitation of liability provisions that attempt to limit the liability of a security incident to the amount of the contract. That is very hard for me to believe. The value of the contract has no relevance to the actual damages and losses that are sustained in the event of a data breach.
Companies are attempting to limit liability and argue that they are not an insurer. But companies fail to take responsibility for their own actions, and are attempting to transfer liability to the customer. But the customer is not the insurer of the vendor’s liability either. It is hard for me to believe that I am the most difficult lawyer in the world where fairness is concerned when it comes to parties agreeing to be responsible for their own actions.
In my experience, when there is a fraud or a security incident, it is very clear what happened and very rare that the incident was caused by more than one party. In such an instance, my position is that the party that caused the incident should take responsibility for the incident and should have insurance to cover it. However, I have been involved in several cases lately (in which I didn’t negotiate the agreement) where the limitation of liability was insufficient to cover the losses, and the customer was left holding the bag for the vendor. Sometimes insurance policies will not cover the acts or omissions of others, so the client was less than fully covered.
No company can take on unlimited liability, but there are multiple options to share the risk and to be fair. I guess what is bothering me these days is that everyone used to be fair, and now some aren’t. Some companies with market share and leverage are being unreasonable, despite the fact that they can afford taking responsibility for their own actions, and have ample insurance to cover their act or omission.
Question vendors who are putting your organization at risk and determine whether doing business with that vendor is worth the risk. Is that vendor a partner or an adversary? Are they being fair in the negotiation or heavy handed? Are there other companies that can provide the same service and are more reasonable? Does your insurance cover the fault of a vendor if the vendor does not take responsibility for its actions? These are important questions to ask, and lately they are popping up more frequently than ever before as data is more portable and is transmitted from vendor to vendor to vendor.