When is a Limitation of Liability not a Limitation of Liability?

If you do any contracting involving technology, you will no doubt be well familiar with the concept of a limitation of liability provision.  Almost all provisions contain two parts.  First, a complete disclaimer of all liability for lost profits and other types of “consequential and incidental” damages.  Second, an overall cap on all other damages based on some variant of the fees paid under the agreement.  Depending on the nature of the agreement, certain exclusions may be made to the limitation of liability (e.g., indemnity obligations, breaches of confidentiality, etc.).  As between two businesses (as compared to consumer contracts), these types of provisions are generally fully enforceable, even if the result would result in extraordinary harm to a party.  There are, however, certain very narrow instances when courts may be inclined to forego the limitation of liability and hold a party to the contract liable for all damages.  Perhaps the most well known example of the foregoing is the trend in New York courts to put the limitation of liability aside, even when sophisticated businesses are involved, when a party engages in gross negligence or reckless conduct.

The “New York” exclusion was recently affirmed when a court found that the domain name registrar Register.com may be liable for gross negligence and recklessness and breach of contract for transferring control of a domain name to an alleged hacker (Baidu Inc. v. Register.com Inc., S.D.N.Y., No. 10-444, 7/22/10).  Specifically, there were allegations Register.com breached its own security protocols in making the transfer.  If those breaches constituted gross negligence or reckless conduct, Register.com’s strong contractual limitation of liability may be ineffective.

The lesson in the Register.com and other similar cases is that parties need to be aware that while contractual limitations of liability are generally effective and enforceable, those provisions may not always (at least in New York) be enforceable to protect a party from egregious conduct like gross negligence and willful misconduct.  While this appears to be a narrow exception, the problem is that the term “gross negligence” is very broad.  Almost any contract breach (e.g., a software bug, a support failure, a breach of internal security policy, etc.) could potentially constitute gross negligence depending on the facts of the particular case.  This should be a wake-up call for vendors providing services and products in New York.  Breach a contract and the vendor may be placing the entire assets of its business at risk.


Copyright © 2010 IDG Communications, Inc.

The 10 most powerful cybersecurity companies