• United States



When is a Limitation of Liability not a Limitation of Liability?

Jul 27, 20103 mins
IT Leadership

If you do any contracting involving technology, you will no doubt be well familiar with the concept of a limitation of liability provision.  Almost all provisions contain two parts.  First, a complete disclaimer of all liability for lost profits and other types of “consequential and incidental” damages.  Second, an overall cap on all other damages based on some variant of the fees paid under the agreement.  Depending on the nature of the agreement, certain exclusions may be made to the limitation of liability (e.g., indemnity obligations, breaches of confidentiality, etc.).  As between two businesses (as compared to consumer contracts), these types of provisions are generally fully enforceable, even if the result would result in extraordinary harm to a party.  There are, however, certain very narrow instances when courts may be inclined to forego the limitation of liability and hold a party to the contract liable for all damages.  Perhaps the most well known example of the foregoing is the trend in New York courts to put the limitation of liability aside, even when sophisticated businesses are involved, when a party engages in gross negligence or reckless conduct.

The “New York” exclusion was recently affirmed when a court found that the domain name registrar may be liable for gross negligence and recklessness and breach of contract for transferring control of a domain name to an alleged hacker (Baidu Inc. v. Inc., S.D.N.Y., No. 10-444, 7/22/10).  Specifically, there were allegations breached its own security protocols in making the transfer.  If those breaches constituted gross negligence or reckless conduct,’s strong contractual limitation of liability may be ineffective.

The lesson in the and other similar cases is that parties need to be aware that while contractual limitations of liability are generally effective and enforceable, those provisions may not always (at least in New York) be enforceable to protect a party from egregious conduct like gross negligence and willful misconduct.  While this appears to be a narrow exception, the problem is that the term “gross negligence” is very broad.  Almost any contract breach (e.g., a software bug, a support failure, a breach of internal security policy, etc.) could potentially constitute gross negligence depending on the facts of the particular case.  This should be a wake-up call for vendors providing services and products in New York.  Breach a contract and the vendor may be placing the entire assets of its business at risk.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author