Do those stellar security obligations really provide any protection?

In this blog entry, we are going to be talking about a dirty word:  liability.  Specifically, we are going to be looking at vendor liability in the event of a security/data breach on their systems and networks.  Solving a Rubik’s Cube may be easier to understand than truly grasping the importance of vendor liability in this context. 

Consider the following scenario, which, sadly, has played out all too often in the real world:

You have spent months negotiating a major outsourcing or cloud-services agreement worth millions of dollars.  As part of that agreement, the vendor will have possession of one of your most valuable assets:  your data.  You fully appreciate the risk and have spent long hours negotiating truly world-class information security requirements.  The vendor has committed to implement extremely strong, layered information security measures.  The vendor has further committed to constantly evolve its security measures to address newly discovered threats and vulnerabilities and to keep pace with best industry practices.

You assure your senior management that your business’ information-security measures are airtight and proceed with contract signing.  Six months later, the vendor has a massive security breach, millions of elements of personally identifiable information are compromised, the breach and your business are featured on the front page of the business section, your business is the subject of a class action lawsuit by its customers claiming millions of dollars in damages and finally, several regulators are contemplating enforcement actions and substantial fines against you.

You investigate the breach and find the vendor failed to properly implement the security measures required under the agreement.  You call your lawyers and say, “I want to sue,” and send them a copy of the vendor contract.  Five minutes later, your lawyers call to explain the realities of the liability provision in the vendor contract.  The vendor has almost no liability for the breach.  Your pink slip is waiting on your desk when you return from lunch.

What went wrong in this scenario?  You negotiated excellent security protections.  The problem is not with those protections, but with the liability section in the contract.  All vendor agreements contain a “limitation of liability” clause.  This is common and comports industry practice.  Your ability to recover damages under the agreement is strictly limited by that clause.  The wording of that clause in the overwhelming majority of vendor form agreements is written such that the vendor has little (and sometimes no) liability for breaches of the agreement, including security breaches. 

In the remainder of this post, we will look at what a limitation-of-liability clause is, how they are constructed and most importantly, how they must be drafted to give effect to the security language you have worked so hard to negotiate.  Understand, as reflected in the above vendor scenario, that unless that clause is drafted properly, even the strongest information security obligations are essentially illusory.  The vendor has little real responsibility if they fail to comply with them.  In talking with regulators, they have made clear that such an approach is likely not compliant with your regulatory obligations.  It is not enough to have outstanding information-security obligations; the vendor must also have enough “skin in the game” to ensure they take those obligations seriously. 

Let’s look at a very standard limitation of liability found in most vendor agreements:

LIMITATION OF LIABILITY.  IN NO EVENT WILL VENDOR BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INDIRECT, PUNITIVE, EXEMPLARY, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE) ARISING OUT OF THIS AGREEMENT OR THE PRODUCTS, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES.  IN ANY EVENT, THE MAXIMUM LIABILITY OF VENDOR FOR ALL CLAIMS (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE) OF EVERY KIND ARISING OUT OF THIS AGREEMENT OR THE PRODUCTS WILL IN NO EVENT EXCEED IN THE AGGREGATE THE FEES PAID BY CUSTOMER IN THE PRECEDING THREE MONTHS.

The first thing to note about this language (and generally every other limitation of liability) is that it is comprised of two sentences or parts.  The first sentence is generally a complete disclaimer of liability for what are called consequential or incidental damages.  These are the “big ticket” damages:  harm to a business’ reputation, loss of customers and business, decreased stock value, etc.  The second sentence generally provides a cap or limit on all other damages.  These damages are referred to as “direct” damages. 

Consider this limitation-of-liability clause in the context of the above vendor scenario.  It says that if the vendor fails to comply with its security obligations and breaches the agreement, the customer cannot recover even a single dollar of lost profits or compensation for harm to its business reputation.  The maximum liability of the vendor is limited to three months of fees paid, which could be a very low number.  Certainly, this would not compensate the customer in the above vendor scenario, as the customer faces a class action lawsuit, regulatory fines and an impaired business reputation.

So, what is to be done to better protect the customer?  The first, and best, approach is to exclude breaches of the security obligations from the limitation of liability.  This can be done by adding a sentence similar to the following to the end of the provision: “The limitations and exclusions of liability in this Section will not apply to nor limit Vendor’s liability for breach of its security obligations in this Agreement.”  Such an approach will ensure the vendor is fully responsible for its actions.  More importantly, it provides strong incentive for the vendor to actually fulfill its security obligations and avoid a breach in the first place.

If the vendor refuses an outright exclusion of security breach liability, consider negotiating a heightened or “super” cap for such breaches: “The limitations and exclusions of liability in this Section will not apply to nor limit Vendor’s liability for breach of its security obligations in this Agreement.  In the event of such a breach, Vendor’s liability for consequential and direct damages shall not exceed $5,000,000.00.”

As the above vendor scenario highlights, never be complacent because the vendor offers outstanding security obligations.  Those obligations are of little real value unless the vendor actually assumes an appropriate level of responsibility if it fails to comply with them.  All too often, vendors are more than willing to brag about their world-class security measures but seem far less confident when it comes to standing behind them.

[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]